SUPPLEMENTAL STATE PRIVACY NOTICE

Omada Health, Inc. (“Omada,” “we,” “us,” “our”) provides this supplemental state privacy notice (“Notice”) to comply with certain State Privacy Laws (as defined below) including (without limitation) the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the “CCPA”). For the purposes of this Notice, “you” and “your” refers to you as the user of the Covered Services described below or a representative of a company we do business with.  

This Notice is applicable to residents of the states of: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, all of which have enacted consumer privacy laws that grant their residents certain rights and require additional disclosures in certain circumstances (“State Privacy Laws”). 

This Notice explains how we collect, use, and disclose information about users of our website (www.omadahealth.com), including when you or your company interact with us in a “business to business” capacity and when we conduct a transaction or communicate with a representative of our vendors or other business partners (collectively, the “Covered Services”). 

Please note that these State Privacy Laws, including the CCPA, do not cover PHI collected by a covered entity or business associate that is governed by the Health Information Portability and Accountability Act of 1996 (“HIPAA”), and so this Notice does not apply to individuals as they apply for, register for, and/or participate in one or more of our digitally-based health care programs (including interactions with the related mobile applications). For information on how Omada, as a health care provider, uses and shares information from the applicants and members in our health care programs, please refer to our Notice of HIPAA Privacy Practices and Privacy Policy. Please also note that our Covered Services are designed for users in the United States only and are not intended for individuals residing outside the United States.

Please read this Notice carefully. By using or accessing any of the Covered Services, you agree to the collection, use, and disclosure of your information as described in this Notice. If you do not agree to this Notice, please do not use or access any of the Covered Services.

We may modify this Notice from time to time, in which case we will update the “Last Updated” date indicated in this Notice. If we make material changes to the way we use information that we collect, we will use reasonable efforts to notify you (such as by posting notice of such changes on the Covered Services, by emailing you at the last email address you provided us, or by other means consistent with applicable law), and we will take any additional steps required by applicable law. If you do not agree to any updates to this Notice, please do not access or continue to use the Covered Services.

 

Collection and Processing of Personal Information

We collect information that you provide directly to us. For example, we collect information when you request information related to our Covered Services, fill out a form on our website, or otherwise communicate with us. We also collect certain information from you automatically, including through tracking technology like cookies and scripts. Finally, we collect email addresses, postal addresses, and related information from third parties, such as consumer and sales marketing databases, which we use to supplement our records and perform outreach.  For more information about the types of information that we collect and how, please refer to our Privacy Policy. 

In the preceding 12 months, as part of the Covered Services, we collected and disclosed, for Omada’s business purposes, the following categories of personal information (“Personal Information”) about residents:

• Identifiers such as real name, email address, and IP address; 
• Personal Information categories listed in the CCPA such as real name, physical characteristics or description, address, and telephone number; 
• Internet or other similar network activity such as information regarding your interaction with the website; 
• Geolocation data such as IP address;
• Professional or employment-related information such as professional title, industry, role type, employer, and professional background; and
• Inferences drawn from other personal information.

 

Our delivery of the Covered Services does not require us to collect sensitive personal information (as that term is defined under applicable law), such as account log-ins, social security or passport numbers, financial information, or biometric information (“Sensitive Personal Information”).

We may use the Personal Information that we collect for one or more of the following business purposes:

• to communicate with you about our products and services; 
• to provide and improve the Covered Services, including for our internal business purposes;
• to communicate with you about webinars and events;
• to audit the number of ad impressions attributed to unique visitors, verify positioning and quality of ad impressions, and for our compliance;
• to maintain the security of our Covered Services;
• to identify and repair errors that impair existing intended functionality; and
• to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, verifying customer information, providing analytic services, or providing similar services on behalf of the business.

 

In addition, we have or may disclose Personal Information to certain of our vendors or co-sponsors of our webinars and events for the above purposes. We only use and disclose Personal Information for purposes permitted by applicable law, or otherwise with your consent.

The period of time that we may retain Personal Information is based upon a number of criteria, including: 

• The length of time necessary to fulfill the purpose(s) for which we collected the Personal Information; 
• The length of time it is reasonable to keep records to demonstrate that we have fulfilled our business and legal obligations; and
• Any retention periods prescribed by law or recommended by regulators, professional bodies, or associations.
  
  

Selling or Sharing of Personal Information

We are in the business of delivering health care, not disclosing Personal Information for advertising purposes or purposes unrelated to our business. When we disclose Personal Information with cloud storage providers, co-sponsors, security vendors, and other parties core to the delivery of our Covered Services, we disclose this information in order to perform the services and related purposes like the prevention, detection, and investigation of security incidents - not with a goal of enabling cross-context behavioral advertising or uses unrelated to our business in a manner that would be considered “sharing” (as that term is defined under the CCPA). 

We also do not sell Personal Information or Sensitive Personal Information, nor have we done so in the preceding 12 months. 

Further, we do not have actual knowledge that we sell or share for targeted advertising purposes Personal Information of individuals under 16 years of age.

 

Your Rights 

Depending on where you live and subject to certain exceptions, you may have some or all of the following rights:

• Right to Know. You have the right to request that we disclose to you the Personal Information we collect, use, or disclose as part of the Covered Services and information about our related data practices. For California residents, you may ask that we provide you with a copy of the following: 
  • categories of and specific pieces of Personal Information we have collected about you; 
  • categories of sources from which we collect Personal Information; 
  • the business or commercial purposes for collecting Personal Information; 
  • categories of third parties to whom the Personal Information was disclosed for a business purpose; and 
  • categories of Personal Information disclosed about you for a business purpose.  
• Right to Request Correction. You have the right to request that we correct inaccurate Personal Information from the Covered Services that we maintain about you, subject to certain exceptions.
• Right to Request Deletion. You have the right to request that we delete your Personal Information that we have collected from or about you through the Covered Services, except where the law may require that we not delete that information because of our obligations to maintain business records. 
• Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

Where Personal Information is used for certain types of targeted advertising (or profiling in furtherance of similar uses), individuals may use various technologies to send opt-out signals. However, as described above, we are in the business of delivering health care, not sharing Personal Information for advertising purposes or purposes unrelated to our business. Accordingly, we do not recognize opt-out preference signals. In addition, where certain Personal Information is shared with third parties for direct marketing purposes, California law permits users in California to request certain details about that use. For the reasons mentioned above, we expect that users of the Covered Services would not need to make any such requests.

Under U.S. privacy laws, when you have the legal right to make a request, you may also designate an authorized agent to make the request on your behalf. When you submit a request to exercise one of your rights, or if you use an authorized agent to submit a request, please note that we may need to collect additional information, such as a valid government-issued ID, to verify your identity before processing your request to protect your information and the integrity of our services. In addition, where applicable, we will provide you with more information about our appeal process. When you submit a request or launch an appeal, we will limit our collection of your Personal Information to only what is necessary to securely fulfill your request or process your appeal. We will not require you or your authorized agent to pay a fee for the verification of your request or appeal. 

 

How to Contact Us

Should you have any questions about this Notice, our privacy practices or our Privacy Policy, please email us at privacy@omadahealth.com or contact us at the following telephone number or address: 

Phone: 888-409-8687

Omada Health, Inc.

Attn: Legal

P.O. Box 210129

Dallas, TX 75211

We will make every effort to respond to your questions, concerns, complaints, and requests within a reasonable time.