SUPPLEMENTAL PRIVACY NOTICE FOR RESIDENTS OF CALIFORNIA, COLORADO, CONNECTICUT, UTAH, AND VIRGINIA

January 1, 2023

Omada Health, Inc. (“Omada,” “we,” “us,” “our”) provides this supplemental privacy notice (“Notice”) to comply with certain state consumer privacy notices, including the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the “CCPA”). For the purposes of this Notice, “you” and “your” refers to you as the user of the Covered Services described below or a representative of a company we do business with.  

This Notice explains how we collect, use, and disclose information about users of our websites (www.omadahealth.com and www.physera.com), including when you or your company interact with us in a “business to business” capacity and when we conduct a transaction or communicate with a representative of our business partners, vendors, and other companies we do business with (collectively, the “Covered Services”). 

Please note that these state consumer privacy acts, including the CCPA, do not cover PHI collected by a covered entity or business associate that is governed by the Health Information Portability and Accountability Act of 1996 (“HIPAA”), and so this Notice does not apply to individuals as they apply for, register for, and/or participate in one or more of our digitally-based health care programs (including interactions with the related mobile applications). For information on how Omada, as a health care provider, uses and shares information from the applicants and members in our health care programs, please refer to our Notice of HIPAA Privacy Practices and Privacy Policy. Please also note that our Covered Services are designed for users in the United States only and are not intended for individuals residing outside the United States.

Please read this Notice carefully. By using or accessing any of the Covered Services, you agree to the collection, use, and disclosure of your information as described in this Notice. If you do not agree to this Notice, please do not use or access any of the Covered Services.

We may modify this Notice from time to time, in which case we will update the “Last Updated” indicated in this Notice. If we make material changes to the way we use information that we collect, we will use reasonable efforts to notify you (such as by posting notice of such changes on the Covered Services, by emailing you at the last email address you provided us, or by other means consistent with applicable law), and we will take any additional steps required by applicable law. If you do not agree to any updates to this Notice, please do not access or continue to use the Covered Services.

Collection and Processing of Personal Information

We collect information that you provide directly to us. For example, we collect information when you request information related to our Covered Services, fill out a form on our website, or otherwise communicate with us. We also collect certain information from you automatically, including through tracking technology like cookies and scripts. Finally, we collect email addresses, postal addresses, and related information from third parties, such as consumer and sales marketing databases, which we use to supplement our records and perform outreach.  For more information about the types of information that we collect and how, please refer to our Privacy Policy

In the preceding 12 months, as part of the Covered Services, we collected and disclosed, for Omada’s business purposes, the following categories of personal information (“Personal Information”) about residents:

  • Identifiers such as real name, email address, and IP address; 
  • Personal information categories listed in the CCPA such as real name, physical characteristics or description, address, and telephone number; 
  • Internet or other similar network activity such as information regarding your interaction with the website; 
  • Geolocation data such as IP address;
  • Professional or employment-related information such as professional title, industry, role type, employer, and professional background; and
  • Inferences drawn from other personal information.

Our delivery of the Covered Services does not require us to collect sensitive personal information (as that term is defined under applicable law), such as account log-ins, social security or passport numbers, financial information, or biometric information (“Sensitive Personal Information”).

We may use the Personal Information that we collect for one or more of the following business purposes:

  • to communicate with you about our products and services; 
  • to perform auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and our compliance;
  • to maintain the security of our Covered Services;
  • to identify and repair errors that impair existing intended functionality; and
  • to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, verifying customer information, providing analytic services, or providing similar services on behalf of the business;

In addition, we have or may disclose Personal Information to certain of our vendors for the above purposes. We only use and disclose Personal Information for purposes permitted by applicable law, or otherwise with your consent.

The period of time that we may retain Personal Information is based upon a number of criteria, including: 

  • The length of time necessary to fulfill the purpose(s) for which we collected the personal information; 
  • The length of time it is reasonable to keep records to demonstrate that we have fulfilled our business and legal obligations; and
  • Any retention periods prescribed by law or recommended by regulators, professional bodies, or associations.

Selling or Sharing of Personal Information

We are in the business of delivering health care, not sharing Personal Information for advertising purposes or purposes unrelated to our business. When we share Personal Information with cloud storage providers, security vendors, and other parties core to the delivery of our Covered Services, we share this information in order to perform the services and related purposes like the prevention, detection, and investigation of security incidents - not with a goal of enabling cross-context behavioral advertising or uses unrelated to our business in a manner that would be considered “sharing” (as that term is defined under the CCPA). 

We also do not sell Personal Information or Sensitive Personal Information, nor have we done so in the preceding 12 months. 

Further, we do not have actual knowledge that we sell or share for targeted advertising purposes Personal Information of individuals under 16 years of age.

Your Rights 

Depending on where you live and subject to certain exceptions, you may have some or all of the following rights:

  • Right to Know. You have the right to request that we disclose to you the personal information we collect, use, or disclose as part of the Covered Services and information about our related data practices. For California residents, you may ask that we provide you with a copy of the following: 
    • categories of and specific pieces of Personal Information we have collected about you; 
    • categories of sources from which we collect Personal Information; 
    • the business or commercial purposes for collecting Personal Information; 
    • categories of third parties to whom the Personal Information was disclosed for a business purpose; and 
    • categories of Personal Information disclosed about you for a business purpose.  
  • Right to Request Correction. You have the right to request that we correct inaccurate Personal Information from the Covered Services that we maintain about you, subject to certain exceptions.
  • Right to Request Deletion. You have the right to request that we delete your Personal Information that we have collected from or about you through the Covered Services, except where the law may require that we not delete that information because of our obligations to maintain business records. 
  • Right to Object to Targeted Advertising and Profiling. In some jurisdictions, where Personal Information is used for certain types of targeted advertising (or profiling in furtherance of similar uses), you may have the right to opt out of your Personal Information being used in this way. However, as described above, we are in the business of delivering health care, not sharing Personal Information for advertising purposes or purposes unrelated to our business.
  • Right to Limit Use and Disclosure of Sensitive Personal Information. For California residents, where Sensitive Personal Information is collected and used, you have the right to limit our use and/or disclosure of Sensitive Personal Information to only what is necessary to perform those services or provide the goods reasonably expected by an average resident (except to certain limited purposes permitted by law). However, as described above, our delivery of the Covered Services does not require us to collect Sensitive Personal Information.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

Where Personal Information is used for certain types of targeted advertising (or profiling in furtherance of similar uses), individuals may use various technologies to send opt-out signals. However, as described above, we are in the business of delivering health care, not sharing Personal Information for advertising purposes or purposes unrelated to our business. Accordingly, we do not recognize opt-out preference signals. In addition, where certain Personal Information is shared with third parties for direct marketing purposes, California law permits users in California to request certain details about that use. For the reasons mentioned above, we expect that users of the Covered Services would not need to make any such requests.

Under U.S. privacy laws, when you have the legal right to make a request, you may also designate an authorized agent to make the request on your behalf. When you submit a request to exercise one of your rights, or if you use an authorized agent to submit a request, please note that we may need to collect additional information, such as a valid government-issued ID, to verify your identity before processing your request to protect your information and the integrity of our services. In addition, where applicable, we will provide you with more information about our appeal process. When you submit a request or launch an appeal, we will limit our collection of your Personal Information to only what is necessary to securely fulfill your request or process your appeal. We will not require you or your authorized agent to pay a fee for the verification of your request or appeal. 

How to Contact Us

Should you have any questions about this Notice, our privacy practices or our Privacy Policy, please email us at privacy@omadahealth.com or contact us at the following telephone number or address: 
Phone: 888-409-8687
Omada Health, Inc.
500 Sansome St., Suite 200
Attn: Privacy Officer
San Francisco, CA 94111
We will make every effort to respond to your questions, concerns, complaints, and requests within a reasonable time.

January 1, 2023