Privacy Policy
Introduction
Welcome to EVAL Health. This Privacy Policy applies to all users of the EVAL Health website, its subdomains, and associated services (collectively, the "Platform"). This includes healthcare practitioners, their staff, and any member of the public who visits our website or interacts with our public application marketplace.
Our primary goal is to provide healthcare practitioners with powerful tools to build and manage clinical applications. This policy explains what information we collect, how we use and protect it, and outlines your responsibilities as a user of our Platform.
For information on how we handle patient data within the separate patient portal, please refer to our dedicated EVAL Health Patient Privacy Policy.
Our core principles:
- We are a B2B Service: Our platform is designed for professionals. Our business model is based on providing valuable software, not on monetizing data.
- We Do Not Sell Data: We will never sell, rent, or trade your professional information or any patient data you entrust to us.
- Security is Foundational: We are committed to protecting all data on our platform with robust technical and administrative safeguards.
- You Control Patient Data: Practitioners, not EVAL Health, are the primary controllers of the patient data they manage on our Platform.
1. Information We Collect and How We Use It
We collect different types of information depending on how you interact with our Platform.
1.1. For All Website Visitors
When you visit EVAL Health, even without an account, we automatically collect technical information to ensure our Platform is secure and functional. This includes:
- Log and Usage Data: Your IP address, browser type, operating system, pages visited, and the dates/times of your visit.
- Public Marketplace Interaction: If you interact with publicly published clinical apps, we may collect anonymized usage data to provide analytics to the app's publisher and to improve our Platform. No personally identifiable information is collected during this interaction unless you voluntarily provide it.
1.2. For Account Holders
When you create a free or paid account, we collect information necessary to provide you with our services:
- Account Information: Your name, email address, password, professional title, and practice/organization name. We use this to create and manage your account, and to communicate with you about service updates and security alerts.
- Subscription & Billing Information: If you subscribe to a paid feature like "Charts," we and our third-party payment processors will collect payment information (such as credit card details and billing address) to process your transactions. EVAL Health complies with PCI DSS and does not itself store sensitive payment information; card details are handled by our payment processors.
1.3. Information from Third-Party Authentication
You may choose to create an account or log in using single sign-on (SSO) services such as Google, Apple, or Facebook. By doing so, you authorize us to collect, store, and use information made available to us by the third-party provider, including:
- Your full name
- Your primary email address
- A unique identifier associated with your SSO account
- Your profile picture (optional)
We use this information for platform operations ONLY, such as authenticating your identity and pre-populating your profile. We do not receive your password from these services. We will never use this information for marketing or share it with third parties, other than as required to operate the Platform.
1.4. For "Charts" Subscribers (Protected Health Information)
Our obligations change significantly when you subscribe to a feature designed to handle patient data, such as "Charts." Only at this stage, and only within these designated features, are you permitted to enter Protected Health Information (PHI) or other sensitive patient data.
EVAL Health does not own this data. We act as a secure custodian, processing it solely to provide the service to you and your authorized patients.
2. Your Role and Responsibilities with Patient Data
When you use features like "Charts" to manage patient information, you take on specific legal roles and responsibilities.
2.1. Your Status as a Data Controller / Covered Entity
You acknowledge that with respect to any patient PHI you manage on the Platform, you are the "Data Controller" (under GDPR) or the "Covered Entity" (under HIPAA). You are responsible for ensuring you have a legal basis for collecting and processing this data and for complying with all applicable laws.
2.2. Our Role as a Data Processor / Business Associate
In this context, EVAL Health acts as your "Data Processor" (GDPR) or "Business Associate" (HIPAA). We process patient data only on your behalf and according to our agreements with you.
2.3. Business Associate Agreement (BAA)
For practitioners subject to HIPAA, a signed Business Associate Agreement (BAA) is required before you can store any PHI on the Platform. The BAA is a separate legal agreement that governs our respective obligations regarding PHI and is available to all "Charts" subscribers.
2.4. Your Legal and Professional Obligations
You are solely responsible for complying with all laws related to medical record retention. Deleting data from the EVAL Health platform does not absolve you of your professional responsibility to maintain patient records for the legally required period.
3. How We Share and Disclose Information
We share information only in limited circumstances:
- With Service Providers: We use third-party vendors for services like cloud hosting (e.g., Amazon Web Services) and payment processing. These vendors are bound by strict confidentiality and security agreements (including BAAs where applicable) and are only permitted to use the information to provide their services to us.
- For Legal Reasons: We may disclose information if required by law, subpoena, or other valid legal process.
- Information You Share Publicly: The Platform may offer you the ability to publish a professional profile or share clinical applications in the public EVAL Marketplace. These features are strictly voluntary and require your explicit action to enable. When you choose to make information public, you acknowledge that the content you designate—such as your name, professional title, organization, and any applications you publish—will be accessible to anyone on the internet. You are responsible for the information you choose to share in this manner.
- With Your Consent: Beyond the specific cases listed here, we may share your professional information in other ways if you give us your explicit consent.
We will never share or disclose patient PHI for any reason other than to provide the service as directed by you, or as compelled by law.
4. Data Security
We implement robust technical, administrative, and physical security measures to protect all information on our Platform from loss, misuse, and unauthorized access or disclosure. This includes encryption of data in transit and at rest, strict access controls, and regular security assessments.
5. Local Storage for Platform Functionality
We utilize your browser's local storage to provide essential platform functionality and security when you are logged in. This technology is used for the following operational purposes:
- Maintaining your secure, authenticated session.
- Storing authentication information to streamline the login process.
- Caching application files to enhance performance and enable offline use of our tools.
This data is stored directly on your device and is used strictly for these operational purposes.
6. Your Data Protection Rights
As a practitioner, you have rights over your own personal account information:
- Right to Access & Rectify: You can access and update your account information at any time through your profile settings.
- Right to Erasure: You can request the deletion of your practitioner account. Please note that this will not delete patient records for which you are responsible (see Section 2.4).
- Right to Data Portability: You can request an export of your professional account data.
To exercise these rights, please contact us at [email protected].
7. Changes to This Privacy Policy
We may update this policy from time to time to reflect changes in our practices or for legal reasons. We will post any changes on this page and, if the changes are significant, we will provide a more prominent notice or notify you by email.
8. Contact Us
If you have any questions or concerns about this Privacy Policy or our practices, please contact our privacy officer:
Email: [email protected]