1. Introduction

This Privacy Policy explains how Ride RoundTrip, Inc. (“Roundtrip,” “we,” “us,” or “our”) collects, uses, protects, and discloses information. It applies to information we collect when you use or access our website at www.roundtriphealth.com (the “Website”), our software applications (the “Product”), or any other services we provide (collectively, the “Roundtrip Service”).

We are committed to protecting the privacy of our users and the individuals whose information we handle. Your trust is important to us, and we take our data protection responsibilities seriously. If you have any questions, please contact us at privacy@roundtriphealth.com.

2. Changes to This Policy

We may update this Privacy Policy from time to time. If we make changes, we will notify you by revising the “Last Updated” date at the top of the policy. For any material changes, we will provide you with more prominent notice, such as by adding a statement to our Website homepage or by sending you a direct email notification prior to the change becoming effective. We encourage you to review this policy periodically to stay informed.

Your use of the Roundtrip Service after the posting of such changes shall constitute your consent to such changes, so please check the policy periodically for updates. If you have any questions regarding this Privacy Policy, please email privacy@roundtriphealth.com.

3. Information We Collect

We collect information to provide and improve the Roundtrip Service. The types of information we collect depend on how you interact with us.

a. Information You Provide to Us We collect information you provide directly to us or to our customers (e.g., hospitals, healthcare systems, health plans, human services organizations) for use of the Roundtrip Service. This may include:

• Account and Profile Information: Name, email address, phone number, postal address, job function, information about profile preferences, transactional information (including services purchased or subscribed to and the billing address), your registration for and attendance at events, your newsletter subscriptions, as well as any contact or other information you choose to provide. We also store information you upload or provide to the Roundtrip Service (“Content”) to provide you with the features and functionality of the Roundtrip Service.
• Communications: Information you provide when you request customer support, fill out a contact form, participate in a survey, or otherwise communicate with us.

b. Protected Health Information (PHI) As a service provider to healthcare organizations, we are a “Business Associate” under the Health Insurance Portability and Accountability Act (HIPAA). We collect and handle Protected Health Information (PHI) on behalf of these healthcare organizations (“Covered Entities”) to provide our services. This information may include:

• Patient Demographics: Name, date of birth, gender, and contact information.
• Appointment Information: Dates, times, locations, and type of medical appointment.
• Medical Information: Information relevant to coordinating transportation, such as medical conditions, mobility needs, or necessary medical equipment.

Our collection, use, and disclosure of PHI are governed by our Business Associate Agreements (BAAs) with our healthcare customers and by HIPAA.

c. Information We Collect Automatically When you access or use the Roundtrip Service, we automatically collect:

• Log and Usage Data: Information about your activity on our Service, including the features you use, system activity, browser type, browser language, IP address, referral URL, pages visited, and the dates and times of your visits. We monitor user activity in connection with the Roundtrip Service and may collect information about the features you use, Content you upload, download, share, or access while using the Roundtrip Service, the Content you access, and any actions taken in connection with the access and use of your Content in the Roundtrip Service.
• Device Information: Information about the computer or mobile device you use, including the hardware model, operating system and version, and unique device identifiers.
• Information from Cookies and Tracking Technologies: We use cookies and similar technologies to operate and analyze our Service, save your preferences, and compile aggregate data about site traffic and site interaction. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features. We may contract with third-party service providers to assist us in better understanding our site and visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide and Maintain the Service: To operate and improve the Roundtrip Service, including coordinating transportation, enabling you to access your account, and processing transactions.
• To Communicate With You: To send you technical notices, security alerts, administrative messages, and to respond to your comments and requests for customer service and support.
• For Research and Development: To monitor and analyze trends and usage in connection with our Service to improve it and develop new features.
• For Marketing and Promotions: To communicate with you about services, features, surveys, newsletters, offers, and events offered by Roundtrip, where permissible. You may opt out of receiving promotional communications at any time.
• For Personalization: To personalize and improve the Roundtrip Service, and provide content and/or features that match your interests and preferences or otherwise customize your experience on the Roundtrip Service.
• For Automated Decision-Making and Profiling: Currently, Roundtrip does not use automated systems to make decisions that would have a legal or similarly significant effect on you. We are always working to improve the Roundtrip Service, and we may develop features in the future that use algorithms or artificial intelligence to help optimize the Roundtrip Service. Should we introduce any feature that makes automated decisions with a legal or otherwise significant effect on you, we will update this policy to describe the process in detail and provide you with information on how to request human intervention or contest the decision, as required by applicable law.
• To Ensure Safety and Security: To investigate and prevent fraudulent transactions, unauthorized access, and other illegal activities.
• To Comply with Legal Obligations: To comply with applicable laws and regulations, including our obligations under HIPAA.

5. How We Share and Disclose Information

We do not sell your personal information. We only share information as described below:

• With Healthcare Partners: We share information, including PHI, with healthcare providers, transportation companies, and other partners as necessary to coordinate transportation and provide the Roundtrip Service. These disclosures are made in accordance with our BAAs and HIPAA.
• With Vendors and Service Providers: We share information with third-party service providers who need it to perform work on our behalf (e.g., cloud hosting, data analytics, payment processing). These providers are contractually obligated to protect your information and are not permitted to use it for their own purposes. When PHI is involved, we enter into a BAA with the service provider.
• For Legal Reasons: We may disclose information if we believe it’s reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our agreements and policies; to protect the security or integrity of the Roundtrip Service; to protect Roundtrip, our users, or the public from harm or illegal activities; to respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing death or serious bodily injury of any person; or as otherwise directed by you.
• In Connection with a Business Transfer: We may share or transfer information in connection with or during the negotiations of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of any such change in ownership or control of your personal information.
• Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you, in accordance with applicable legal standards like HIPAA.

6. Data Security and Retention

a. Security We implement robust technical, administrative, and physical security safeguards designed to protect the information we process. These measures include data encryption in transit and at rest, access controls, and regular security assessments. However, no security system is impenetrable, and we cannot guarantee the absolute security of your information. In the event of a data breach, we will notify affected Covered Entities, individuals, and/or regulators as required by our agreements and applicable law.

b. Retention We retain personal information for as long as necessary to fulfill the purposes for which we collected it, to provide the Roundtrip Service, to comply with our legal obligations (such as those under HIPAA), resolve disputes, and enforce our agreements. For PHI, we retain and dispose of the information as directed by the relevant healthcare customer in our BAA.

7. Your Privacy Rights and Choices

You have certain rights and choices regarding your information.

a. Account Information You may update or correct your account information at any time by logging into your profile or by emailing us at privacy@roundtriphealth.com.

b. Your HIPAA Rights If your information is considered PHI, you have specific rights under HIPAA, such as the right to access and amend your PHI and receive an accounting of certain disclosures. To exercise these rights, please contact your healthcare provider (the Covered Entity) directly.

c. Your U.S. Privacy Rights (California and Other States) Residents of certain U.S. states, including California, Colorado, Connecticut, Virginia, and Utah, have specific rights regarding their personal information.

Please note the privacy rights described below may not apply to all of your information. In particular, these rights are often not applicable to Protected Health Information (PHI) that we collect and process on behalf of our healthcare customers. PHI is governed by HIPAA, which has its own set of patient rights and data retention requirements that may supersede state privacy laws.

Subject to certain limitations, you have the right to:

• Know and Access: Request to know the categories and specific pieces of personal information we have collected about you.
• Delete: Request that we delete personal information we have collected from you.
• Correct: Request that we correct inaccurate personal information we maintain about you.
• Opt-Out of Sale/Sharing: We do not sell your personal information. You have the right to opt-out of the "sharing" of your information for cross-context behavioral advertising.
• Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of your sensitive personal information to that which is necessary to perform the services.

We will not discriminate against you for exercising your privacy rights.

d. Your Rights for Data from Europe (EEA, UK, Switzerland) If you are an individual in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the right to access, rectify, or erase your personal data, as well as the rights to data portability, to restrict processing, and to object to processing. To exercise these rights, please contact us at privacy@roundtriphealth.com.

e. How to Exercise Your Rights and What to Expect To exercise any of the privacy rights described above, please submit a verifiable request to us by emailing privacy@roundtriphealth.com with “Subject Access Request” within the subject line of the e-mail. You may designate an “Authorized Agent” (such as a person, lawyer, or registered business) to make privacy rights requests on your behalf.

The request should:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. If the request is submitted by an Authorized Agent, proof of authorization is required.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority.

We will confirm receipt of your request within 10 business days and provide information about how we will process it. We endeavor to respond to a verifiable request within the timeframe required by applicable law (e.g., within 45 days for requests under the CPRA). If we require more time, we will inform you of the reason and extension period in writing.

A note on Backups: Please be aware that when we fulfill a deletion request, the relevant data is permanently removed from our live production systems. However, for disaster recovery purposes, this data may remain in our archived backup systems until those backups are purged according to our data retention schedule. We have implemented measures to ensure that any data stored in our backups is isolated and will not be restored to our live systems except for the limited purpose of disaster recovery. Should a backup be restored, we will re-process the deletion request to ensure the data is not inadvertently brought back into a live environment.

8. International Data Transfers

We are based in the United States, and we process and store information on servers located in the U.S. If there is a need to transfer personal information from other regions (such as the EEA, UK, and Switzerland), we use legally-provided data transfer mechanisms, which may include the EU-U.S. Data Privacy Framework, the UK Extension to the DPF, the Swiss-U.S. DPF, and Standard Contractual Clauses.

9. Links to Third-Party Websites

We may place links on the Roundtrip Service, including the Roundtrip blog. When you click on a link to a third-party website from our website or application, your activity and use on the linked website is governed by that website’s policies, not by those of Roundtrip. We encourage you to review the privacy and user policies of such third-party websites.

10. Children's Privacy

The Roundtrip Service is intended for use by adults. We do not knowingly permit individuals under the age of 16 to create an account or use our Service directly.

We understand that we may process information about individuals under 16 when it is necessary to provide the Roundtrip Service (for example, when the patient being transported is a minor). In such cases, the minor's personal information, including any Protected Health Information (PHI), is provided to us by their parent, legal guardian, or a healthcare organization that has obtained the necessary consent or has the authority to provide this information. We do not knowingly collect personal information directly from children.

If you are a parent or guardian and you believe your child has provided us with personal information without your consent, please contact us at privacy@roundtriphealth.com, and we will take steps to delete such information from our systems.

11. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@roundtriphealth.com
Mail:
Ride RoundTrip, Inc.
Attn: Privacy Officer
1516 N 5th St, Coworking Unit 320
Philadelphia, PA 19122