Last updated: November 11, 2020
- We only collect enough information for You to use the Doxy.me Service;
- We do not sell Your information;
- You have the right to delete all information in Your account;
- The Session (an audio/video conference) is not recorded or otherwise stored on Our servers;
- If You have any questions regarding the Service and how it uses Your Personal Data, You may contact Us; and
- We do not directly collect or process any Protected Health Information.
- If You are a Provider.
- If You are a Patient or someone who connects to a Provider using the Doxy.me Service.
- If You are browsing this web site as a guest.
- Additional terms (including if You are a California resident).
If You reside in the European Union, please view the policy that describes how We process and transfer Personal Data as related to EU citizens. https://doxy.me/en/eu-policy/
If You reside in Canada please view the policy that describes how We process and transfer Personal Data as related to its citizens. https://doxy.me/en/ca-policy/
If You reside in New Zealand, please view the policy that describes how We process and transfer Personal Data as related to its citizens. https://doxy.me/en/nz-policy/
If You reside in Australia, please view the policy that describes how We process and transfer Personal Data as related to its citizens. https://doxy.me/en/au-policy/
Regardless of how You use this website or the Doxy.me Service, this section defines certain terms that are used throughout this policy.
For the purposes of this policy:
- You means the individual accessing or using the Doxy.me Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. You must be at least 18 years of age in order to use the Service.
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Doxy.me Inc., 3445 Winton Pl, Suite 114, Rochester, NY 14623.
- Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
- Service Provider means any natural or legal person who processes data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
- Personal Data is any information that relates to an identified or identifiable individual.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing (among other things) the details of Your browsing history and/or connection information when using the Service.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit, requestor IP address).
- User is someone accessing the Website as a guest, a Provider, or a Patient.
- Protected Health Information (PHI) means any health-related information as defined by applicable law.
Terms specific to the Doxy.me products are:
- Service or Doxy.me Service refers to the doxy.me software products accessible from the Website.
- Provider means a doctor, medical group, or other healthcare professional who has signed up as a “Provider” on the Doxy.me Service.
- Patient refers to an individual who is using the “Patient” component of the Service using a unique URL sent by the Provider to view the Waiting Room (prior to the Session).
- Account means a unique account created for You to access our Service or parts of our Service. This may also be referred to as Your Clinic.
- Website refers to doxy.me, accessible from http://doxy.me
- Session is secure audio and/or video communication between the Patient and the Provider—the key feature of the Doxy.me Service.
- Waiting Room is the web page that is seen by Patients prior to the beginning of a video session. The Provider may change the look and feel of the Waiting Room and upload Provider-specific content.
- Provider Link is the unique URL (web address) that the Patient uses to enter the Provider’s Waiting Room prior to a Session. An example is https://yourclinic.doxy.me/DrSmith
Usage Data is collected automatically when accessing the Service and visiting this Website.
Usage Data may include information such as Your Device’s Internet Protocol address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. However, this Usage Data is de-identified and anonymized and not linked to a particular data. As such, it is not considered personal information; it is incidental to providing the Service.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers, and other diagnostic data.
We may also collect information that Your browser sends whenever You visit this Website or when You access the Service by or through a mobile device.
To learn more about controlling and deleting cookies, please visit this external website: https://www.aboutcookies.org/
Our Service is not intended to be used by anyone under the age of 18. As the Services are self-administered and unmonitored by Us, it is up to both the Provider and Patient to ensure that only adults over 18 use the Services.
If You are a Provider
This section applies only if You sign up and have been given access to a Provider account. Some features are not activated automatically and require explicit authorization by You.
Types of Data Collected
We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. In addition, and anything else You provide in the Waiting Room will be seen by Patients when they “enter” the Waiting Room. Such information includes:
- Email address
- First name and last name
- Position or title*
- National Provider Identifier (NPI)*
- States licensed to practice*
- Mobile number*
- Country, phone number **
* This information is optional.
** Only required if using Stripe payment services; this information is not stored in the Service.
By using the Service, You allow Us to contact You by email regarding Service features, changes, maintenance, and other products that may be introduced from time-to-time. In addition, if You enable email notifications within the Service, We will send You an email notifying You that a Patient is waiting in the Waiting Room.
If You wish to be notified by text message that a Patient is waiting in the Waiting Room, You may optionally provide Your mobile number.
All Your data are processed in secure and HIPAA-compliant cloud services using HealthCare Blocks. This allows Us to focus on creating solutions where high security and privacy are enabled by default. We use industry-best security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of all Your data.
You may elect to login to the Doxy.me Service via a third-party authentication service. This is called Single Sign-On (SSO) and means that You must first authenticate to that third-party identity provider prior to accessing the Service. Facebook and Google identity connectors are built into the Service for the You to optionally use. Also, doxy.me offers a custom feature whereby You may specify Your own SSO service.
By using SSO, You will be transferred to an authentication agent for that particular identity provider where Your login credentials (usually a name and password) are used to verify Your identity. Doxy.me does not have access to credentials used by a third-party identity provider. Once You have authenticated via SSO, a token is returned to Us indicating that Your identity has been verified and You will be granted access to the Service.
You may invite Patients to Sessions by the following methods:
- Email sent by the Service
- Email sent by Your computer or smartphone email system
- Email sent by a web service (e.g., Gmail, Hotmail)
- Mobile text message
Any information You enter into the invitation will be used to create and send the message. Once that task is completed, the information is no longer used and is permanently deleted.
The Service provides a feature whereby You may share all or part Your computer screen with the Patient or You may request to view the Patient’s screen.
There are obvious privacy issues associated with sharing one’s screen. It is up to You to ensure that no sensitive or confidential information (other than that which the Patient is allowed to see) is viewable during the screensharing session.
Conversely, it is up to the Patient to ensure that there is no sensitive or confidential information on their screen prior to agreeing to the screenshare.
Protected Health Information (PHI)
Although the Doxy.me Service is targeted to the healthcare community, no PHI is collected during the video conference between Patient and Provider.
Any health or other sensitive information You discuss or share with Your Patient is encrypted over a secure channel using the SSL Internet protocol. Doxy.me will not, and is not, able to view the audio-video component of the Session.
If You choose to send a file to the Patient, that file will be automatically deleted from Our server 15 minutes after the transfer completes. Conversely, if a Patient sends You a file, it will be automatically deleted 15 minutes after the transfer completes.
If You capture a photo of the Patient, that image will be sent securely and then destroyed after 15 minutes.
Any chats between You and the Patient are temporarily stored in Your computer memory, not on doxy.me servers. Your chat history stays after the Session ends so You may copy to an internal system. Once the browser is closed, the chat history is permanently deleted.
Patient Payment Information
If You choose to ask the Patient to pay You during the Session, You may use the third-party Stripe credit card payment system. Prior to requesting payment, You must setup a Stripe account in the settings section of Your Account. The Patient will receive a payment pop-up screen asking to provide their name and credit card details. All credit card transactions are handled by Stripe. Doxy.me does not capture or utilize any information entered in the payment pop-up screen. For more information, please visit https://stripe.com/
Service Payment Information
If You choose to upgrade the Service for a fee, You have the option to pay via the Stripe third-party credit card payment system. All credit card transactions are handled by Stripe. Doxy.me does not capture or utilize any information entered in the payment pop-up screen but does receive payment information from Stripe when the transaction is completed.
Teleconsent Appointment Consent Form
You may ask or require a Patient to sign a Teleconsent Appointment Consent Form. The purpose of the form is to convey what Telehealth communication is, Patient rights, and obligations for each party. Doxy.me provides a template form or, depending on Your Account type, You may upload Your own form.
After the Patient signs the form, it should be downloaded by both You and Your Patient as it is not stored by the Service and will be permanently deleted.
At any time during the Session, You may disable the audio, video, or both. Doing so may prevent effective communication with the Patient. However, there may be times when You wish to disable the audio or video for personal reasons.
You may terminate the Session at any time.
If You are a Patient
This section only applies if You have received a unique web link (such as https://yourclinic.doxy.me/DrSmith) by a Provider and wish to communicate with the Provider by video conference using the Service. Some features are not activated automatically and require explicit authorization by You.
Types of Data Processed
Name to Enter Waiting Room
A Patient does not need an account or register with doxy.me in order to use the Service.
A Provider will email or text You a Provider Website link in order to enter the Waiting room. When You click on that link, it will take You to the welcome screen and You will be asked to enter Your name and click a “Check In” button.
Your name is only seen by the Provider and used for an initial identification. There is no verification of the entry, nor is there a requirement that You use Your full name. Your name is used only for the current session and is not stored or otherwise used by the Service.
At any time during the Session, You may disable the audio, video, or both. Doing so may prevent effective communication with the Provider. However, there may be times when You wish to disable the audio or video for personal reasons.
You may also terminate the Session at any time.
Protected Health Information (PHI)
Although the Doxy.me Service is targeted to the healthcare community, no PHI is collected during the Session between Patient and Provider. Any health or other sensitive information You discuss or send the Provider is sent over a secure channel using the SSL Internet protocol.
If You choose to send a file to the Provider, that file will be sent securely and then destroyed after 15 minutes.
If Your Provider chooses to capture a photo of You, that image will be sent securely and then destroyed after 15 minutes.
Any chats between You and the Provider are temporarily stored in computer memory, not on doxy.me services. Once the browser is closed, the chat history is permanently deleted.
If You choose to pay the Provider during the Session, a credit card authorization screen will pop-up asking You to provide Your name and credit card details. All credit card transactions are handled by Stripe, a third-party. Doxy.me does not capture or utilize any information You enter in the payment pop-up screen. For more information, please visit https://stripe.com/
Teleconsent Appointment Consent Form
Your Provider may ask You to sign a Teleconsent Appointment Consent Form. The purpose of the form is to inform You of what Telehealth communication is, and Your rights and obligations. You should read the form completely and not hesitate to ask Your Provider for any clarifications.
If You are required to sign the form, Your signature will be electronically captured by using Your mouse and be embedded in the form. The form may be downloaded by both You and Your Provider and is not stored by the Service.
The Service provides a feature whereby You may share all or part of Your computer screen with the Provider. You will be sent a message to confirm that You wish to share Your screen or a specific window.
There are obvious privacy issues associated with sharing one’s screen. It is up to You to ensure that no sensitive or confidential information (other than that which You wish to show the Provider) be viewable during the screensharing session.
For instance, if You do not wish the Provider to see Your email system or other open windows, it would be best to terminate those applications prior to the screenshare.
If You are browsing this website as a guest
When perusing this doxy.me website as a guest:
- No personal data are collected or requested unless You specifically wish to contact us for information (such as pricing, demonstration, or chat).
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which We offer that are similar to those that You have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to us.
We may share Your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
- For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
- With Business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas (such as the doxy.me community support, https://discuss.doxy.me) with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
Legal basis of processing
We may process Personal Data relating to You if one of the following applies:
- You have given Your consent for one or more specific purposes. Note: Under some jurisdictions, We may be allowed to process Personal Data until You object to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law;
- provision of Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which We are subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Us;
- processing is necessary for the purposes of the legitimate interests pursued by the Us or by a third party.
In any case, We will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Retention of Your Personal Data
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.
Disclosure of Your Personal Data
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users of the Service or the public
- Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially standard means to protect Your Personal Data, We cannot guarantee its absolute security.
Information for Residents of California
This part of the document uses the term “personal information” as it is defined in The California Consumer Privacy Act (CCPA).
Categories of personal information collected, disclosed or sold
In this section We summarize the categories of personal information that we’ve collected, disclosed or sold and the purposes thereof.
You can read about these activities in detail in the section titled “Detailed information on the processing of Personal Data” within this document.
Information We collect: the categories of personal information We collect
We have collected the following categories of personal information about You: identifiers, commercial information, and internet information. We will not collect additional categories of personal information without notifying You.
How We collect information: what are the sources of the personal information We collect?
We collect the above-mentioned categories of personal information, either directly or indirectly, from You when You use doxy.me.
For example, You directly provide Your personal information when You submit requests via any forms on doxy.me. You also provide personal information indirectly when You navigate doxy.me, as personal information about You is automatically observed and collected. Finally, We may collect Your personal information from third parties that work with us in connection with the Service or with the functioning of doxy.me and features thereof.
How We use the information We collect: sharing and disclosing of Your personal information with third parties for a business purpose
We may disclose the personal information We collect about You to a third party for business purposes. In this case, We enter a written agreement with such third party that requires the recipient to both keep the personal information confidential and not use it for any purpose(s) other than those necessary for the performance of the agreement.
We may also disclose Your personal information to third parties when You explicitly ask or authorize us to do so, in order to provide You with our Service.
To find out more about the purposes of processing, please refer to the relevant section of this document.
Sale of Your personal information
For our purposes, the word “sale” means any “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration”.
This means that, for example, a sale can happen whenever an application runs ads, or makes statistical analyses on the traffic or views, or simply because it uses tools such as social network plugins and the like.
Your right to opt out of the sale of personal information
You have the right to opt out of the sale of Your personal information. This means that whenever You request us to stop selling Your data, We will abide by Your request.
Such requests can be made freely, at any time, without submitting any verifiable request, simply by following the instructions below.
Instructions to opt out of the sale of personal information
If You’d like to know more or exercise Your right to opt out in regard to all the sales carried out by doxy.me, both online and offline, You can contact us for further information using the contact details provided in this document.
What are the purposes for which We use Your personal information?
We may use Your personal information to allow the operational functioning of doxy.me and features thereof (“business purposes”). In such cases, Your personal information will be processed in a fashion necessary and proportionate to the business purpose for which it was collected, and strictly within the limits of compatible operational purposes.
We may also use Your personal information for other reasons such as for commercial purposes (as indicated within the section “Detailed information on the processing of Personal Data” within this document), as well as for complying with the law and defending our rights before the competent authorities where our rights and interests are threatened or We suffer an actual damage.
We will not use Your personal information for different, unrelated, or incompatible purposes without notifying You.
Your California privacy rights and how to exercise them
The right to know and to portability
You have the right to request that We disclose to You:
- the categories and sources of the personal information that We collect about You, the purposes for which We use Your information and with whom such information is shared;
- in case of sale of personal information or disclosure for a business purpose, two separate lists where We disclose:
The disclosure described above will be limited to the personal information collected or used over the past 12 months.
If We deliver our response electronically, the information enclosed will be “portable”, i.e. delivered in an easily usable format to enable You to transmit the information to another entity without hindrance – provided that this is technically feasible.
The right to request the deletion of Your personal information
You have the right to request that We delete any of Your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on doxy.me, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.).
If no legal exception applies, as a result of exercising Your right, We will delete Your personal information and direct any of our service providers to do so.
How to exercise Your rights
To exercise the rights described above, You need to submit Your verifiable request to us by contacting us via the details provided in this document.
For us to respond to Your request, it’s necessary that We know who You are. Therefore, You can only exercise the above rights by making a verifiable request which must:
- provide sufficient information that allows us to reasonably verify You are the person about whom We collected personal information or an authorized representative;
- describe Your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not respond to any request if We are unable to verify Your identity and therefore confirm the personal information in our possession actually relates to You.
If You cannot personally submit a verifiable request, You can authorize a person registered with the California Secretary of State to act on Your behalf.
If You are an adult, You can make a verifiable request on behalf of a minor under Your parental authority.
You can submit a maximum number of two (2) requests over a period of 12 months.
How and when We are expected to handle Your request
We will confirm receipt of Your verifiable request within 10 days and provide information about how We will process Your request.
We will respond to Your request within 45 days of its receipt. Should We need more time, We will explain to You the reasons why, and how much more time We need. In this regard, please note that We may take up to 90 days to fulfill Your request.
Our disclosure(s) will cover the preceding 12-month period.
Should We deny Your request, We will explain You the reasons behind our denial.
We do not charge a fee to process or respond to Your verifiable request unless such request is manifestly unfounded or excessive. In such cases, We may charge a reasonable fee, or refuse to act on the request. In either case, We will communicate our choices and explain the reasons behind it.
Third-Parties used by doxy.me
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
For a list of sub-processors and third-parties, please visit https://doxy.me/en/sub-processor-list/.
This website and its content is under copyright by Doxy.me – © Doxy.me Inc. 2014-2023. All rights reserved.
Any reproduction or redistribution of part or all of the contents of this site in any form is prohibited. This includes the source code of Doxy.me, all written content, visual representations of graphics, sounds, content, and videos displayed as part of the site.
You may not, except with our written permission, distribute or commercially exploit the content of Doxy.me. You may not transmit it or store it in any other website.