C8 Health Inc., a US company with registered office at 1007 North Orange St., Wilmington, DE (US), & Head ToToe mHealth Sàrl, a Swiss company with registered office at Rue de la Rôtisserie 2, c/o Olivier Faivre, avocat, 1204 Geneva (Switzerland) (DBA C8 Health) (“C8 Health,” “we,” “us,” or “our”) welcomes you. We have created this privacy policy (this “Privacy Policy”) because we know that you care about how information you provide to us is used and shared. This Privacy Policy applies to our processing of personal information as defined below, meaning any operation that is performed on personal information, such as collection, storage, use, alteration, disclosure and erasure, through (i) our website at https://c8health.com; (ii) our proprietary Platform, which is provided to you through the website; (iii) information about the users of our Platform provided by hospitals; and (iv) any websites, applications or other digital properties that link to this Privacy Policy (collectively, the “Site”). Please note that we may provide you with different or additional privacy policies or notices when we collect personal information in other contexts or for other purposes.
By browsing, accessing, or using our Site, you are agreeing to the terms of this Privacy Policy and the accompanying Website Terms of Use. Capitalized terms not defined in this Privacy Policy shall have the meaning set forth in our Website Terms of Use.
This Privacy Policy may be updated by us from time to time with or without notice to you.
For residents of the European Union, United Kingdom, Switzerland and the European Economic Area, this Privacy Notice is further supplemented by the Ancillary Privacy Notice in the Annex to this Privacy Policy.
I. THE INFORMATION WE COLLECT AND/OR RECEIVE
C8 Health collects personal information both directly from you, and automatically when you use our Site. For purposes of this Privacy Policy, “personal information” means information that identifies, relates to, or describes an identified or identifiable individual. This does not include aggregated or de-identified information that is maintained in a form that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual.
1. Personal Information Received from Hospitals
We ask hospitals that use our services to provide us with the following information about their users of the Platform: first and last name, work email, department, profession, role, and the level of training of each user. Hospitals may also provide us with the following information, which is optional: rotation, phone number, work phone number or Cisco, pager, speciality, and title.
2. Personal Information Collected Directly From You
If we do not receive the above-mentioned kinds of information directly from the hospital, we will ask you to provide it to us when you log into our product for the first time. We will also process any additional information you choose to disclose in your interactions with us.
3. Personal Information We Derive or Collect Automatically
We and our third-party service providers automatically collect personal information related to your use of our Site and interactions with us and others, including when you enable certain features within our Site. This information may include:
- Device and IT information. When you interact with our Site, we may collect technical information about your device including your IP address; unique identifiers; unique device identifier and device type; domain, browser type, version, and language; operating system and system settings; general location information and time zone; and similar device and usage information.
- Location information. We may collect or derive approximate or precise location information about you. How we collect this information depends on how you use and interact with our Site and on your device settings. For example, we may derive your general location through your IP address. We may collect your precise geolocation (GPS) information from your device or browser. You may turn off precise location information sharing through your device settings.
- Online Activity and Browsing Information. We may use cookies, log files, pixel tags, software development kits (“SDKs”) and other tracking technologies to automatically collect information about your interaction on our Site and with the communications you receive from us. This information includes links clicked, page views, purchases, searches, features used, items viewed, time spent on the Site, and information uploaded.
- Third-Party Analytics. We use third-party analytics services (such as Google Analytics) to evaluate your use of the Site, compile reports on activity (based on their collection of IP addresses, internet service provider, browser type, operating system and language, referring and exit pages and URLs, data and time, amount of time spent on particular pages, and other similar usage data), and analyze performance metrics. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing and using the Site, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy. For more information on these third parties, including how to opt out from certain data collection, please visit the websites below. Please be advised that if you opt out of any service, you may not be able to use the full functionality of the Site. For additional information about Google Analytics, please see https://www.google.com/analytics.
II. HOW AND WHY WE USE YOUR PERSONAL INFORMATION
C8 Health collects, uses, discloses, and otherwise processes the personal information for the following business and commercial purposes:
- To Provide the Site and the Services You Request. When you use our Site (including the Platform), we will use your personal information to provide the requested product or service, such as responding to your inquiries or providing you with access to and securing your account.
- Marketing. As permitted by applicable law, we may use your personal information for marketing purposes, such as informing you about our products and services that could be useful, relevant, valuable, or otherwise of interest to you. You can always opt out of receiving marketing content from us.
- Improving and Evolving our Services. We constantly evaluate and improve our Site and services, including developing new products or services and use the information we gather to do so.
Aggregated Information. In an ongoing effort to better understand users of the Site, we might analyze your personal information in aggregate form in order to operate, maintain, manage, and improve the Site. This aggregate information does not identify you personally.
III. HOW WE DISCLOSE AND SHARE PERSONAL INFORMATION
C8 Health may disclose and share the personal information we collect with the following types of entities and recipients:
- Agents, Administrators and Other Service Providers. We may engage other companies and individuals as service providers to perform certain business-related functions on our behalf. Examples include providing technical assistance, order fulfillment, and customer service (but please note that we do not share or sell any personal information of our users with third parties for their marketing purposes). Our agreements with such vendors require that the vendors (i) use personal information received from us only to provide us with the requested services, (ii) to keep the information secure, and (iii) to delete it at the end of the engagement. We do not allow any third parties to use, or grant them access to, personal information for their own business purposes.
- Group Companies and Affiliates. We may also share your personal information with our parent companies, subsidiaries, or other companies under common control with us on a need-to-know basis only.
- Contractual Partners within Business Transfers. As we develop our company, we might sell or buy other assets or businesses. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, your personal information may be part of the transferred assets associated with such transactions. In the context of a transaction we may also share your personal information with potential transaction partners, service providers, advisors, and other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell or transfer all or a portion of our assets or business.
- Authorities. To the extent permitted by law, we may also disclose your personal information: to court, government or law enforcement authority or regulatory agency (i) when required by law or court order, ; (ii) whenever we believe that disclosing such information is necessary or advisable, for example, to protect the rights, property, or safety of C8 Health or others; or (iii) when necessary to enforce our rights arising from any contracts entered into between you and us, including our Terms of Use and this Privacy Policy or if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of C8 Health, our users, or others.
- Other Third Parties. With Your Consent we may also disclose your personal information to fulfill any purpose for which you provide it or for any other purpose disclosed by us when you provide this information.
Aggregated Information. We may share aggregate data with our affiliates, agents, and business partners, and may share and sell this aggregate information to other unaffiliated third parties. We may also disclose aggregated user statistics in order to describe our Site to current and prospective business partners and to other third parties for other lawful purposes.
IV. CHILDREN'S PRIVACY
We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and you believe we have collected your child’s personal information, please contact us as outlined below.
V. PROTECTION OF PERSONAL INFORMATION
We use a variety of technical, administrative, and organizational security measures, including encryption and authentication tools in certain circumstances, that are intended to protect your personal information. Please be aware that despite our efforts, no data security measures can guarantee security. You can help keep your data safe by taking reasonable steps to protect your personal information against unauthorized disclosure or misuse.
VI. RETENTION OF PERSONAL INFORMATION
We retain your personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy or disclosed to you at the time of collection, unless otherwise required or permitted by law. We keep the customer data for the duration of the entire business relationship and generally delete all customer data (including any personal information) within ninety days of agreement termination, unless retention beyond this duration is required in accordance with legal retention and documentation obligations or needed to assert claims against our company.
VII. MANAGING YOUR PRIVACY RIGHTS AND CHOICES
1. Updating Your Account Information
You can update certain personal information, like your email and phone number, by logging in and updating it through your C8 Health account settings. In order to access the Platform, you will need to use the email address provided to us by the hospital.
2. Opting Out of Direct Marketing
Your organization can choose to opt out of letting some or all of its users receive marketing content from us. Alternatively, you can opt-out individually by following the opt-out or unsubscribe instructions in our messages or by contacting us as outlined below.
3. Managing Your Cookie and Advertising Preferences
There are several ways that you can manage your preferences for cookies and advertising by us and on our Site. You can review or change your preferences for most cookies and tags on our Site, other than those that are necessary for operation and functionality, by adjusting your cookie settings in your browser. These preferences are browser- and device-specific, so you will need to set your preferences for each browser and device you use, and if you subsequently delete or block cookies, you may need to reapply these settings. You may individually select or deselect the types of cookies used on the Site for different purposes. You can object to the use of non-essential cookies at any time, during the first visit and during subsequent visits. Please note that if you decide not to accept cookies from us, certain aspects of the Site may not be available or function properly.
4. Do Not Track
Please note that we do not recognize or respond to any signal which your browser might transmit through the “Do Not Track” feature. If you wish to disable cookies on our Site, you should not rely on any “Do Not Track” feature your browser might have.
VIII. EXTERNAL WEBSITES
The Site may contain links to other third-party websites, products or services not owned or controlled by C8 Health (“External Websites”). C8 Health has no control over the privacy practices or the content of these External Websites. As such, we are not responsible for the content or the privacy policies of those External Websites, and you should check the applicable third-party privacy policy and terms of use when visiting any External Websites.
IX. NOTICE TO NON-U.S. RESIDENTS
The Site and its servers are operated in various countries, including in the United States. We process data of our US customers in the US, and the data of our EU customers in the EU. However, if you are not a customer and are located outside of the United States, please be aware that any information you provide to us maybe transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
If you are a resident of the European Union (“EU”), United Kingdom, Switzerland, Liechtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation, the UK Data Protection Act 2018 or Swiss Data Protection Act 25 Septembre 2020, respectively (the “Local Data Protection Law”) with respect to your Personal Data, as outlined in our Ancillary Privacy Notice in the Annex of this Document.
X. NOTICE TO CALIFORNIA RESIDENTS
Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents who provide us certain personal information are entitled to request and obtain from us, free of charge, information about the personal information (if any) we have shared with third parties for their own direct marketing use. Such requests may be made once per calendar year for information about any relevant third-party sharing in the prior calendar year. To submit a “Shine the Light” request, contact us as outlined below, and include in your request a current California address and your attestation that you are a California resident. Please note, however, that we do not share personal information with third parties for their own direct marketing use, nor have we done so in the past.
XI. NOTICE TO NEVADA RESIDENTS
If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal information to third parties. You can exercise this right by contacting us as outlined in section 14 below with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note, however, that we do not sell personal information to third parties.
XII. CHANGES TO THIS PRIVACY POLICY
This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time with or without notice to you, and any such changes will be posted on the Site. Please be aware that, to the extent permitted by applicable law, our use of your personal information is governed by the Privacy Policy in effect at the time we collect the information. Please refer back to this Privacy Policy on a regular basis.
XIII. HOW TO CONTACT US
If you have questions about this Privacy Policy or if you would like C8 Health to either change, or discontinue the use of, your personal information, please contact us with “Privacy Policy” in the subject line at:
C8 Health, Inc.
2261 Market Street
STE 5399
San Francisco, CA 94114, USA
ANNEX
ANCILLARY PRIVACY NOTICE
Last Update: March 5, 2025
----
If you are a resident of the European Union (“EU”), United Kingdom, Switzerland, Liechtenstein, Norway, or Iceland (an “European Individual”), you may have additional rights under the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018, or the Swiss Data Protection Act 25 Septembre 2020, respectively (each the “Local Data Protection Law”) with respect to your Personal Data, as outlined in this Ancillary Privacy Notice (the “Ancillary Notice”).
For this GDPR Notice, we use the terms “Personal Data” and “processing” as they are defined in the Local Data Protection Law, but “Personal Data” generally means information that can be used to identify a person, and “processing” generally refers to actions that can be performed on data such as its collection, use, storage or disclosure.
If you have a contract with Head ToToe mHealth Sàrl (DBA C8 Health), C8 Health and C8 Health Inc. will be joint controllers of any Personal Data processed in connection with the contract. Otherwise, C8 Health Inc. will be the controller of the Personal Data processed in connection with the services we provide to you. Where applicable, this Ancillary Notice is intended to supplement, and not replace, our Privacy Policy. If there are any conflicts between the Ancillary Notice and the other parts of the Privacy Policy, the policy or portion that is more protective of Personal Data shall prevail to the extent of such conflict.
1. Our Contact Information
Please contact us for any questions, complaints, or requests regarding this Ancillary Notice with the subject line “Data Protection Request” as follows:
C8.health mHealth Sàrl
Avenue d’Aïre 73C
CH-1203 Genève
dataprotection@C8.health
If our are a EU resident, you may also contact us via our Data Protection Representative in the EU, for which we have appointed Prighter Group with its local partners. You can do so by visiting the following website: https://prighter.com/q/18067254811.
2. Types of Personal Data we Collect
We currently collect and otherwise process the kinds of Personal Data listed above in Section I of the Privacy Policy.
3. How we get the Personal Data and why we have it
We receive the Personal Data in the ways and for the purposes listed above in Sections I - III of the Privacy Policy. Under the GDPR, the lawful bases we rely on for processing this information are:
3A. We have a contractual obligation
We process Personal Data as necessary to provide our services in accordance with the Terms of Use and to provide the Site and the services you request in accordance with the Privacy Policy.
3B. We have a legitimate interest
- Information Security: We process contact information, and the information collected through cookies and when you use the Site in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Site usage, combating distributed denial-of-service (DDOS) or other attacks, and removing or defending against malicious individuals or programs.
- App Operation and Improvement and Evolvement of our Services: We process server log information and information collected through cookies pursuant to our legitimate interest in operating and improving our Site.
- General Business Development and Management and Marketing Purposes: We process Personal Data pursuant to our legitimate interest in creating and managing our business relationships with European Individuals, including without limitation:
- To respond to inquiries from European Individuals;
- To provide European Individuals with information about our products and services; and
- To assist European Individuals with any issues while using the Site.
- Protection of Rights: We may also disclose Personal Data to respond to claims of violation of third party rights or to enforce and protect our rights.
3C. We have a legal obligation
We may be required to disclose Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose Personal Data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
3D. Your consent
Subsidiary when no contractual obligation, legitimate interest or legal obligation applies, we will seek your consent to process your Personal Data.
We will in particular seek your consent for the following data processing:
- Audience Measurement and Retargeting: Pursuant to a Site user’s consent, we use analytics cookies, and collect identifiers through such cookies, for purposes of audience measurement, analytics, audience reaction to the Site, and creating relevant Site user experiences.
- Direct Marketing: Generally, we marketing communications to European Individuals pursuant to their consent. When you use the Site, and if allowed under applicable law, we may also send you marketing messages pursuant to our legitimate interest in sending such communications to you in the context of our business relationship.
You can remove your consent at any time. You can do this by contacting us via email at dataprotection@C8.health with the subject line “Data Protection Request.”
4. Transfer of Personal Data Abroad
Recipients of your Personal Data may be within EU, United Kingdom, Switzerland, Liechtenstein, Norway, or Iceland, but they may also be located in any country world-wide. In particular, you must anticipate your Personal Data to be transmitted to the USA where C8 Health Inc is located. The laws of the USA may not provide the same level of protection for your Personal Data as your home country, and your Personal Data may be available to the US government or its agencies under a lawful order made in the USA.
If a recipient is located in a country without adequate statutory data protection, such as the USA, we require the recipient to undertake to comply with data protection obligations. For this purpose, we use the European Commission’s Standard Contractual Clauses, unless the recipient is subject to a legally accepted set of rules to ensure data protection, or if we can rely on an exception. An exception may apply, for example, in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented, or if data has been made available generally by you and you have not objected against the processing.
We also enter into contracts with our data processors that require them to process personal data in a manner that is consistent with this Privacy Notice and the applicable Local Data Protection Law.
5. How we store your Personal Data
We use commercially reasonable administrative, technical, and physical safeguards to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction, for which we take into account the nature of the Personal Data, its processing, and the threats posed to it. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us via email at dataprotection@C8.health.
We retain your Personal Data for as long as needed to fulfill the purposes for which we obtained it, as further described in this Privacy Policy. We will only keep your Personal Data for as long as allowed or required by law.
6. Profiling and Automated Individual Decision-Making
We may partially process your Personal Data automatically with the aim of evaluating certain personal aspects (profiling) for the purposes described in Privacy Policy. In particular, profiling allows us to determine preference data, but also to detect misuse and security risks, perform statistical analysis or for operational planning. For this purpose, we may use evaluation tools that enable us to communicate with you and advertise to you, including market and opinion research.
In any cases, we pay attention to the proportionality and reliability of the results and take measures against misuse of these profiles or profiling. Where these can produce legal effects concerning you or similarly significantly affect you, we ensure human review.
In establishing and carrying out a business relationship, we do not use any fully automated individual decision-making. Should we use such procedures in certain cases, we will inform you separately about this and advise you of your relevant rights if required by law.
7. Your data protection rights
Under Local Data Protection Law, you have rights, which include:
- Right of access: You have the right to ask us for copies of your Personal Data.
- Right to rectification: You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Right to erasure: You have the right to ask us to erase your Personal Data in certain circumstances.
- Right to restriction of processing: You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.
- Right to object to processing: You have the right to object to the processing of your Personal Data in certain circumstances.
- Right to data portability: You have the right to ask that we transfer the Personal Data you gave us to another organization, or to you, in a structured, commonly used and machine-readable format and transmit those data in certain circumstances.
- Right to withdraw consent: You have the right to withdraw your consent where consent is used as the legal basis for processing your Personal Data, without affecting the lawfulness of the processing before such withdrawal;
- Objecting to Legitimate Interest/Direct Marketing: You may object to Personal Data processed pursuant to our legitimate interest. In such case, we will no longer process your Personal Data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your Personal Data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by emailing us or sending us a letter with the subject line “Data Protection Request.” In such case, your Personal Data will no longer be used for that purpose.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please email us or send us a letter with the subject line “Data Protecion Request” if you wish to make a request.
Please note that conditions, exceptions or restrictions apply to these rights under applicable Local Data Protection Law. In particular, we may need to continue to process and keep your Personal Data in order to perform a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permitted, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a subject request in whole or in part (for example by redacting content that concerns third parties or our trade secrets). Please further note that the exercise of these rights may be in conflict with your contractual obligations and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.
8. How to complain
If you have any concerns about our use of your Personal Data, you can make a complaint to us via email or letter with the subject line “Data Protection Request.”
You also have the right to lodge a complaint about the processing of your Personal Data with a supervisory authority of the European state where you work or live or where any alleged infringement of data protection laws occurred.
9. Corporate Restructuring
In the event of a merger, reorganization, dissolution, or similar corporate event, or the sale of all or substantially all of our assets, the information that we have collected, including Personal Data, may be transferred to the surviving or acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such Personal Data as set forth in this Ancillary Notice.
10. Updates to this Ancillary Notice
If, in the future, we intend to process your Personal Data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Ancillary Notice, and the “Last Update” at the top of this page will be updated accordingly.