1. Introduction
Summit Audience Segments, LLC ("Summit," "we," "us," or "our") is committed to protecting your privacy and handling personal and health-related information responsibly. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our audience data platform, data licensing services, and associated websites (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with the practices described herein, please do not use our Services.
For questions, concerns, or requests related to this Privacy Policy, please contact us at: info@summitaudiencesegments.com
2. Information We Collect
We collect and process several categories of information in connection with providing our Services:
2.1 De-Identified Health Data
Our core data products are built on de-identified health and clinical information derived from prescription fulfillment records, electronic health record (EHR) signals, genomic data, and patient journey markers. This data has been processed in accordance with the HIPAA Safe Harbor and Expert Determination de-identification standards such that it does not constitute Protected Health Information (PHI) under HIPAA. We do not knowingly re-identify de-identified records, and we contractually prohibit our data licensees from doing so.
Categories of de-identified health data we process include:
- Condition and diagnosis codes (ICD-10) stripped of direct identifiers
- Prescription drug class and therapeutic category indicators
- Patient journey stage signals (diagnosis, treatment initiation, refill, discontinuation)
- Geographic data at the ZIP+4 or census-tract level (not street address)
- Genomic variant indicators where available under applicable consent frameworks
2.2 Usage and Platform Data
When you access our platform, website, or client portal, we automatically collect certain technical information, including:
- IP address, browser type, operating system, and device identifiers
- Pages visited, features accessed, time spent, and clickstream data
- Referring URLs and search terms used to find our Services
- Cookies, pixel tags, and similar tracking technologies (see Section 8 below)
- API request logs, including endpoint access timestamps and response codes
2.3 Contact and Account Information
When you register for an account, request a demo, submit a contact form, or enter into a business relationship with us, we collect:
- Full name, job title, and company or organization name
- Business email address and phone number
- Billing and payment information (processed via PCI-compliant third-party processors)
- Contract and agreement execution data
- Communications you send to us via email, chat, or support tickets
2.4 Data Provided by Business Partners
We may receive data about prospective clients or data suppliers from third-party sources, including business intelligence platforms, industry databases, and referral partners. Such data is limited to business contact information and is used solely for B2B outreach and service delivery purposes.
3. How We Use Information
We use the information we collect for the following purposes:
- Service Delivery: To build, maintain, license, and deliver our audience data products and platform features to authorized clients.
- Account Management: To create and administer your account, process transactions, and communicate with you about your relationship with Summit.
- Product Development: To analyze usage patterns, conduct research, and develop new data products, features, and audience segments.
- Compliance and Legal Obligations: To fulfill our obligations under applicable law, including HIPAA, CCPA, and applicable state data protection statutes.
- Security and Fraud Prevention: To monitor for unauthorized access, investigate suspicious activity, and maintain the integrity of our platform and data assets.
- Marketing and Communications: To send you product updates, educational content, event invitations, and promotional materials, subject to your communication preferences.
- Analytics: To measure the performance of our Services and understand how users interact with our platform.
We do not sell, rent, or disclose your personal account information to third parties for their own direct marketing purposes without your explicit consent.
4. HIPAA Compliance
Summit Audience Segments, LLC operates as a business associate and/or covered data partner under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in connection with certain data processing activities. We maintain a comprehensive HIPAA compliance program that includes:
4.1 De-Identification Standards
All health-related data included in our audience products is de-identified in accordance with 45 CFR §164.514(b) using either the Safe Harbor method or the Expert Determination method, as appropriate. We retain documentation of de-identification analyses and make such documentation available to authorized parties under NDA upon request.
4.2 Business Associate Agreements
Where Summit receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity or another business associate, we enter into a Business Associate Agreement (BAA) that satisfies the requirements of 45 CFR §164.504(e). Clients requiring BAA execution should contact info@summitaudiencesegments.com.
4.3 Minimum Necessary Standard
We apply the HIPAA minimum necessary standard to all PHI access and disclosure activities, ensuring that access to health information is limited to the minimum amount necessary to accomplish the intended purpose.
4.4 Breach Notification
In the event of a breach of unsecured PHI, Summit will provide notification in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), including timely notification to affected covered entities, individuals where required, and the Secretary of Health and Human Services.
5. Data Sharing and Third Parties
We may share information with third parties in the following circumstances:
5.1 Authorized Data Licensees
Our de-identified audience data products are licensed to pharmaceutical companies, health systems, insurance organizations, MedTech firms, digital health platforms, demand-side platforms (DSPs), customer data platforms (CDPs), and marketing agencies under executed Data Licensing Agreements. All licensees are contractually prohibited from re-identifying data, combining it with other data in ways that could re-identify individuals, or using it for purposes not specified in their agreements.
5.2 Service Providers
We engage third-party vendors and service providers who process data on our behalf, including cloud infrastructure providers, analytics platforms, payment processors, customer relationship management tools, and email delivery services. These providers are bound by data processing agreements and may only use your information to perform services for Summit.
5.3 Legal Requirements
We may disclose information when required by law, regulation, subpoena, court order, or government demand, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Summit, our clients, or the public.
5.4 Business Transfers
If Summit is involved in a merger, acquisition, asset sale, or other business combination, your information may be transferred to the successor entity. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.
5.5 Aggregated and Anonymized Data
We may share aggregated, anonymized, or statistical information that cannot reasonably be used to identify you with third parties for research, industry reporting, or marketing purposes.
6. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights with respect to your personal information:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.
- Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. To exercise this right, please visit our Do Not Sell or Share My Personal Information page.
- Right to Limit Use of Sensitive Personal Information: You may have the right to limit certain uses and disclosures of sensitive personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a verifiable consumer request, contact us at info@summitaudiencesegments.com. We will respond within 45 days of receipt, with an extension of up to 90 days where reasonably necessary. We may need to verify your identity before processing your request.
Note on De-Identified Data: The CCPA does not apply to de-identified information. Because our core audience data products consist exclusively of de-identified records that cannot reasonably be used to identify individuals, those products are not subject to CCPA consumer rights requests.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention practices include:
- Account and Contract Data: Retained for the duration of the business relationship plus seven (7) years for tax, audit, and legal compliance purposes.
- Platform Usage Logs: Retained for up to twenty-four (24) months for security monitoring and product analytics purposes.
- De-Identified Health Data: Retained and refreshed continuously in accordance with our data supply agreements; aging records are purged on a rolling basis consistent with data quality standards.
- Marketing Communications: Opt-out and preference records are maintained indefinitely to honor your communication choices.
When information is no longer needed, we securely delete or anonymize it in accordance with our data destruction standards.
8. Cookies and Tracking Technologies
Our website uses cookies, web beacons, pixel tags, and similar technologies to enhance functionality, analyze usage, and support our marketing activities. Categories of cookies we use include:
- Strictly Necessary Cookies: Required for the operation of our website and client portal, including authentication and session management.
- Analytics Cookies: Used to understand how visitors interact with our site (e.g., Google Analytics).
- Marketing Cookies: Used to track the effectiveness of our advertising campaigns and deliver relevant ads on third-party platforms.
You can control cookie settings through your browser preferences. Note that disabling certain cookies may affect the functionality of our Services.
9. Security
We implement and maintain administrative, technical, and physical security safeguards designed to protect the information we process against unauthorized access, disclosure, alteration, and destruction. Our security program includes:
- AES-256 encryption for data at rest and TLS 1.2+ for data in transit
- Role-based access controls and multi-factor authentication for all internal systems
- Annual third-party penetration testing and SOC 2 Type II certification
- Employee security awareness training and background screening
- Incident response and business continuity planning
No security system is impenetrable. While we take reasonable precautions to protect your information, we cannot guarantee absolute security. In the event of a security incident affecting your information, we will notify you as required by applicable law.
10. Children's Privacy
Our Services are directed exclusively to healthcare industry professionals and business entities. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete that information.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as via email to registered users). Your continued use of our Services following the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: info@summitaudiencesegments.com
- Mail: Summit Audience Segments, LLC, Privacy Office, 1311 Hymettus Ave., Encinitas, CA 92024
For California-specific requests, please include "CCPA Request" in the subject line of your email. For HIPAA-related inquiries, please include "HIPAA Inquiry" in the subject line.