California and Colorado Privacy Notice
Effective Date: December 22, 2023
- Categories of Personal Information we collect and may share for business and commercial purposes.
The following is a list of all categories of Personal Information specified in
of the CCPA that Doximity has collected from California and Colorado residents in the twelve (12) months prior to the Effective Date, together with (1) examples of the types of Personal Information we collect within that category, and (2) the categories of sources from which we collect such Personal Information:
- Identifiers: (1) examples of what we collect: name, username/password, email address, office and/or home address, office and/or personal phone numbers, ethnicity, voluntary video recordings, and other similar identifiers; (2) sources: you, third parties including public sources, service providers, publications, commercial clients
- Commercial Information: (1) examples of what we collect: records of your purchases of our services, prescribing history and claims data; (2) sources: you, third parties including service providers, commercial clients
- Online Identifiers: (1) examples of what we collect: cookies, device identifiers, IP addresses; (2) sources: you
- Internet or Network Information: (1) examples of what we collect: browsing history, record of your browsing session, search history, and information about your interaction with our websites, applications and advertisements (collectively, “Interaction Data”); (2) sources: you
- Geolocation Data: (1) examples of what we collect: city, state, and zip code; (2) sources: you (directly and indirectly from your IP address)
- Inferences: (1) examples of what we collect: inferred preferences, interests, characteristics, abilities, and attitudes; (2) sources: you
- Professional Employment Information: (1) examples of what we collect: current and past employment; (2) sources: you and third parties including business partners, service providers, commercial clients, employers, public sources, publications
- Protected Classification Characteristics: (1) examples of what we collect: age and sex (we may not intentionally collect this information, but it may be revealed by other information we collect, e.g., photo, year of graduation, affiliations, etc.); (2) sources: you and third parties including business partners, employers, service providers, public sources
- Physical Description: (1) examples of what we collect: physical description apparent from a photo; (2) sources: you, employers, public sources, business partners
(1) examples of what we collect: contents of faxes and messages exchanged through the Service; (2) sources: you and other users of the Service
- Data Retention
- Contents of faxes are stored for up to seven years, but you have the option within your account settings to configure storage for one, three, or seven years.
- Contents of text messages to patients are stored for up to seven days.
- Interaction Data are stored for up to seven years.
- Patient phone numbers and call logs (e.g. the fact that you made a call to a patient, date and time of that call, and duration) are stored for up to seven years.
- Your California and Colorado privacy rights.
California and Colorado residents have the rights listed below. However, these rights are not absolute and exceptions apply, so in certain cases we may decline your request as permitted by law.
You can request the following information about how we have collected and used your Personal Information during the past 12 months:
- The categories of Personal Information that we have collected
- The categories of sources from which we collected Personal Information
- The business or commercial purpose for collecting and/or selling Personal Information
- The categories of third parties with whom we share Personal Information.
- Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient
- Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient
- Access. You can request a copy of the Personal Information that we have collected about you since January 1, 2022.
- Deletion. You can ask us to delete the Personal Information that we have collected from you.
- Opt-out of sales or sharing. If we sell or share (as defined in the CPRA) your Personal Information relating to the “Categories of Personal Information we collect and may share for business and commercial purposes” section above, you may opt-out.
- Nondiscrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.
- Correction. You can correct your own Personal Information displayed on your public profile and your Private Profile Information. You can also ask us to correct Personal Information that we have collected from you.
- Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
- How to exercise your rights
If you are a California or Colorado resident, you may exercise your California and Colorado privacy rights described above, subject to certain exceptions, as follows:
- You can request to exercise your information, access and deletion rights by contacting us via your account at email@example.com. We will verify your request using information associated with your Doximity account. Government or other identification may be required. You may designate an authorized agent to make a request on your behalf, in which event we will require a valid power of attorney and the authorized agent’s government issued identification, and we may verify the authenticity of the request directly with you. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. Also, if we are unable to verify your identity or authority, we may not be able to fulfill your request. We do not keep sufficient information to enable us to readily link an identified individual with information collected from such individual in connection with a prior visit to the Service unless the individual accessed the Service as a logged-in member.
- Note that we may deny your deletion request if retaining your information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- Also, the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication from some of its requirements, including access and deletion rights.
- Response times and format. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
- Contact Information.
If you have any questions about this notice or Doximity’s privacy practices, or wish to exercise your rights under California or Colorado law, please do not hesitate to contact us at:
500 3rd Street, Suite 510
San Francisco, CA 94107
Attn: Legal Department