Privacy Policy

Last Updated Date: November 2, 2023

Overview

Nayya Health, Inc. (together with its subsidiaries, “Nayya,” “we,” “our,” or “us”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This Privacy Policy describes (1) the types of personal information we may collect from you or that you may provide when you visit our website located at www.nayya.com (the “Website”), or when you otherwise interact with us; and (2) our practices for collecting, using, protecting and disclosing that information. This Privacy Policy also describes how we collect and use data in connection with our software-as-a-service offering and related professional services that we provide pursuant to written agreements with our customers (herein referred to as the “Services”).

Information We Collect

Nayya Website

Personal information collected from you on our Website will be used to carry out the actions you have requested or authorized. Additionally, we may use your personal information to provide you with information about our Services.

Our Website may collect certain information about your visit, such as the name of your Internet service provider and the Internet Protocol (IP) address through which you access the Internet; the browser you are using; the date and time you access our Website; the pages that you access while at our Website and the Internet address of the Website from which you linked directly to our Website. This information is used to help improve our Website, analyze trends, and administer our Website.

From time to time we may receive personal information about you from third-party sources. For example, a business partner may share your contact information with us if you have expressed interest in learning specifically about our products or services, or the types of products or services we offer. We may obtain your personal information from other third parties, such as marketing partners, publicly-available sources and data providers. We may maintain pages for our Company on social media platforms, such as Facebook, LinkedIn, Twitter, Google, YouTube, Instagram, and other third party platforms. When you visit or interact with our pages on those platforms, the platform provider’s privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.

We provide the opportunity for individuals to “opt-out” of having their personal information (as collected from our Website) used for the purposes set forth above, and we provide the right to be “forgotten” (i.e., we will remove all of your personal information from our records). If you do not wish your personal information (as collected from our Website) to be stored on our systems, or provided to third parties, we will remove your information from these systems. Simply email legal@nayya.com with the details of your request.

Nayya Services

As part of our Services, we provide a web-based software service to our customers (primarily business entities) and their designated third party users (collectively, our “Users”) that utilizes information related to healthcare and lifestyle to offer users a personalized health and lifestyle benefits decision support experience. In providing the Services to our Users, we collect, store and process data that our Users and customers submit to us or instruct us to process. We use such information in order to provide the Services to our Users pursuant to the terms of the written agreement between us and our customer, and we do not use this information for any other purpose.

While our Users and customers decide what information to submit, it typically includes:

  • Name, date of birth, information on family members, compensation
  • Employment information, including information about the identity of your employer, the health plans that your employer offers to you, and the cost of each of those health plans to you
  • Demographic information such as your city, state, country of residence, postal code, and age
  • Medical insurance-related information such as medical insurance usage information, including insurance login information, how much you and your dependents spent on medical care, how you used your medical insurance and how much you paid for medical treatment or medication out of pocket
  • Credit information, such as your consumer report
  • Health and lifestyle information, such as medical conditions and activities

You have the right to withhold this information when it is requested (or to later ask us to delete it). We will tell you what information you must provide to receive the Service by designating it as required at the time of collection or through other appropriate means.

The information collected may include personally identifiable information. When we provide our Services to our Users, in some instances we process personal information about third parties that is provided by our Users.

We use a limited number of third-party service providers to assist us in providing our Services to our Users. These service providers fall into one of the following categories:

  • Hosting providers (Amazon Web Services)
  • Providers of additional functionality for our Services (as set forth in the written agreement between us and our customer)

These third parties may access, collect, process, or store personal information in the course of providing their services. We will only provide personal information to these third parties for the purpose of providing our Services to our Users. We maintain contracts with each of these third parties restricting their access, use and disclosure of personal information.

We may create anonymous, aggregated or de-identified data from personal information you provide. We may make some personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business. Where we have de-identified personal information, we will not attempt to re-identify it, and we will ensure that any third parties who receive such de-identified information are required to not re-identify it.

Cookies and Other Automated Means

We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and activity occurring on or through the Service. Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies serve different purposes, like helping us understand how a site is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience. Our Website and Service may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

The information that may be collected automatically includes your computer or mobile device operating system type and version number, manufacturer and model, device identifier (such as the Google Advertising ID or Apple ID for Advertising), browser type, screen resolution, IP address, the website you visited before browsing to our website, general location information such as city, state or geographic area; and information about your use of and actions on the Service, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our service providers and business partners may collect this type of information over time and across third-party websites and mobile applications.

On our Website, this information is collected using cookies, browser web storage (also known as locally stored objects, or “LSOs”), Flash-based LSOs (also known as “Flash cookies”), web beacons, and similar technologies, and our emails may also contain web beacons. Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, the Website or Service may not work properly.

With Your Consent

In some cases we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.

How We Use Your Personal Information

We use your personal information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

Nayya Website

  • To understand your needs and interests in our products and services
  • Respond to your requests, questions and feedback
  • To send you marketing and promotional communications as permitted by law. You will have the ability to opt-out of our marketing and promotional communications as described in the “Your Rights” section below.

Nayya Service

  • Provide, operate and improve the Service
  • Establish and maintain your user profile on the Service
  • Manage the security features of the Service
  • Understand your needs and interests, and personalize your experience with the Service
  • Provide support and maintenance for the Service
  • Utilization to analyze and improve the service

To Comply With the Law

We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.

Disclosure Required by Law

In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet government authority or law enforcement requirements.

We reserve the right to disclose personal information as required by law and when we believe that disclosure is necessary to protect our legal rights and/or to comply with a judicial proceeding, court order, or legal process.

Access to Personal Information

Nayya Website and Services

We acknowledge the right of individuals to access their personal information as collected through our Website and/or Services. Individuals wishing to review, edit, supplement or delete their personal information as collected may do so by contacting us at legal@nayya.com. We will promptly respond to any such request.

Security Practices

The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.

How We Manage Your Personal Information

Personal Information Collection

Your personal information is collected on a one-time basis or as necessary for the third parties to perform the Service.

Personal Information Transfers

Your information is stored in the United States. If it is necessary to transfer your information, we will ensure that your personal information is protected by appropriate safeguards as required by applicable data protection laws.

Personal Information Retention

We retain your information in line with our Data Management Policy. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise. We may need to retain your information for a longer period where we need the information to comply with regulatory or legal requirements (e.g. HIPAA) or where we may need it for our legitimate purposes e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc. If we don’t need to retain information for this period of time, we may destroy, delete or anonymize it more promptly. This includes user account information affiliated with our Service.

There may be occasions where we are unable to fully delete, anonymize, or de-identify your information due to technical, legal, regulatory compliance or other operational reasons. Where this is the case, we will take reasonable measures to securely isolate your personal information from any further processing until such time as we are able to delete, anonymize, or de-identify it.

Your Rights

Individuals located in certain countries have certain statutory rights in relation to their personal information. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. If you are a Nayya user, you can exercise this right by contacting us at legal@nayya.com.

We only collect, use, and process personal information where we have lawful grounds to do so, which may include, without limitation: (i) in order to provide the requested Services, (ii) in connection with our legitimate interests, (iii) in connection with our fulfillment of legal obligations, or (iv) as otherwise consented to by you. For the avoidance of doubt, we may process personal data for direct marketing purposes as set forth above and you have a right to object to our use of your personal data for this purpose at any time.

Some of the business partners that collect information about users’ activities on or through the Service may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior or mobile application usage for purposes of targeted advertising. Users may opt out of receiving targeted advertising on websites through members of the Network Advertising Initiative by clicking here or the Digital Advertising Alliance by clicking here. European users may opt out of receiving targeted advertising on websites through members of the European Interactive Digital Advertising Alliance by clicking here, selecting the user’s country, and then clicking “Choices” (or similarly titled link). Please note that we also may work with companies that offer their own opt-out mechanisms and may not participate in the opt-out mechanisms that we linked above.

Other Sites, Mobile Applications and Services

The Service may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.

Children

As a general rule, children are not allowed to use the Service and neither our Website nor our Services are directed to children. We define “children” as anyone under 13 years of age. Any personal information of a child we collect has been provided directly by a parent or guardian through use of the Services. If we learn that we have collected personal information of a child without the consent of the child’s parent or guardian, we will delete it. We encourage parents with concerns to contact us.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. We may, and if required by law, will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through the Service.

Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on the Service (or as otherwise indicated at the time of posting). In all cases, your continued use of the Service after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

How to Contact Us

Please direct any questions or comments about this Policy or privacy practices to legal@nayya.com.

PRIVACY RIGHTS ADDENDUM

The California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CCRA”) and other similar state consumer data privacy laws such as the Connecticut Data Privacy Act (“CTDPA”), Colorado Privacy Act (“CPA”) and Virginia Consumer Data Protection Act (“VCDPA”) provide residents with specific rights regarding their personal information. In addition to our Privacy Policy, this Addendum further describes your rights as a resident of these states and explains how to exercise those rights. For purposes of this section, “Personal Information” and “Personal Data” have the meanings given in the CCPA and other similar state consumer data privacy laws, but do not include information exempted from the scope of these laws. In some cases we may provide a different privacy notice to certain categories of residents, such as job applicants, in which case that notice will apply instead of this section.

Depending on your state of residence, you may have the rights listed below with respect to the information we collect from you. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.

Personal Information We Collect, Disclose for a Business Purpose

We collect the following categories of Personal Information.

| Category | Examples (not a comprehensive list) | Service Collected (Yes/No) | Website Collected (Yes/No) |
| --- | --- | --- | --- |
| Identifiers | Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or similar identifiers | Yes | Yes |
| Personal Information Categories under Cal. Civ. Code Sec. 1798.80 | Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information | Yes | Yes |
| Protected classifications under CA or federal law | Age, race, sexual orientation, military status, citizenship, religion or creed, marital status | Yes | No |
| Commercial information | Records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories | Yes | No |
| Biometric information | Physiological, biological or behavioral characteristics, activities, such as imagery of the iris, retina, or fingerprints, from which an identifier template such as a faceprint or voiceprint can be extracted | No | No |
| Internet or other electronic network activity information | Browsing history, search history, and information regarding interaction with an internet website application or advertisement | No | Yes |
| Geolocation data | Location data | Yes | Yes |
| Sensory data | Audio, electronic, thermal, visual, olfactory, or other similar information | No | No |
| Non-Public Education information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records | No | No |
| Additional inferences | Inferences drawn from any of the information identified in this chart to create a profile of a person relating to that person’s preferences, characteristics, behavior, abilities etc | Yes | Yes |
| Sensitive Personal Information | Personal Information that reveals an individual’s Social Security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation information; racial or ethnic origin; the contents of mail, email, and text messages unless we are the intended recipient of the communication; personal information collected and analyzed concerning an individual’s health; biometric information used for the purpose of uniquely identifying an individual; personal information collected and analyzed concerning a consumer’s sex life or sexual orientation | Yes | No |

We collect the Personal Information in the chart in the manner we provide in the Privacy Policy and for the reasons in the Privacy Policy.

Access Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. We will disclose to you:

  • The categories of Personal Information we collect about you.
  • The categories of sources for the Personal Information we collect about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • The specific pieces of Personal Information we collect about you and the right to obtain and reuse this information (also called a data portability request).
  • If we sell or disclose your Personal Information for a business purpose, two separate lists disclosing (1) which disclosures are done for a business purpose, identifying the Personal Information categories that each recipient obtained; and (2) which disclosures are done for sales, if applicable, identifying the Personal Information categories that each category of recipient purchased.

Deletion Rights

You have the right to request deletion of any Personal Information we collect or retain from you, subject to certain exceptions. We retain information for the period of time and purposes described in the Privacy Policy. However, even if you request a deletion, we may deny your request if the information is necessary for us or our service providers to:

  • Complete the transaction for which the Personal Information was collected
  • Detect security incidents and protect against any malicious, fraudulent activity
  • Debug and/or repair errors
  • Exercise free speech, ensure the right of another consumer to exercise that right of free speech, or exercise another right provided by law
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code §1546) or any such similar law or regulation
  • Engage in a public or peer-reviewed scientific, historical or statistical research that complies with all applicable ethics and privacy laws
  • Comply with a legal obligation.

Non-Retaliation Rights

You are entitled to exercise your rights and be free from retaliation. This means that we will not:

  • Deny you goods or services
  • Charge different prices for goods or services for exercising your rights (whether through denying benefits or imposing penalties)
  • Provide you with a different level of quality of goods or services
  • Threaten you with any of the above

Right to Correct Inaccurate Personal Information

You have the right to request a correction of any inaccurate Personal Information we have about you, and we shall use commercially reasonable efforts to make such corrections after we receive a verifiable consumer request.

Right to Limit Sensitive Personal Information.

You have the right to limit our use of your sensitive Personal Information only to what is necessary to perform the services or to fulfill the reason that we collected such information and/or other permissible business purposes.

Opt-Out Rights

We do not sell your Personal Information in the conventional sense (i.e., for money). However, like many companies, we use services that help deliver interest-based ads to you. California law may classify our use of these services as a “sale” of your Personal Information to the companies that provide the services. This is because we allow them to collect information from our website users (e.g., online identifiers and browsing activity) so they can help serve ads more likely to interest you. You can submit an [Opt-out Request](https://support.nayya.com/hc/en us/requests/new) to opt-out of this “sale” of your personal information by one of the means specified below.

If you direct us not to sell your Personal Information, we will consider it a request pursuant to California’s “Shine the Light” law to stop sharing your personal information covered by that law with third parties for their direct marketing purposes.

If we know that you are younger than 16 years old, we will ask for your permission (or if you are younger than 13 years old, your parent’s or guardian’s permission) to sell your Personal Information before we do so.

Third Party Disclosures.

We engage certain trusted third parties to perform functions and provide services to us, including auditing, hosting and maintenance, helping to ensure security, debugging, database storage and management, and direct marketing campaigns. We may share your Personal Information with these third parties, but only to the extent necessary to perform these functions and provide such services. We also require these third parties to maintain the privacy and security of the Personal Information they process on our behalf.

How to Exercise Your Consumer Rights

To exercise your right to access, data portability, correction and/or deletion rights described above, please submit a verifiable consumer request to us by either:

Only you, or if you are a California resident, a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another without hindrance. The verifiable consumer request must:

  • Provide sufficient information that allows us to verify you are the person about whom we collected personal information or an authorized representative
  • Describe your request with sufficient details that allows us to properly understand, evaluate, and respond to it

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

We endeavor to respond to all verified requests within 45 days of receipt of the verified request, although this time may be extended as permitted by law. Depending on your state of residence, you may have the right to appeal our response to a verifiable consumer request by submitting a written request to us by mailing us at legal@nayya.com.

We will respond to your appeal within 45 days of receipt, although this time may be extended as permitted by applicable law. Upon receipt of our appeal decision, depending on your state of residence, you may submit a complaint to the Attorney General’s office.