Privacy Policy

Introduction

Frontera Health, Inc. (hereinafter collectively referred to as “Frontera”, “Company,” “we,” “us” or “our”) is committed to protecting your privacy. The following discloses our information-gathering and dissemination practices for our Company’s website at Fronterahealth.com (the “Website”) and its platform and apps, excluding its community site, (“Platform”) in this Privacy Policy (“Policy”) unless otherwise and explicitly stated. Users on our Platform are referred to herein as “you” from time to time. This Policy explains what Personal Information we collect, how we collect it, and how we use, disclose, and protect your Personal Information collected on our Platform, including how we may use such data for analytics, service improvement, and training of artificial intelligence and machine learning models. If you opt out of such AI training uses, we will not use your Personal Information that was collected after your opt-out request for training AI models, and we will take commercially reasonable steps to exclude your previously collected data from future model training to the extent technically feasible. This Policy describes what categories of personal data we collect, the purposes we use that data for, your choices regarding our use of your personal data, our security measures, and how you can review and correct our data about you. By accessing our Platform, you acknowledge that you have read and understood this privacy statement. For certain processing activities, including the use of your Personal Information for training artificial intelligence and machine learning models, we will seek your explicit consent as required by applicable law, including GDPR and the Colorado Privacy Act (CPA).

HIPAA Privacy

This Privacy Policy is distinct from the HIPAA Notice of Privacy Practices from Frontera, Frontera Entities or healthcare professionals who use our Platform, which is a special notice required by a federal privacy law known as the HIPAA Privacy Rule. The HIPAA Notice of Privacy Practices describes how Frontera Entities or healthcare professionals who use our Platform use “individually identifiable health information” collected by Frontera, both online and offline, to provide services to you and to administer the various programs and products that we administer and are subject to Business Associate Agreements with the Frontera Entities or healthcare professionals who use our Platform. Our Privacy Policy describes how we use your Personal Information that we collect from you on our Platform. The Frontera Notice of Privacy Practices describes how we use your individually identifiable health information that we may collect from you in another manner. This Privacy Policy makes distinctions between Personal Information contained in a Personal Health Record (“PHR”) that you might choose to maintain through one of our secure web portals and personal information otherwise provided through our general publicly available website. This Privacy Policy is distinct from the HIPAA Notice of Privacy Practices, which is a special notice that describes how we may use and disclose your protected health information (“PHI”) to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law.

Data Collection

Data collected directly from visitors. This Policy applies to the operation of the Website that directly links to this statement when you click on “Privacy Policy” in the website footer. Through the Website, we may collect information that can identify you, such as your name, address, telephone number, e-mail address, and other similar information (“Personal Information” or “Your Information”) when it is voluntarily submitted to us (see discussion below about “IP Addresses” if you have a broadband connection). We will use your Personal Information to respond to requests you may make of us, and from time to time, we may refer to your Personal Information to better understand your needs and how we can improve our Website, products, and services. You are not required to provide this information; however, if you choose not to, we may not be able to provide you the requested service. We will clearly indicate which data fields are mandatory for service provision and which are optional at the point of collection. You have the right to limit the collection of your Personal Information to only what is necessary for the specific service you are requesting. Data collected automatically. The Website may use a technology known as web beacons – sometimes called single-pixel gifs – that allow this site to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. Web log information is gathered when you visit one of our webpages by the computer (called a “webserver”) that hosts our Website . The web server automatically recognizes some information, such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using (e.g., Chrome, Edge), the type of operating system you are using (e.g., Windows 10), and the domain name and address of your Internet service provider (e.g., AT&T). Under GDPR and the Colorado Privacy Act, this information constitutes personal data when it can be linked to or is reasonably capable of being associated with you. We may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened. The Website uses cookies and similar tracking technologies. A cookie is a piece of information that our webserver sends to a browser file on your computer when you access a website. We use the following types of cookies: (1) strictly necessary cookies for site functionality; (2) performance cookies to analyze site usage; (3) functional cookies to remember your preferences; and (4) targeting cookies for marketing purposes. You can control cookie settings through your browser, and you may refuse non-essential cookies without affecting your ability to use essential services. For more information about the specific cookies we use, including their duration and purposes, and your choices regarding cookies, please email us at support@fronterahealth.com. The Website uses Internet Protocol (IP) Addresses. An IP Address is a number assigned to your computer by your Internet service provider so you can access the Internet. Generally, an IP address changes each time you connect to the Internet. Note, however, that if you have a broadband connection, depending on your individual circumstances, it is possible that your IP address that we collect, or even perhaps a cookie we use, may contain information that could be deemed personal data under applicable privacy laws. This is because, with some broadband connections, your IP Address does not change and could be associated with your personal computer. We use your IP address to report aggregate information on use and to help improve the Website. Any other information transferred by you in connection with your visit to our Website (“Other Information” – that is, information that cannot reasonably be used to identify you and is not linked to identifiable information) may be included in databases owned and maintained by Frontera or its agents. Frontera maintains these databases in accordance with applicable data protection laws. You retain all rights to your personal data as described in this Policy and as provided by applicable law, including the Colorado Privacy Act. These rights apply regardless of whether the data is characterized as “Personal Information” or “Other Information,” to the extent such data is linked or reasonably linkable to you. Other Information we collect may include your IP address and other information gathered through our weblogs and cookies.

Our Use of Personal Data

We will use Personal Information only for the purposes set forth below and as disclosed to you at the time of collection, based on the following legal bases: (a) your consent, which you may withdraw at any time; (b) performance of the legal contract contained in our Terms of Use with you; (c) compliance with legal obligations; (d) protection of vital interests; (e) performance of tasks in the public interest; or (f) our legitimate interests, where not overridden by your rights and freedoms and where we have conducted a balancing test. For data subjects in the EU/EEA, we will identify the specific legal basis for each processing activity. Services and Transactions. We use your Personal Information to recommend and deliver treatment services through certain Frontera Entities (defined as Frontera Health New Mexico, Frontera Medical P.A., and any present or future affiliate, subsidiary, or parent) or execute transactions you request, such as answering customer service requests, providing information about our products and services, and processing orders. We may also enhance or merge your Personal Information with data obtained from third parties for the same purposes, provided we have verified that such third parties have obtained appropriate consent or have another lawful basis for sharing such data with us. We will provide you with advance notice and an opportunity to opt out of such data enhancement activities before combining your data, and we will honor your opt-out request within 15 days. You may opt out by contacting us at support@fronterahealth.com or through your account settings. We will inform you of the sources of such third-party data and the categories of data obtained. Marketing Communications. With your permission, we may use Your Information to inform you of products or services available from the Company. When collecting information that might be used to contact you about our products and services, we give you the opportunity to opt-out from receiving such communications. Moreover, each email communication we send includes an unsubscribe link allowing you to stop delivery of that type of communication. If you elect to unsubscribe, we will remove you from the relevant email list within 10 business days of receiving your request. Employment Applications. In connection with a job application or inquiry, you may provide us with data about yourself, including your educational background, resume, and other information, including your ethnicity, sex, veteran status or other identifying information, where required or permitted by law. We may use your Personal Information for the purpose of employment consideration. We will keep the information for future consideration unless you direct us not to do so. Website Improvement. We may use data about you to improve our Website (including our security measures) and related products or services, including through analytics and research and development. We may also use your Personal Information for training of artificial intelligence and machine learning models, but only with your explicit opt-in consent. You have the right to opt out of analytics and research uses at any time, and we will honor your opt-out within 15 days. For AI training, if you later withdraw your consent, we will cease using your Personal Information collected after withdrawal for new AI model training and will take commercially reasonable steps to exclude your data from future training cycles of existing models, though we cannot remove data from models already trained. To exercise this right, please contact us using the information in the “Questions about our Privacy Practices” section.

Disclosure of Personal Information

Except as described below, Personal Information that you provide to us via our Platform will not be shared outside of Frontera, or its business partners who have agreed to maintain the confidentiality of your Personal Information and comply with applicable data protection requirements, without your consent or another lawful basis for sharing. Sharing Data with our Contractors. We may share Your Information with agents, contractors, or partners of Frontera in connection with services that these individuals or entities perform for, or with, Frontera. These agents, contractors, or partners are restricted from using this data in any way other than to provide services for Frontera, or services for the collaboration in which they and Frontera are engaged (for example, some of our products may be developed and marketed through joint agreements with other companies). Where applicable to a EU user, we maintain written data processing agreements with all such parties that comply with GDPR Article 28 and applicable Colorado law requirements, and we conduct appropriate due diligence to ensure their data protection capabilities. We will proactively disclose in this Policy, and update at least annually, the categories of third parties with whom we share your data. Upon request, we will provide you with the specific names of third parties with whom we have shared your Personal Information in the preceding 12 months. We may, for example, provide your information to agents, contractors, or partners for hosting our databases, for data processing services, or so that they can send you information that you requested. Security Matters. Frontera reserves the right to share your Personal Information to respond to duly authorized information requests of governmental authorities or where required by law. We will notify you of such requests within 30 days unless legally prohibited from doing so or unless providing such notice would impede a law enforcement investigation. We will document all such disclosures and make records available to you upon request, except where prohibited by law. In exceptionally rare circumstances where national, state, or company security is at issue, or where we are legally prohibited from providing notice, Frontera reserves the right to share information from our database of visitors and customers with appropriate governmental authorities to the extent required or permitted by law. Business Sale. We may also provide your Personal Information to a third party in connection with the sale, assignment, or other transfer of the business of the Platform to which the information relates. We will provide you with at least 30 days advance notice of such transfer and obtain your consent as required by applicable law, including the Colorado Privacy Act. You will have the right to opt out of such transfer or request deletion of your data prior to the transfer, and we will honor such requests to the extent feasible and legally permissible. If the transfer involves your Personal Information that was used to train AI models, we will disclose this fact and explain the limitations on removing such data from trained models. Any such buyer will be required to agree to treat Your Information in accordance with this Privacy Policy and applicable data protection laws. Information You Make Public Through Use of Our Services and User Privacy Settings. Our Platform may contain certain features that give you an opportunity to interact with Frontera and others. These may include chats, forums, message boards, and personal community profiles. When you use these features, you should be aware that any information you submit, including your name, location and email address, may be publicly available to anyone, including other users, search engines, advertisers, third party application developers, and anyone else with access to our Online Services. We are not responsible for any information you choose to submit and make public through these interactive features.

Security

Areas of our Platform that collect Your Information use Transport Layer Security (TLS) 1.2 or higher encryption; however, to take advantage of this, your browser must support TLS 1.2 or higher encryption. Additionally, we take the security of your information very seriously, and enforce additional security efforts via physical, electronic, and administrative procedures in accordance with our SOC-2 compliant security policies. We implement appropriate technical and organizational measures to protect Personally Identifiable Information (“PII”), including SOC-2 compliant security controls. Our security program includes AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit, role-based access controls with multi-factor authentication, regular third-party security audits and penetration testing, and documented incident response procedures with defined escalation protocols and notification timelines. While no method of transmission over the internet or electronic storage is 100% secure, we maintain a comprehensive information security program that is audited for SOC-2 compliance and includes regular security assessments, vulnerability testing, and mandatory employee security training. We highly recommend that you take all reasonable precautions to protect your PII while you are on the internet, including using strong passwords, enabling multi-factor authentication where available, keeping your software updated, and avoiding public Wi-Fi networks when accessing sensitive information.

Reviewing Personal Data

You have the right to access, correct, update, and request deletion of your Personal Information. In some cases, you can review and correct your Personal Information provided through our Platform by going to the page on which you provided the data. For other requests, or if you need assistance, please contact us using the information provided in the “Questions about our Privacy Practices” section. We will respond to your request within 30 days (or 45 days for Colorado residents under the CPA, with possible extension).

International Transfers of Personal Data

Personal data collected on our Platform may be stored and processed in the United States or another country where our service providers are located. By choosing to use our Platform and to provide data to it, you consent to any such transfer of information. We offer our Services only to individuals located in the United States, and we do not advertise our Services outside the United States. If you are located outside the United States and choose to provide your Personal Information to us, please note that we may transfer your Personal Information to the United States or another country where our service providers are located, and such countries may not provide the same data protection. Those who choose to access and use the Services from outside the United States do so on their own initiative, at their own risk, with this understanding.

Links to other Websites

As a convenience to our visitors, our Platform may contain links to a number of sites that we believe may offer useful information.

Children

We are committed to protecting the privacy of children in connection with the use of our Services. Our Platform is not intended for use by individuals under the age of 18. Unless it is with their parent’s or guardian’s consent, we do not knowingly PII from any individual under the age of 18. If you become aware that your child has provided us with personal information without your consent, please contact us at support@Fronterahealth.com.

California Residents Privacy Rights

With respect to the California Consumer Privacy Act of 2018 (“CCPA”), you have certain rights in relation to the Personal Information you share with us. The right to access. You have the right to know and request access to details around the Personal Information that we collect about you. These details include our use of your Personal Information, the categories of third parties with whom your Personal Information is shared, the categories of Personal Information we have collected about you, the categories of sources from which we collect your Personal Information, and the specific pieces of your Personal Information that we collect. These rights are subject to certain exceptions. For example, we cannot share specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of that Personal Information, your account, or the security of our systems of networks. The right to opt-out of the sale of your Personal Information. We do not sell your Personal Information and would not without your consent. The right to delete. You have the right to request the deletion of your Personal Information. However, exemptions to this right exist if the Personal Information pertains to HIPAA as outlined under California Civil Code sections 1798.145(c)(1)(A) and 1798.145(c)(1)(B). Under these codes, information is exempt if it pertains to treatment, payment, or healthcare operations; and if it is properly stored within the guidelines of HIPAA regulations. The right to non-discrimination for exercising your rights. We will not discriminate against you for exercising your legal rights. This extends to the level of quality of services and goods, associated fees or charges, and the denial of any services and goods. If you wish to exercise your rights as outlined above, please see the section below, “Questions about our Privacy Practices”, for contact information.

Questions about our Privacy Practices

If you have questions regarding this Policy or would like to be removed from our email marketing list, please contact us at:

• By email: support@fronterahealth.com
• By phone: (720) 248-8144
• Mailing Address: Frontera, Inc. / Medical Groups, 1517 Blake Street, Suite 250 Denver, CO 80202

You can also make a request to review and correct your Personal Information collected via our websites or submit any inquiries or concerns you may have regarding your Personal Information. We may take steps to verify your identity before providing you access to personal data.

Changes to this Privacy Statement

We may modify this Policy from time to time. We encourage you to read this Policy periodically to ensure you have up-to-date knowledge of our privacy practices. The date of change will be shown next to “Last Updated” at the top of this page. By continuing to access or use the Services after changes to this Policy become effective, you accept the revised Policy. If any changes are unacceptable to you, you may stop using our Services at any time.

Information we collect

The type of personal information we collect depends on your relationship with us. It also depends on how you interact with us. Described below by category is the information we may collect. Contact information. We may collect your name and phone number. We also collect your address and email address. Location information. We may collect information about your location. This may include zip code and state. Professional information. We collect resumes, education, and employment history from job applicants. This includes information about your skills and qualifications for the position. Site usage information. We collect logs and session data when you visit our website. This may include location information. We collect browser and operating system information. We collect what site you came from or what site you visit when you leave us. We also look at the areas of our site you visit and any actions you make. We collect your IP address. We also collect device identifiers. This might include your hardware model.

Business purposes for collecting information

We use information to communicate with you. We use information to respond to your questions. We also use information to communicate with you about our policies and terms. If you apply for a job with us, we use information to process your application. We use information to provide and improve our site. We use information to make our site better. This may include customizing your experience with us. We also use information to improve our services. We use information for marketing purposes. We may use information to let you know about new developments and services. This may be about our offers or offerings of third parties. We also use information to send you newsletters or other content we think you may find interesting. Targeted ads. As permitted by law, we also use certain categories of information to serve you with ads we think you will find interesting. We might do this based on your browsing habits or other activities. These could be on ours or others’ platforms. (This is often called interest-based, targeted or “cross contextual” advertising.) We might do this on social media platforms. This may occur after you leave our sites or platforms and may encourage you to return. We use information to protect ourselves and others. We use information to protect our company. For example, to identify fraud or secure our systems. We may also use information to protect our website visitors. We use information for other purposes as permitted by law or as we may disclose to you.

Methods of collecting information

We collect information directly from you. We collect information if you contact us or submit it to us. This could be in person. It may also be over the phone or online. We collect information passively. We collect information about users over time and across different websites. We may do this on our websites and in emails that we send to you. We also work with third parties that collect personal information this way. We may use several common tracking tools to collect information. Tracking tools include browser cookies and web beacons. To learn more about cookies visit the FTC’s Online Tracking Page. We may work with others to gather information on our platforms and elsewhere. We collect information about you from others. For example, business partners may provide information about you to us. We may also collect information from referrals or industry associations or other public sources.

We combine information

We combine information we collect from you on the website with information we receive from you offline. We combine information that we have collected across other third party sites. We combine information across devices, such as computers and mobile devices. We also combine information you provide with information we obtain from third parties.

When we share information with others

We may share information within our family of companies. We may share information with our affiliates, parent company, and other related companies. This includes current and future companies. We share information with vendors who perform services on our behalf. We may share information with trusted vendors that provide us with services. For example, vendors who help us host and operate the site. We share information if we think we have to in order to comply with the law or to protect ourselves. We share information we collect about you to respond to a court order or subpoena. We share information in response to a government agency or investigatory body request. We share information we collect when we investigate potential fraud. We share information with any successor to all or part of our business. If all or part of our business was sold, we may share information as part of that transaction. If there is a merger or acquisition, we may also share your information. If there is a financing or bankruptcy, we may share your information. We share information as permitted by law and for other reasons we may describe to you.

You have certain choices

You can opt out of receiving our marketing emails. To stop receiving our promotional emails, follow the “unsubscribe” instructions in any promotional email communication you get from us. Even if you opt out of getting marketing messages, we will still send you transactional messages. For example, this includes responses to your questions. OUR COOKIE AND AD POLICY You can control cookies and tracking tools. Your browser may give you the ability to control cookies or other tracking tools. How you do so depends on the type of tool. Certain browsers can be set to reject browser cookies. If you block cookies, certain features on our sites may not work. If you block or reject cookies, not all of the tracking described here will stop. Additionally, the Self-Regulatory Program for Online Behavioral Advertising provides consumers with the ability to manage certain choices online here and provides a tool for managing mobile choices here. Our Do Not Track Policy: Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. Options you make are browser and device specific.

How we protect information

We use reasonable security measures as required by relevant law. The Internet is not 100% secure. We cannot promise that your use of our sites or apps will be completely safe. We encourage you to use caution when using the Internet. This includes not sharing your passwords.

We store information in the United States

Information we collect is stored in the United States. This site is intended for people who are in the United States. If you live outside of the United States and choose to use this site you understand that it is at your own risk. If you live outside of the US, you understand and agree that we may transfer your information to the US. Our sites and businesses are subject to US laws, which may not afford the same level of protection as those in your country. By submitting your information, you agree to the processing of it in the US.

Third-party sites and links

If you click on a link to a third-party site, you will be taken to websites we do not control. This includes our pages on social media sites. This policy does not apply to the privacy practices of these websites. Read the privacy policy of other websites carefully. We are not responsible for these third-party practices.

These sites are not intended for children

Our sites are meant for adults. We do not knowingly collect personally identifiable information online from children under 13. If you are a parent or legal guardian and think your child under 13 has given us information, you can email us. You can also write to us at the address listed at the end of this policy. Please mark your inquiries “COPPA Information Request.” Parents, you can learn more about how to protect children’s privacy on-line here.

Contact us and updates to this policy

If you have questions about this Policy, you can email us at support@fronterahealth.com. We may make changes or updates to this Policy. We will notify you of any material changes to this Policy as required by law. All changes will also be posted on our website. Please check our site periodically for updates.