O'Conco Privacy Policy

1. Introduction and Scope

This Policy applies to information collected through O'Conco's public website and authorized access to product-specific applications and services.

Questions regarding this Policy may be directed to the attention of the Data Privacy Officer using the contact information above.

We encourage you to read this Policy carefully to understand our practices regarding your data and how we will treat it.

2. Information We Collect

Our public website is primarily informational in nature. Visitors are not required to create accounts, register, or provide personal information in order to browse the website.

When visitors access our website, we may automatically collect limited technical information, including:

• IP address
• Browser type and version
• Operating system
• Device information
• Pages visited
• Referring websites
• Date and time of access

We use Google Analytics and similar tools to better understand website usage and improve website performance and content.

Access to O'Conco product-specific websites is restricted to authorized users. Depending on the application and services provided, we may collect or process:

• Name
• Email addresses
• Company or hospital name
• User account credentials
• Authentication and security information
• Application usage information
• User-entered reporting data
• Quality reporting and abstraction information
• Notes, comments, and other information entered by authorized users
• Report filtering criteria and application settings

Email addresses may be used for account administration, password resets, multi-factor authentication, security notifications, and other service-related communications.

O'Conco provides reporting, analytics, quality improvement, abstraction, and related reimbursement services to healthcare organizations.

In connection with these services, O'Conco may process information on behalf of healthcare-provider clients, including information used for healthcare operations, quality improvement activities, regulatory reporting, and related purposes.

Where applicable, O'Conco acts as a service provider and Business Associate pursuant to contractual agreements and Business Associate Agreements with its healthcare-provider clients, who are considered "Covered Entities" under HIPAA and its applicable rules.

Information processed on behalf of healthcare-provider clients remains subject to the policies and procedures of the applicable healthcare organization. The healthcare organization remains responsible for determining the purposes and permitted uses of such information.

Individuals seeking access to, correction of, or information regarding data maintained on behalf of a healthcare-provider client should contact the applicable healthcare organization directly.

We and our third-party partners may use a variety of tracking technologies to collect information about your interactions with our website and services. These include:

• Cookies: Small text files stored on your device that help us remember your preferences, enable functionality, and analyze site usage. These are set by both our website (first-party cookies) and via our partners (third-party cookies).
• Tracking Scripts / Analytics Tools: Software (such as Google Analytics, or similar) that collects information about how you interact with our website.
• Session Storage: Temporary storage of data during your browser session, which is cleared when you close your browser.
• Device Fingerprinting: Techniques that analyze information from your device, such as browser type, operating system, and settings, to uniquely identify your device.
• Log Files: Automatically recorded information about your device and usage upon each visit.

These technologies may be used to maintain secure user sessions, authenticate users, improve website performance, analyze website usage, and protect our systems and services.

3. How We Use Your Information

We use the collected data for various purposes, based on specific legal bases:

• To Provide and Maintain Our Services: Including to authenticate users and manage accounts, deliver multi-factor authentication and password reset functionality, process your transactions, and deliver the services you request.
• For Customer Support: To respond to your inquiries, provide technical support, and resolve issues.
• For Security and Fraud Prevention: To detect, prevent, and address technical issues, fraud, or illegal activities.

4. How We Share Your Information

O'Conco does not sell personal information. We may share your personal data with third parties in certain circumstances, always ensuring appropriate safeguards are in place.

4.1 Healthcare Clients: Information processed through applications may be accessible to the healthcare organizations that own or control the underlying data.

4.2 Service Providers: We may engage third-party vendors to provide services such as hosting, cloud infrastructure, email delivery, email security, analytics, authentication, security monitoring, backup services, and technical support. These providers are authorized to access information only as necessary to perform services on our behalf and are required to protect such information in accordance with applicable contractual obligations.

4.3 Business Transfers: If O'Conco is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

4.4 Legal Requirements: We may disclose your personal data in the good faith belief that such action is necessary to:

• Comply with a legal obligation (e.g., subpoena or court order).
• Protect and defend the rights or property of O'Conco.
• Prevent or investigate possible wrongdoing in connection with the service.
• Protect the personal safety of users of the service or the public.
• Protect against legal liability.

4.5 With Your Consent: We may disclose your personal data for any other purpose with your explicit consent.

4.6 Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you.

5. International Data Transfers

O'Conco operates exclusively within the United States. Information may be processed by authorized service providers that support our business operations that operate outside of the United States, including providers of cloud services, email services, security services, and infrastructure services.

When engaging such providers, O'Conco takes reasonable steps to ensure appropriate safeguards are in place to protect information consistent with applicable legal and contractual requirements.

6. Data Security and Retention

6.1 Data Security: We employ industry-standard technical and organizational security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: Using SSL/TLS encryption for data in transit (HTTPS)./li>
• Access Controls: Restricting access to personal data to authorized personnel only.
• Data Minimization: Collecting only necessary data.
• Regular Security Audits: Conducting periodic reviews of our security practices.
• Employee Training: Educating our staff on data protection and security.
• Pseudonymization/Anonymization: Where feasible and appropriate

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

6.2 Data Retention: We will retain your personal data only for as long as is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (e.g., for legal, tax, or accounting purposes).

When we no longer need your personal data, we will securely delete or anonymize it in accordance with applicable law.

7. Your Data Protection Rights

Depending on applicable law, individuals may have certain rights regarding personal information maintained by O'Conco.

Because much of the information processed by O'Conco is maintained on behalf of healthcare-provider clients, requests relating to client-owned information should generally be directed to the applicable healthcare organization.

To submit a privacy-related inquiry, please contact us using the information provided in Section 1.

8. Children's Privacy

Our services are intended for business and healthcare-professional use and are not directed to children under the age of 13.

We do not knowingly collect personal information from children under 13. If we become aware that such information has been collected, we will take reasonable steps to delete it.

9. Links to Other Websites

Our services do not contain links to other websites that are not operated by us.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page along with an updated "Last Updated" date.

Continued use of our website or services following the posting of changes constitutes acceptance of the updated Privacy Policy.

11. Questions or Concerns

If you have concerns about our privacy practices, please contact us directly using the details provided in Section 1 above.