PRIVACY POLICY FOR FIVE JOURNEYS®
Last Revised: September 9, 2025
This privacy notice for Five Journeys® (“Company,” “we,” “us,” or “our”) describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:
- Visit our website at https://fivejourneys.com, or any website of ours that links to this privacy notice
- Download and use our mobile application (Five Journeys®), or any other application of ours that links to this privacy notice
- Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. This policy incorporates our duties and your rights under the Health Insurance Portability and Accountability Act (HIPAA). If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
SUMMARY OF KEY POINTS
- What personal information do we process? We process personal information depending on how you interact with us, the choices you make, and the products you use. This includes information you provide, information collected automatically, and sensitive health information.
- Do we process sensitive personal information? Yes. As a health and wellness service, we process Protected Health Information (PHI) as defined by HIPAA. We process this information with your consent and as permitted by law to provide our Services.
- How do we process your information? We process your information to provide, improve, and administer our Services, manage your healthcare, communicate with you, for security and fraud prevention, and to comply with the law.
- In what situations and with which parties do we share personal information? We may share information in specific situations, such as for treatment, payment, or healthcare operations as required by HIPAA, or in connection with business transfers. We do not sell your personal information.
- How do we keep your information safe? We have implemented organizational and technical security measures to protect your personal and health information. However, no electronic transmission can be guaranteed to be 100% secure.
- What are your rights? You have extensive rights regarding your personal information, including specific rights under HIPAA, GDPR, and CCPA, depending on your location. These include the right to access, amend, and request an accounting of disclosures of your health information.
- How do you exercise your rights? The easiest way is by contacting us using the details provided in this notice. We will respond to all requests in accordance with applicable data protection laws.
TABLE OF CONTENTS
1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR GENERAL INFORMATION?
3. HOW DO WE USE AND DISCLOSE PROTECTED HEALTH INFORMATION (PHI)?
4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
6. HOW LONG DO WE KEEP YOUR INFORMATION?
7. HOW DO WE KEEP YOUR INFORMATION SAFE?
8. DO WE COLLECT INFORMATION FROM MINORS?
9. WHAT ARE YOUR PRIVACY RIGHTS AND CHOICES?
10. OUR LEGAL DUTIES UNDER HIPAA
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
We collect personal information that you voluntarily provide when you register on the Services, express interest in our products, participate in activities, or contact us. This may include:
- Identifiers: Names, phone numbers, email addresses, mailing addresses.
- Professional Information: Job titles.
- Account Credentials: Usernames, passwords, contact preferences, and authentication data.
- Payment Data: We collect data necessary to process your payment if you make purchases, such as your credit card number and security code. All payment data is stored by our payment processor, Authorize.net. You can find their privacy notice here.
Sensitive Information / Protected Health Information (PHI)
As part of providing our Services, and with your consent or as permitted by law, we process sensitive health data, which is classified as Protected Health Information (PHI) under HIPAA. This includes information about your past, present, or future physical or mental health or condition.
Information automatically collected
When you visit or navigate our Services, we automatically collect certain information. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, referring URLs, country, location, and other technical information needed for the security and operation of our Services.
Application Data
If you use our mobile application, we may request access to certain features on your mobile device (e.g., calendar, camera, microphone, contacts) if you provide permission. This access is used to enable app features and can be revoked at any time in your device’s settings.
2. HOW DO WE PROCESS YOUR GENERAL INFORMATION?
We process your non-health-related personal information for a variety of reasons, including:
- To facilitate account creation and management.
- To send you marketing and promotional communications, with your consent.
- To respond to your inquiries and offer support.
- For security and fraud prevention.
- To comply with legal obligations.
3. HOW DO WE USE AND DISCLOSE PROTECTED HEALTH INFORMATION (PHI)?
Our use and disclosure of your PHI is strictly governed by HIPAA.
A. Permitted Uses and Disclosures Without Your Written Authorization
- Treatment: We may use or disclose PHI to coordinate and manage your healthcare services. For example, essential information may be shared with hospitals or other medical personnel to ensure continuity of care.
- Payment: We may use PHI to obtain payment for services, such as submitting claims to insurers or for billing purposes.
- Healthcare Operations: We may use PHI for internal processes such as quality improvement, training, licensing, audits, and member communication.
- Public Health and Safety: PHI may be disclosed as required by law to public health authorities (e.g., for disease reporting), or to prevent a serious threat to your health and safety or that of others.
- Legal Obligations: We may release PHI in response to court orders, subpoenas, or other lawful requests by authorities.
B. Uses and Disclosures Requiring Your Written Authorization
Any other use or disclosure of your PHI not outlined above, such as for marketing purposes, requires your specific written authorization. You may revoke this authorization in writing at any time, except to the extent that we have already acted in reliance on it.
4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
We only process your personal information when we have a valid legal reason. This includes your consent, our contractual obligations to provide you with Services, our legal obligations (including under HIPAA), and our legitimate business interests. If you are in a region governed by GDPR or similar laws, you have specific rights related to these legal bases.
5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
We only share information in the following situations:
- HIPAA-Compliant Disclosures: As described in Section 3 for treatment, payment, and healthcare operations.
- Business Transfers: We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of our business. The recipient will be bound to protect your information consistent with this policy.
- Service Providers: We may disclose your information to third-party vendors, consultants, and other service providers who perform services for us under a contractual agreement that requires them to protect the information.
- With Your Consent: We may disclose your personal information for any other purpose with your consent.
We do not sell your personal information.
6. HOW LONG DO WE KEEP YOUR INFORMATION?
We keep your information for as long as necessary to fulfill the purposes outlined in this notice, unless a longer retention period is required or permitted by law. For PHI, retention periods are also governed by federal and state healthcare regulations. When we have no ongoing legitimate business need to process your information, we will either delete or anonymize it.
7. HOW DO WE KEEP YOUR INFORMATION SAFE?
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal and health information we process. However, despite our safeguards, no electronic transmission or storage technology can be guaranteed to be 100% secure. Transmission of information to and from our Services is at your own risk.
8. DO WE COLLECT INFORMATION FROM MINORS?
We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to the minor’s use of the Services. If we learn that personal information from users under 18 years of age has been collected without verifiable parental consent, we will take reasonable measures to promptly delete such data.
9. WHAT ARE YOUR PRIVACY RIGHTS AND CHOICES?
You have various rights regarding your personal data depending on your location.
A. General Rights for All Users
You may review, change, or terminate your account at any time by logging into your account settings or contacting us. Upon your request to terminate your account, we will deactivate or delete it from our active databases, though some information may be retained in our files for legal, security, or backup purposes.
B. Your Rights Under HIPAA Regarding Your PHI
As our client, you have the following rights concerning your Protected Health Information:
- Right to Inspect and Copy: You may request to review and obtain a copy of your PHI. We may charge a reasonable, cost-based fee for this service.
- Right to Amend: If you believe your PHI is incorrect or incomplete, you may request that we amend it. We may deny the request under certain conditions but will provide a written explanation.
- Right to an Accounting of Disclosures: You can request a list of certain disclosures we have made of your PHI, other than those for treatment, payment, or healthcare operations.
- Right to Request Restrictions: You may ask us to limit how we use or disclose your PHI. We will consider all requests but are not legally required to agree, except in certain limited circumstances.
- Right to Request Confidential Communications: You can request that we communicate with you about your health information in a specific way or at a specific location (e.g., only by mail to a P.O. box). We will accommodate all reasonable requests.
C. Rights for Users in the EEA, UK, and Canada
If you are located in these regions, you have rights under GDPR or similar laws, including the right to request access, rectification, erasure, restriction of processing, and data portability. You also have the right to withdraw consent at any time.
D. Rights for California Residents
California residents have specific rights under the California Consumer Privacy Act (CCPA). Please see Section 12 for a full description of these rights.
10. OUR LEGAL DUTIES UNDER HIPAA
We are legally obligated to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice explaining our legal duties and privacy practices.
- Abide by the terms of the Notice currently in effect.
- Notify you promptly in the event of a data breach of your unsecured PHI.
11. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers include a Do-Not-Track (“DNT”) feature. As there is no uniform technology standard for recognizing and implementing DNT signals, we do not currently respond to them.
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
Yes. If you are a California resident, you are granted specific rights regarding your personal information under the CCPA. This includes the Right to Know, the Right to Delete, and the Right to Non-Discrimination. Please note that information governed by HIPAA may be exempt from certain CCPA requirements. For a detailed list of categories of information collected and to exercise your rights, please refer to the contact information at the end of this policy.
Five Journeys® has not sold any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months and will not sell personal information in the future.
13. DO WE MAKE UPDATES TO THIS NOTICE?
Yes. We may update this privacy notice from time to time to stay compliant with relevant laws. The updated version will be indicated by a “Revised” date. We encourage you to review this notice frequently.
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions, wish to exercise any of your rights, or want to file a complaint, please contact us:
- Email: [email protected]
- Phone: 617-934-6400
- Mail: Five Journeys®, 181 Wells Ave, Suite 292, Newton, MA 02459, United States
You also have the right to file a complaint directly with the U.S. Department of Health and Human Services’ Office for Civil Rights without fear of retaliation from us.