Privacy Policy Addendum for California Residents
Last updated: May 27, 2025
Introduction
This Privacy Policy Addendum for California Residents (this “California Privacy Addendum”) supplements the information contained in Oar Health, Inc.’s (“Oar,” “we,” “our,” or “us”) Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“Consumers” or “you”). We adopt this California Privacy Addendum to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”) and any terms defined in the CPRA have the same meaning when used in this California Privacy Addendum.
Applicability
This California Privacy Addendum applies to information that we collect on our Website that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your device (“Personal Information”). However, publicly available information that we collect from government records and deidentified or aggregated information (when deidentified or aggregated as described in the CPRA) are not considered Personal Information and this California Privacy Addendum does not apply to such information.
This California Privacy Addendum also does not apply to certain Personal Information that is excluded from the scope of the CPRA, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 and the California Confidentiality of Medical Information Act or clinical trial data. Specifically, certain health and medical information you elect to provide through our intake assessments is governed by the California Confidentiality of Medical Information Act and is processed for clinical care purposes. As such, it is not subject to this California Privacy Addendum.
Personal Information We Collect About You
Our Website collects, and over the prior twelve (12) months has collected, the following categories of Personal Information:
Personal Information Category | Applicable Pieces of Personal Information Collected |
---|---|
Identifiers | A real name; postal address; Internet Protocol address; email address; driver’s license number; and passport number. |
Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name; address; telephone number; passport number; driver’s license or state identification card number; credit card number, debit card number, or any other financial information. Some Personal Information included in this category may overlap with other categories. |
Protected classification characteristics under California or federal law | Age (40 years or older); and sex (including gender, gender identity, or gender expression) (to the extent that you disclose such information to us through the screening tool on the Website). |
Commercial Information | Records of personal property, products, or services purchased, obtained, or considered. |
Internet or other similar network activity | Browsing history; search history; Information on a consumer’s interaction with a website, application, or advertisement. |
Inferences drawn from other Personal Information | Profile reflecting a person’s preferences; characteristics; predispositions; behavior; attitudes; abilities; and aptitudes. |
Sensitive Personal Information (“Sensitive Personal Information”) | Government identifiers (e.g., driver’s license, state identification card, or passport number). |
Oar will not collect additional categories of Personal Information without providing you notice. As further described below, we do not (i) “sell” any categories of Personal Information for monetary or other valuable consideration, or (ii) “share” any categories of Personal Information for cross-context behavioral advertising purposes.
Sources of Personal Information
Oar obtains the categories of Personal Information listed above from the following categories of sources:
Directly from you. For example, from forms or surveys you complete or products and services you purchase.
Indirectly from you. For example, from observing your actions on our Website.
Purposes for Our Collection of Your Personal Information
We limit the collection, use, retention, and sharing of Personal Information to that which is reasonably necessary and proportionate to achieve the business purpose for which the Personal Information was collected or processed (for example, please refer to the “Use of your Personal Information” section of our Website Privacy Policy).
Additionally, pursuant to the CPRA, we may use or disclose the Personal Information we have collected, for the purposes described in our Privacy Policy as well as the following additional purposes:
To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to ask a question about our products or services, we will use that Personal Information to respond to your inquiry.
Performing services on behalf of Oar, including developing our Website, maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
To help maintain the safety, security, quality, and integrity of our Website, products and services, databases and other technology assets, and business, including to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity, and to debug, identify and repair errors that impair existing intended functionality.
For testing, research, analysis, and product development and demonstration, including to develop and improve our Website, products, and services.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Oar’s assets, whether as a going concern or as a part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Oar about our Website users is among the assets transferred.
As described to you when collecting your Personal Information or as otherwise set forth in the CPRA.
Oar will not use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Third Parties to Whom We Disclose Your Personal Information for Business Purposes
Oar may disclose your Personal Information to third parties for one or more business purposes. When we disclose Personal Information to non-affiliated third parties for a business purpose, where required by CPRA we enter a contract that describes the purpose, requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for the specific business purposes for which the Personal Information was disclosed or as otherwise permitted by law, and requires the recipient to otherwise comply with the requirements of the CPRA.
In the preceding twelve (12) months, Oar may have disclosed the following categories of Personal Information for one or more of the business purposes described below to the following categories of third parties:
Personal Information Category | Categories of Third-Party Recipients |
---|---|
Identifiers. | Business partners; and affiliates of Oar. |
Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Business partners; and affiliates of Oar. |
Protected classification characteristics under California or federal law. | Business partners; and affiliates of Oar. |
Commercial Information | Business partners; and affiliates of Oar. |
Internet or other similar network activity. | Business partners; and affiliates of Oar; Advertisers and advertising networks; Internet cookie information recipients, such as analytics and behavioral advertising services. |
Inferences drawn from other Personal Information. | Business partners; and affiliates of Oar. |

Sensitive Personal Information Category | Categories of Third-Party Recipients |
---|---|
Government identifiers (e.g., driver’s license, state identification card, or passport number) | Not disclosed. |
We may disclose your Personal Information to the categories of third parties listed above for one or more of the following business purposes:
Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
Helping to ensure security and integrity of our services and IT infrastructure to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes.
Debugging to identify and repair errors that impair existing intended functionality.
Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with us. Our agreements with third parties generally prohibit your Personal Information from disclosure to another third party and from using your Personal Information to build a profile about you or otherwise alter your experience outside your current interaction with us.
Performing services on behalf of us, including maintaining or servicing accounts, providing customer service, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us.
Providing advertising and marketing services, except for cross-context behavioral advertising, to Consumers.
In addition to the above, we may disclose any or all categories of Personal Information to any third party (including government entities and/or law enforcement entities) as necessary to:
Comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information;
Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
Cooperate with law enforcement agencies concerning conduct or activities that we (or one of our service providers) believe may violate federal, state, or local law;
Comply with certain government agency requests for emergency access to your Personal Information if you are at risk or danger of death or serious physical injury; or
Exercise or defend legal claims.
Sales & Sharing of Personal Information
We do not: (i) “sell” Personal Information for monetary or other valuable consideration, and have no actual knowledge of “selling” any Personal Information of consumers under the age of sixteen (16) for monetary or other valuable consideration; or (ii) “share” any Personal Information of consumers with third parties for cross-context behavioral advertising purposes, and have no actual knowledge of “sharing” any Personal Information of consumers under the age of sixteen (16) for such purposes.
Consumer Data Requests
The CPRA provides California residents with specific rights regarding their Personal Information. This section describes your CPRA rights and explains how to exercise those rights. You may exercise these rights yourself or through your Authorized Agent. For more information on how you or your Authorized Agent can exercise your rights, please see Exercising Your CPRA Privacy Rights.
Right to Know and Access (Data Portability) Personal Information
You have the right to request that Oar disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months (a “Right to Know” Consumer Request). You also have the right to request that Oar provide you with a copy of the specific pieces of Personal Information that we have created or otherwise received from a third party about you (a “Data Portability” Consumer Request). Once we receive and confirm your Consumer Request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
The categories of Personal Information we collected about you.
The categories of sources for the Personal Information we collected about you.
Our business or commercial purpose for collecting Personal Information.
The categories of third parties to whom we have disclosed that Personal Information.
The specific pieces of Personal Information we collected about you (also called a data portability request).
We will not disclose any Personal Information that may be subject to an exception under the CPRA. If we are unable to disclose certain pieces of your Personal Information, we will describe generally the types of Personal Information that we were unable to disclose and provide you a description of the reason we are unable to disclose it.
If you would like to make both a Right to Know Consumer Request and a Data Portability Consumer Request, you must make both requests clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. You may make a Right to Know or a Data Portability Consumer Request a total of two (2) times within a twelve (12) month period at no charge.
Correction Rights
You have the right to request that we correct any incorrect Personal Information about you to ensure that it is complete, accurate, and as current as possible. You may review and correct some Personal Information about yourself by logging into the Websites and visiting your “Account” page. You may also request that we correct the Personal Information we have about you as described below under Exercising Your CPRA Privacy Rights. In some cases, we may require you to provide reasonable documentation to show that the Personal Information we have about you is incorrect and what the correct Personal Information may be. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect or if the Personal Information is subject to another exception under the CPRA.
Deletion Request Rights
You have the right to request that Oar delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your Consumer Request (see Your CPRA Rights), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies pursuant to the CPRA. Some exceptions to your right to delete include, but are not limited to, if we are required to retain your Personal Information to complete the transaction or provide you the goods and services for which we collected the Personal Information or otherwise perform under our contract with you, to detect security incidents or protect against other malicious activities, and to comply with legal obligations. We may also retain your Personal Information for other internal and lawful uses that are compatible with the context in which we collected it.
Limiting Our Uses and Disclosures of Sensitive Personal Information
We do not use or disclose your Sensitive Personal Information for any purpose other than the following:
To that use which is necessary to perform the services reasonably expected by an average consumer who requests those services from us.
To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that our use of your Sensitive Personal Information is reasonably necessary and proportionate for such purposes.
To resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions, provided that our use of your Sensitive Personal Information is reasonably necessary and proportionate for this purpose.
To ensure the safety of natural persons, provided that our use of your Sensitive Personal Information is reasonably necessary and proportionate for this purpose.
For short-term, transient use.
To perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us.
To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
Because we only use your Sensitive Personal Information for the above purposes, we do not, and are not required to, provide you with the ability to limit the use of your Sensitive Personal Information for these purposes.
Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not do any of the following as a result of you exercising your CPRA rights: (a) deny you goods or services; (b) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (c) provide you a different level or quality of goods or services; or (d) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Exercising Your CPRA Rights
To exercise the rights described above, please submit a request (a “Consumer Request”) to us by either:
Calling us at: (201) 308-3120
Visiting: https://www.oarhealth.com/
Emailing us at: privacy@oarrx.com
If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request.
Only you, or your Authorized Agent that you authorize to act on your behalf, may make a Consumer Request related to your Personal Information. To designate an Authorized Agent, see Authorized Agents below.
All Consumer Requests must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an Authorized Agent of such a person. This may include verifying information that we may already have about you, such as your name and email address.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm which Personal Information relates to you or the individual for whom you are making the request as their Authorized Agent.
Making a Consumer Request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account.
We will only use Personal Information provided in a Consumer Request to verify the requestor’s identity or authority to make the request.
Authorized Agents
You may authorize your agent to exercise your rights under the CPRA on your behalf by registering your agent with the California Secretary of State or by providing them with power of attorney to exercise your rights in accordance with applicable laws (an “Authorized Agent”). We may request that your Authorized Agent submit proof of identity and that they have been authorized to exercise your rights on your behalf. We may deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights.
Response Timing and Format
We will confirm our receipt of your Consumer Request within ten (10) business days of its receipt. We will generally process a Consumer Request within forty-five (45) days of its receipt. If we require more time (up to an additional 45 calendar days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the twelve (12) month period preceding the Consumer Request’s receipt. The response we provide will also explain the reasons we cannot comply with your Consumer Request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically a CSV file.
We do not charge a fee to process or respond to your Consumer Request unless it is excessive, repetitive, or manifestly unfounded. We reserve the right to consider more than two (2) total Right to Know or Data Portability Consumer Requests (or combination of the two) in a twelve (12) month period to be repetitive and/or excessive and require a fee. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Information Retention Periods
We will keep your Personal Information for no longer than is necessary for the purpose(s) it was provided for. Further details of the periods for which we retain Personal Information are available on request. However, we may retain any or all categories of Personal Information when your information is subject to one of the following exceptions:
When stored in our backup and disaster recovery systems. Your Personal Information will be deleted when the backup media your Personal Information is stored on expires or when our disaster recovery systems are updated.
When necessary for us to exercise or defend legal claims.
When necessary to comply with a legal obligation.
When necessary to help ensure the security and integrity of our Website.
Changes to Our California Privacy Addendum
Oar reserves the right to amend this California Privacy Addendum at our discretion and at any time. When we make changes to this California Privacy Addendum, we will post the updated addendum on the Website and update the addendum’s last updated date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this California Privacy Addendum, the ways in which Oar collects and uses your information described above and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Phone: (201) 308-3120
Website: https://www.oarhealth.com/
Email: privacy@oarrx.com
Postal Address:
Oar Health
10 Jay St, Suite 102
Brooklyn, NY 11201