Privacy Policy
Last updated: June 28, 2023
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of information. It also outlines privacy rights and applicable laws.
The short version:
- We collect as little information as possible;
- We do not sell information;
- Users with accounts may delete their personal information from the system at any time;
- We do not collect, process, store or maintain any Protected Health Information;
- By using this Service, You agree to the terms of this policy.
The long version:
Throughout this Policy, We use the following terms:
- We, Us, Our, the Company, and Shoreline refer to Shoreline Solution Benefit LLC., 250 East 200 South, Floor 16, Salt Lake City Utah 84111.
- Service refers to the Shoreline application hosted on this website.
- Account or Login Account refers to a paid account protected by a username and password.
- Visitor refers to a person who does not have a Login Account. We do not read, collect, process or store any of the following Visitor information: IP Address, cookies, phone number, email address, name, PII or PHI. Typically, Visitors are patients.
- User refers to a person who buys a license to log in and use Shoreline. Users provide their name, email address, and time zone preference to Shoreline.
- You and Your refer to Service Providers, Visitors and Users.
- Service Provider refers to third-party companies or individuals that enable the Shoreline Service to function properly.
- Personal Data refers to name, email address, IP address, or cookies.
- Device means any device that can access the Service such as a computer, laptop, mobile phone or tablet.
- Device Fingerprint refers to your Device’s type, version, and capabilities.
- Usage Data refers to information provided by your browser and Device.
- Cookies are small files that are placed on your Device to identify You or store Your preferences.
- Processing refers to the act of reading information provided by Users, Visitors and their Devices.
- Storage refers to saving information that can later be used by the Service.
- Personally Identifiable Information or PII is protected by federal and state laws and regulations, including federal regulations administered by the U.S. Department of Homeland Security (DHS), and is defined by DHS as “any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.” PII must be protected prior to release in accordance with the Utah Government Records Access Management Act (GRAMA) or other disclosures required by law. For details of what information is personally identifiable, see the U.S. Department of Labor definitions here.
- Aggregate Data refers to compiled records such as number of visits or clicks that cannot be broken down into smaller pieces.
- Protected Health Information or PHI is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) and includes all individually identifiable information that relates to the health or health care of an individual. The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers as follows:
- Patient names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
Processing and Storage of data
The Shoreline Service processes and stores the following data:
Data | Visitor | User |
IP Address, Device Fingerprint, pages visited, features used. | Shoreline does not read, collect, process or store this information. | Processed and Stored to provide usage analytics, auditing and security features. |
Name, avatar, time zone, organization name. | Shoreline does not request, read, collect, process or store this information. | Processed and Stored to provide Service. |
Phone number | Shoreline does not request, read, collect, process or store this information when patient education material is sent through MyChart. Processed when a User sends a Visitor a text message but never Stored, i.e. it’s deleted after We send the message. | Processed and Stored to provide Service. |
Email address | Shoreline does not request, read, collect, process or store this information when patient education material is sent through MyChart. Processed when a User sends a Visitor an email message but never Stored, i.e. it’s deleted after We send the message. | Processed and Stored to provide Service. |
Password | Not applicable. Visitors do not log into the system. | Processed and Stored using a cryptographically secure high-iteration, one-way hash algorithm. |
PHI | The Shoreline Service does not request, read, collect, process or store this information. | The Shoreline Service does not request, read, collect, process or store this information. |
All data that is Processed and Stored is protected in transit by TLS 1.3 encryption and at rest by AES-256 encryption. All data is Processed and Stored in secure and HIPAA-compliant cloud services.
Cookie Policy
We use Cookies as little as possible. The following table describes how Cookies are used to provide the Service.
Cookie Type | Visitor | User |
Shoreline Service Cookies | Not used. | Used to identify Users. |
Third-Party Cookies | Not used. | Not used. |
Children’s Privacy
Our Service is not intended to be used by anyone under the age of 18. Because the Service is self-administered and unmonitored, it is up to Users and Visitors to ensure that only adults over 18 use the Services.
Single Sign-On
Users may elect to log in to the Shoreline Service via a third-party authentication service. This is called Single Sign-On (SSO) and means that Users must first authenticate to that third-party identity provider prior to accessing the Service.
By using SSO, Users will be transferred to an authentication process for that particular identity provider where credentials (often username and password) are used to verify identity. Shoreline does not have access to credentials used by any third-party identity provider. Once Users have authenticated via SSO, a token is returned to Us indicating that the User’s identity has been verified and that the User will be granted access to the Service.
Sharing
Users may send patient education material to Visitors via the following methods:
- Email message sent from Shoreline
- Email message sent from a User’s computer or smartphone
- Mobile text message from Shoreline
- Various methods inside of the Service Provider (Epic) software including Messages, After Visit Summary etc.
Any materials or messages Users send to Visitors are never Stored. In other words, Shoreline forgets phone numbers, email addresses and message text after sending the message.
Protected Health Information (PHI)
Shoreline never asks for PHI.
Service Payment Information
Users can choose to pay for the Service via a third-party payment system. Shoreline does not directly capture or save any payment information. In other words, Shoreline does not store credit card numbers, expiration dates or card verification codes.
Terms of Data Usage
Shoreline may use Users’ Personal Data for the following purposes. Herein the terms You and Your refer to Users.
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which We offer that are similar to those that You have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to us.
- Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
Legal basis of processing
We may process User and Visitor data if one of the following applies:
- You have given Your consent for one or more specific purposes. Note: Under some jurisdictions, We may be allowed to process Personal Data until You object to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law;
- provision of Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which We are subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Us;
- processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party.
In any case, We will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Retention of Your Personal Data
The Company will retain Your Personal Data and Usage Data only for as long as is necessary for the purposes detailed in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if We are required to retain Your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Transfer of Your Personal Data
In cases where We process and store information as outlined in this Policy, third-party Service Providers may Process or Store the information. Processing and Storage may occur outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.
Disclosure of Your Data
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users/Visitors of the Service or the public
- Protect against legal liability
Security of Your Data
We use the latest cryptographic technologies and best practices to encrypt and secure your data in transit and at rest. We do everything possible to protect data, but encryption is not foolproof.
Our employees are trained and audited on security as part of Our Information Security Management Policy. We adhere to standards found in SOC II, ISO-27001 and other organizational security standards.
Information for Residents of California
The provisions contained in this section apply to all Users who are consumers residing in the state of California, United States of America, according to “The California Consumer Privacy Act of 2018” (Users are referred to below, simply as “You”, “Your”, “Yours”), and, for such consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in the privacy policy.
This part of the document uses the term “personal information” as it is defined in The California Consumer Privacy Act (CCPA).
Categories of personal information collected, disclosed or sold
In this section We summarize the categories of personal information that we’ve collected, disclosed or sold and the purposes thereof.
You can read about these activities in detail in the section titled “Detailed information on the processing of Personal Data” within this document.
Information We collect: the categories of personal information We collect
We have collected the following categories of personal information about You: identifiers, commercial information, and internet information. We will not collect additional categories of personal information without notifying You.
How We collect information: what are the sources of the personal information We collect?
We collect the above-mentioned categories of personal information, either directly or indirectly, from You when You use Shoreline.
For example, Users directly provide name, email address and organization name when they create their Account.
How We use the information We collect: sharing and disclosing of Your personal information with third parties for a business purpose
We may disclose the personal information We collect about You to a third party for business purposes. In this case, We enter a written agreement with such third party that requires the recipient to both keep the personal information confidential and not use it for any purpose(s) other than those necessary for the performance of the agreement.
We may also disclose Your personal information to third parties when You explicitly ask or authorize us to do so, in order to provide You with our Service.
To find out more about the purposes of processing, please refer to the relevant section of this document.
Sale of Your personal information
For our purposes, the word “sale” means any “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration”.
Shoreline does not sell Your personal information.
Your California privacy rights and how to exercise them
The right to know and to portability
You have the right to request that We disclose to You:
- the categories and sources of the personal information that We collect about You, the purposes for which We use Your information and with whom such information is shared;
- in case of sale of personal information or disclosure for a business purpose, two separate lists where We disclose:
- The disclosure described above will be limited to the personal information collected or used over the past 12 months.
If We deliver our response electronically, the information enclosed will be “portable”, i.e. delivered in an easily usable format to enable You to transmit the information to another entity without hindrance – provided that this is technically feasible.
The right to request the deletion of Your personal information
You have the right to request that We delete any of Your personal information, subject to exceptions set forth by the law.
If no legal exception applies, as a result of exercising Your right, We will delete Your personal information and direct any of our service providers to do so.
How to exercise Your rights
To exercise the rights described above, You need to submit Your verifiable request to us by contacting us via the details provided in this document.
For us to respond to Your request, it’s necessary that We know who You are. Therefore, You can only exercise the above rights by making a verifiable request which must:
- provide sufficient information that allows us to reasonably verify You are the person about whom We collected personal information or an authorized representative;
- describe Your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not respond to any request if We are unable to verify Your identity and therefore confirm the personal information in our possession actually relates to You.
If You cannot personally submit a verifiable request, You can authorize a person registered with the California Secretary of State to act on Your behalf.
If You are an adult, You can make a verifiable request on behalf of a minor under Your parental authority.
You can submit a maximum number of two (2) requests over a period of 12 months.
How and when We are expected to handle Your request
We will confirm receipt of Your verifiable request within 10 days and provide information about how We will process Your request.
We will respond to Your request within 45 days of its receipt. Should We need more time, We will explain to You the reasons why, and how much more time We need. In this regard, please note that We may take up to 90 days to fulfill Your request.
Our disclosure(s) will cover the preceding 12-month period.
Should We deny Your request, We will explain to You the reasons behind our denial.
We do not charge a fee to process or respond to Your verifiable request unless such request is manifestly unfounded or excessive. In such cases, We may charge a reasonable fee, or refuse to act on the request. In either case, We will communicate our choices and explain the reasons behind them.
Third-Party Links
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, you can contact us by calling us at 1-888-730-5627.