Data Processing Addendum
1. Structure
This Data Processing Addendum ("DPA") is subject to and forms part of the Agreement between True Medicine, Inc. ("Truemed" or "Company") and the applicable Merchant, and governs Truemed's Processing of Personal Data. In the event of a conflict between this DPA and Truemed's Terms, this DPA shall control. Terms used but not defined in this DPA have the meanings ascribed to them in the Agreement.
2. Truemed as a Data Processor, Data Controller, and Business Associate
2.1 Data Processing Roles
| Role | Description |
|---|---|
| Truemed as a Processor | When Truemed Processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of the Merchant, acting as the Data Controller. |
| Truemed as a Controller | When Truemed Processes Personal Data as a Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through the Merchant or the applicable End User. |
| Truemed as a Business Associate | When Truemed Processes personal data that is Protected Health Information as a Business Associate, it is acting as a HIPAA business associate to one or more Telehealth Partners in their capacity as a HIPAA covered entity. |
2.2 Data Processing Purposes
| Role | Purposes |
|---|---|
| Truemed as a Processor | The purposes of Truemed's Processing of Personal Data in its capacity as a Data Processor are to: |
| Truemed as a Controller | The purposes of Truemed's Processing of Personal Data in its capacity as a Data Controller when providing Truemed's Services are to: |
| Truemed as a Business Associate | The purposes of Truemed's Processing of Protected Health Information in its capacity as a Business Associate are to: |
2.3 Categories of Data Subjects and Personal Data
| Category | Description |
|---|---|
| Truemed as a Processor and as a Controller | Truemed may Process the Personal Data of End Users, Merchant representatives, and any natural person who accesses or uses the Truemed Services. |
| Truemed as a Business Associate | Truemed may Process the Protected Health Information of End Users for and on behalf of Truemed's Telehealth Partner(s). |
| Personal Data | If applicable, Truemed may Process payment account details, billing/shipping address, name, order description (including date, time, amount, product or service description), device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, and identity information. |
| Sensitive Data | Truemed may Process Protected Health Information and other Sensitive Data, including information about End Users' health, medical history, and family history, provided by End Users to Truemed, including for and on behalf of Truemed's Telehealth Partner(s). |
3. Truemed Obligations when Acting as a Data Processor
3.1 Obligations
When Truemed is acting as a Data Processor for a Merchant, Truemed will:
process Personal Data on Merchant's behalf and according to its Instructions. Truemed will inform Merchant if, in its opinion, Merchant's Instructions violate or infringe Applicable Data Protection Laws;
ensure that all persons Truemed authorizes to Process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data;
to the extent required by Applicable Data Protection Laws, inform Merchant of each request Truemed receives from Data Subjects (including "verifiable consumer requests" as defined under the CCPA) exercising their rights under Applicable Data Protection Laws to (i) access (e.g., right to know under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased; (iii) restrict or object to Truemed's Processing; or (iv) data portability (collectively "Data Subject Request"). Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to the Merchant as Data Controller, Truemed will not respond to these requests unless it is instructed in writing to do so by the applicable Merchant. Taking into account the nature of the Processing, Truemed will assist Merchant by appropriate technical and organizational measures, insofar as this is possible, to enable Merchant to meet its obligations to respond to a Data Subject Request;
to the extent required by Applicable Data Protection Laws, inform Merchant of each law enforcement request Truemed receives from a Governmental Authority requiring Truemed to disclose Personal Data or participate in an investigation requiring Truemed to disclose Personal Data, unless prohibited by Applicable Laws;
implement and maintain a written information security program to implement the Data Security Measures;
if Truemed experiences a Data Breach, notify Merchant without undue delay, in each case after becoming aware of the Data Breach. To the extent known to Truemed, Truemed's notification will describe in reasonable detail (i) the type of Personal Data that was the subject of the Data Breach, (ii) the categories and potential number of individuals or records affected (including their countries), and (iii) the status of Truemed's investigation and current or planned remediation. Following the notification, Truemed will provide relevant updates to assist Merchant in complying with its obligations under Applicable Data Protection Laws;
to the extent required by Applicable Data Protection Laws and following a written request from Merchant, contribute to audits or inspections by making available audit reports. Following this request, and no more frequently than once annually, Truemed will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding Truemed's Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are Truemed's confidential information; and
at Merchant's choice, delete or return all Personal Data Processed in connection with the Services, and delete existing copies, following termination of the Agreement, except that Truemed will not be required to delete or return that Personal Data, or delete existing copies, to the extent that Truemed's storage of that Personal Data or those copies is (i) required by Truemed to exercise its rights and perform its obligations under this Agreement; or (ii) required or authorized by Applicable Data Protection Laws for a longer period.
3.2 Sub-processors
Truemed engages Sub-processors as necessary to perform the Services. Merchant consents to Truemed's use of its existing Sub-processors and grants Truemed a general written authorization to engage Sub-processors as necessary to perform the Services. Merchant acknowledges that Truemed's Sub-processors are essential to provide the Services and that if Merchant objects to Truemed's use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement (including this DPA), Truemed will not be obligated to provide Services for which Truemed uses that Sub-processor.
Truemed will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on Truemed under this DPA, including the obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, Truemed will remain liable for the acts and omissions of its Sub-processor to the same extent Truemed would be liable if performing the relevant Services directly under this DPA.
3.3 CCPA
If the CCPA applies and Truemed is acting as a Data Processor, Truemed will not: (a) sell or share (as defined under the CCPA) Personal Data; (b) retain, use or disclose Personal Data outside of its direct business relationship with Merchant other than to provide Truemed's Services and as required to comply with Applicable Laws; and (c) combine Personal Data received from Merchant with Personal Data received from or on behalf of an individual or collected from Truemed's own interactions with the individual, except to provide Truemed's Services and as permitted by Applicable Laws. Truemed certifies that it understands and will comply with the requirements in this DPA relating to the CCPA and will provide the same level of privacy protection to Personal Data as required by the CCPA. Truemed will inform Merchant if it determines that it can no longer meet its obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
3.4 Disclaimer of Liability
Notwithstanding anything to the contrary in the Agreement, including this DPA, Truemed will not be liable for any claim made by a Data Subject related to Truemed's acts or omissions, to the extent that such a claim arises from Merchant's breach of Applicable Laws, negligence, or intentional misconduct.
4. Merchant's Obligations as a Data Controller
Merchant acknowledges and agrees that it shall:
only provide Instructions to Truemed that are lawful;
comply with and perform its obligations under Applicable Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, and ensure it has an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this DPA; and
provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) and, where required by Applicable Data Protection Law, obtain all necessary consents, regarding its and Truemed's Processing of Personal Data for the purposes described in the Agreement, including this DPA.
5. Truemed's Obligations as a Data Controller
Truemed shall comply with and perform its obligations under Applicable Data Protection Laws when Processing Personal Data.
6. Definitions
Capitalized terms used but not defined in this DPA have the meanings ascribed to them in the Terms or an Order Form.
"Applicable Data Protection Law" means Applicable Laws that apply to Personal Data Processing under the Agreement and this DPA, including federal, state, and local Applicable Laws relating in any way to privacy, data protection or data security.
"Business Associate" has the meaning ascribed to it in HIPAA.
"CCPA" means California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and its implementing regulations.
"Covered Entity" has the meaning ascribed to it in HIPAA.
"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a "Business" as defined under the CCPA.
"Data Breach" means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party's, or a party's subcontractor's, agent's or representative's, possession or control.
"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a "Service Provider" as defined under the CCPA.
"Data Security Measures" means physical, technical, and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing, including without limitation measures regarding user authentication; vulnerability, patch, and configuration management; application security; and encryption.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, as each have been and may be amended from time to time, and their respective implementing rules and regulations.
"Instructions" means any communication or documentation, including that which may be provided through a Truemed API or written agreements between you and Truemed through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
"Personal Data" means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes "personal information" as defined under the CCPA, but excludes Protected Health Information.
"Process" means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under Applicable Data Protection Laws.
"Protected Health Information" has the meaning ascribed to it by HIPAA.
"Sensitive Data" means sensitive personal data to the extent treated distinctly as a special category of Personal Data under Applicable Data Protection Laws, such as "sensitive personal information" as defined under the CCPA, but excludes Protected Health Information.
"Sub-processor" means an entity a Data Processor engages to Process Personal Data on that Data Processor's behalf in connection with the Services.