Upper East Care LLC ("Upper East Care," "RecertMe," "we," "us," or "our") operates the RecertMe platform, mobile applications, and related websites (collectively, the "Service"), which provide healthcare credential management, compliance tracking, continuing education recordkeeping, and credentialing verification services to healthcare professionals, healthcare organizations, employers, and authorized third parties.
This Privacy Policy describes how we collect, use, disclose, store, retain, and protect Personal Information and, where applicable, Protected Health Information (PHI) when you access or use the Service. It also describes the rights and choices available to individuals with respect to their information.
This Privacy Policy is incorporated into and governed by our Terms of Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
This Privacy Policy applies to:
• The RecertMe website at www.recertme.com and any subdomains
• The RecertMe mobile applications for iOS and Android
• The RecertMe employer and organization portals
• Customer support communications, surveys, and other interactions with us
• Marketing materials, newsletters, and promotional communications
This Privacy Policy does not apply to information collected by third parties, including third-party websites, services, or applications that may be linked to or accessed from the Service.
For purposes of this Privacy Policy:
• "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
• "Protected Health Information" or "PHI" has the meaning set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (45 C.F.R. § 160.103).
• "Sensitive Personal Information" includes, where applicable under law, government identifiers, precise geolocation, financial account information, biometric information, health information, racial or ethnic origin, religious beliefs, sexual orientation, and login credentials.
• "Covered Entity" means a health plan, health care clearinghouse, or health care provider that transmits health information electronically, as defined under HIPAA.
• "Business Associate" means an entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of PHI, as defined under HIPAA.
• "Data Controller" and "Data Processor" have the meanings set forth in the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR.
• "Authorized User" means an individual who has registered an account with RecertMe, including healthcare professionals, organization administrators, and credentialing reviewers.
When RecertMe processes Protected Health Information on behalf of a Covered Entity (such as a hospital, health system, or other healthcare provider organization), we act as a HIPAA Business Associate. In this capacity, we are bound by:
• The HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E)
• The HIPAA Security Rule (45 C.F.R. Part 164, Subpart C)
• The HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D)
• The Health Information Technology for Economic and Clinical Health Act ("HITECH")
• The terms of any Business Associate Agreement ("BAA") executed with the relevant Covered Entity
We enter into Business Associate Agreements with all Covered Entity customers prior to receiving, creating, transmitting, or maintaining PHI on their behalf. Where this Privacy Policy and an executed BAA conflict with respect to PHI handling, the BAA controls.
The majority of information processed by RecertMe is professional credentialing information about healthcare professionals themselves (license numbers, certifications, continuing education records, employment history) and is not PHI under HIPAA. However, certain information may constitute PHI when received from or on behalf of a Covered Entity, including:
• Records that link a healthcare professional to specific patients or patient encounters
• Health information about patients embedded in credentialing or peer-review documentation
• Communications from Covered Entities containing patient identifiers
Information about your own health (immunization records, TB tests, fitness-for-duty documentation, drug screening results, employee health records) that you upload directly to RecertMe in connection with your employment or credentialing is treated as Sensitive Personal Information and is protected under this Privacy Policy and applicable state and federal law. While such records are typically not PHI under HIPAA when you are the data subject acting in your capacity as an employee or job applicant, we apply HIPAA-equivalent safeguards to this information.
For users in the European Economic Area, United Kingdom, or Switzerland:
• When healthcare professionals create individual accounts and use the Service for their own credential management, RecertMe acts as a Data Controller with respect to their account information.
• When RecertMe processes Personal Information on behalf of an employer, healthcare organization, or credentialing body, RecertMe acts as a Data Processor for that information, and the employer or organization is the Data Controller.
Account Registration Information:
• Full legal name and any professional names or aliases
• Email address and phone number
• Password (we never store passwords in readable form and have no ability to retrieve your password)
• Date of birth (for identity verification)
• Mailing address
• Profile photograph (optional)
Professional Credentialing Information:
• Professional license numbers, types, issuing authorities, and expiration dates
• Board certifications and specialty certifications
• National Provider Identifier (NPI) number
• DEA registration number (where applicable)
• Educational history (degrees, schools, graduation dates, transcripts)
• Continuing education and continuing medical education (CE/CME) records
• Employment and clinical experience history
• Professional references and peer evaluations
• Curriculum vitae or résumé
• Malpractice and liability insurance information
• Disciplinary actions, sanctions, or adverse events (where disclosed)
• Background check authorizations and results
Health-Related Documentation:
• Immunization records (e.g., Hepatitis B, MMR, Varicella, Tdap, Influenza, COVID-19)
• Tuberculosis (TB) test results and chest X-ray reports
• Drug and alcohol screening results
• Fitness-for-duty examinations
• Mask fit testing records
• Other occupational health records required for healthcare employment
Government and Sensitive Identifiers:
• Social Security number (where required for licensing or background checks)
• Driver's license or government-issued ID
• Passport or visa documentation (for international users)
• Tax identification numbers (for contractors)
Financial Information:
• Billing address and payment card information (processed by a payment processor compliant with applicable payment card industry standards; we do not store full payment card numbers)
• Bank account information (for direct deposit or refunds, where applicable)
Communications:
• Messages, support tickets, feedback, and survey responses
• Records of phone calls with our support team (which may be recorded with notice)
When you use the Service, we automatically collect:
Device and Technical Information:
• IP address and approximate geographic location derived from IP
• Device type, model, manufacturer, and unique device identifiers
• Operating system and version
• Browser type and version
• Mobile carrier and network information
• Screen resolution and language settings
Usage Information:
• Pages, features, and content viewed
• Click and tap patterns
• Time spent on pages and within features
• Date and time of access
• Referring URLs and exit pages
• Error logs and crash reports
• Search queries within the Service
Mobile Device Permissions (with your permission):
When you use our mobile applications, we may request your permission to access certain device features. You will be prompted by your device's operating system before any access is granted, and you may revoke any permission at any time through your device settings.
• Location services — to provide location-aware features such as facility check-in and meeting reminders
• Camera and photo library — to allow you to upload documents, certificates, and identification
• Notifications — to deliver renewal reminders, compliance alerts, and other service-related messages
• Microphone — only if you use voice features within the Service
We access these device features only for the disclosed purposes and only with your permission.
Cookies and Tracking Technologies: See Section 12 for detail.
We may receive information about you from:
• Your employer or healthcare organization when they invite you to the Service or link your account
• Licensing boards, primary source verification services, and credential databases used in healthcare credentialing
• Background check vendors with your authorization
• Continuing education providers that report completed courses to us on your behalf
• Identity verification providers for fraud prevention and compliance
• Single sign-on providers, when you elect to authenticate through them
• Public records (e.g., state license verification websites, sanctions lists, OIG/SAM exclusion lists)
We do not knowingly collect information from children under the age of 16. The Service is intended for healthcare professionals and authorized organizational users, all of whom must be at least 18 years old. If we learn that we have collected information from a child under 16, we will delete it promptly. See Section 15 for our COPPA-related practices.
We use Personal Information (and PHI, where we are acting as a Business Associate) for the following purposes:
• Create, maintain, and authenticate your account
• Manage and display your credentials, certifications, and compliance records
• Track continuing education and CME hours toward licensing requirements
• Send renewal reminders, expiration alerts, and compliance notifications
• Verify uploaded documents through primary source verification
• Generate compliance reports for you and authorized organizations
• Facilitate document sharing with employers and credentialing bodies (only with your explicit consent)
• Process payments and manage subscriptions
• Analyze usage patterns to improve features and user experience
• Conduct research, A/B testing, and product development
• Train and improve machine learning models used for document classification, optical character recognition, and credential extraction (using de-identified or aggregated data where feasible)
• Diagnose technical problems and prevent service disruptions
• Respond to support inquiries and customer service requests
• Send transactional emails (account confirmations, password resets, billing receipts)
• Send service announcements and security notifications
• Send marketing communications (only where permitted by law and subject to your opt-out preferences)
• Conduct surveys and request feedback
• Detect, prevent, and respond to fraud, security incidents, and abuse
• Protect the rights, property, and safety of Upper East Care, our users, and the public
• Verify identity and prevent unauthorized account access
• Comply with legal obligations, court orders, subpoenas, and regulatory requests
• Enforce our Terms of Service and other agreements
• Establish, exercise, or defend legal claims
For users in the EEA, UK, or Switzerland, we process Personal Information on the following legal bases:
Purpose | Legal Basis |
Providing the Service to you under our Terms | Performance of a contract (Art. 6(1)(b)) |
Security, fraud prevention, product improvement | Legitimate interests (Art. 6(1)(f)) |
Marketing communications | Consent (Art. 6(1)(a)), withdrawable at any time |
Processing of health-related data | Explicit consent (Art. 9(2)(a)) or employment/social security obligations (Art. 9(2)(b)) |
Legal and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals without human review. Compliance scoring, expiration flagging, and document classification are advisory tools subject to human verification.
We share information only as described below. We do not sell your Personal Information as that term is defined under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or analogous state laws.
We share information with employers, healthcare organizations, credentialing committees, recruiters, and other third parties only when you provide explicit, informed consent to share specific records with a specific recipient for a specific purpose. You can review and revoke active sharing permissions at any time in your account settings, subject to limits described in Section 6.5.
If you join the Service through an employer, healthcare system, staffing agency, or credentialing body that administers an organizational account, that organization may have visibility into:
• Your credential status, expiration dates, and compliance scores
• Documents you have explicitly designated as visible to that organization
• Activity logs related to your participation in the organization's compliance program
The organization is a separate Data Controller (or Covered Entity) with respect to information it accesses, and its use of your information is governed by its own privacy practices.
We share information with vetted third-party service providers that perform functions on our behalf, subject to written contracts that require them to protect Personal Information and use it only for our specified purposes. Categories include:
• Cloud hosting and infrastructure providers (selected for healthcare-grade compliance, with Business Associate Agreements where PHI is involved)
• Payment processors (compliant with applicable payment card industry standards)
• Email delivery and SMS providers
• Customer support and help-desk software
• Analytics providers (configured to limit collection of identifiable data)
• Identity verification and background check vendors
• Document storage and electronic signature providers
• Security and fraud prevention services
Where service providers process PHI, we execute Business Associate Agreements with them.
We may disclose information when we have a good-faith belief that disclosure is necessary to:
• Comply with a subpoena, court order, warrant, or other legal process
• Comply with applicable laws, regulations, or government requests
• Cooperate with law enforcement investigations
• Enforce our Terms of Service or investigate potential violations
• Detect, prevent, or address fraud, security, or technical issues
• Protect the rights, property, or personal safety of Upper East Care, our users, or the public
• Respond to a public health emergency or imminent threat to life
Where legally permitted, we will attempt to notify affected users of legal demands before disclosure.
If Upper East Care is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition to another provider, your Personal Information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify you (by email and/or prominent notice on the Service) of any change in ownership or use of your Personal Information, and any choices you may have.
We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you for research, benchmarking, industry reporting, marketing, or product development. Such information is not subject to this Privacy Policy.
We do not:
• Sell your Personal Information to data brokers or marketing companies
• Share your Personal Information with advertisers for cross-context behavioral advertising
• Use your PHI for marketing purposes without authorization
• Share your professional credentials with employers or recruiters without your explicit consent
• Disclose your health-related documentation except as you direct or as required by law
This section applies to PHI that we process as a Business Associate.
We use and disclose PHI only as permitted by the applicable Business Associate Agreement and HIPAA, which generally limits use and disclosure to:
• Performance of services for the Covered Entity
• Proper management and administration of our business
• Carrying out our legal responsibilities
• Data aggregation services for the Covered Entity (where authorized)
• Required disclosures by law
We use and disclose only the minimum necessary PHI to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).
We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect the confidentiality, integrity, and availability of PHI. These include access controls, authentication, audit controls, transmission security, and encryption, as well as workforce training, sanction policies, and incident response procedures consistent with 45 C.F.R. Part 164, Subpart C. Specific implementation details are documented in our internal HIPAA Security policies, available to Covered Entities and authorized auditors under appropriate confidentiality terms.
In the event of a Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402), we will:
• Notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery (or such shorter period as required by the BAA)
• Provide all information required for the Covered Entity to fulfill its breach notification obligations
• Cooperate with the Covered Entity's investigation and response
Patients seeking to exercise HIPAA rights (access, amendment, accounting of disclosures, restriction requests, confidential communications) should contact the relevant Covered Entity. We will support the Covered Entity in fulfilling these requests as required by the BAA.
We do not engage subcontractors that create, receive, maintain, or transmit PHI without written agreements containing the same restrictions and conditions that apply to us under HIPAA and the BAA.
We are committed to protecting your information through a comprehensive information security program designed to safeguard the confidentiality, integrity, and availability of Personal Information and PHI. Our program includes administrative, technical, and physical safeguards aligned with industry-recognized frameworks for healthcare information security (such as the HIPAA Security Rule, HITRUST, NIST, and ISO 27001), and is regularly reviewed and updated.
Our safeguards include:
• Access controls — Information is accessible only to authorized personnel and systems with a documented business need, on a least-privilege basis.
• Authentication — Strong authentication is required for access to systems containing Personal Information, including multi-factor authentication for sensitive and administrative access.
• Encryption — Personal Information is encrypted both in transit and at rest using current, industry-accepted cryptographic standards.
• Network and systems protection — We employ layered network defenses, continuous monitoring, intrusion detection, and threat response capabilities.
• Workforce security — Our personnel undergo background checks, sign confidentiality agreements, and complete privacy and security training, with access promptly revoked upon role change or termination.
• Vendor management — Third-party service providers are evaluated for security and privacy practices, contractually bound to protect information, and audited where appropriate. Vendors with access to PHI sign Business Associate Agreements.
• Incident response — We maintain documented incident response, business continuity, and disaster recovery procedures, and regularly test these capabilities.
• Auditing and assessment — We conduct regular risk assessments, vulnerability assessments, and independent third-party audits.
• Physical security — Facilities used to host or process Personal Information are protected by industry-standard physical security controls.
For security reasons, we do not publicly disclose specific technical details about our infrastructure, vendors, configurations, or controls. Customers and partners with a legitimate need (such as procurement teams, hospital information security offices, and Covered Entities entering into BAAs) may request additional information under non-disclosure, including completed security questionnaires, third-party audit reports (such as SOC 2 reports), and HIPAA Security Rule documentation, by contacting security@recertme.com.
No System Is Perfectly Secure. Despite our safeguards, no method of transmission over the Internet or electronic storage is completely secure. While we work continuously to protect your information, we cannot guarantee absolute security. You play an essential role in protecting your account by:
• Choosing a strong, unique password and never sharing it
• Enabling multi-factor authentication
• Logging out of shared devices
• Promptly notifying us of any suspected unauthorized access by contacting security@recertme.com
In the event of a security incident affecting your Personal Information, we will notify you and applicable regulatory authorities as required by federal and state breach notification laws (including, where applicable, HIPAA, the GDPR, the CCPA/CPRA, the New York SHIELD Act, and other state laws). Notification will be provided without unreasonable delay and consistent with the requirements of applicable law. We will not, however, publicly disclose details that could facilitate further attacks or compromise ongoing investigations.
If you are a security researcher and believe you have identified a potential vulnerability in the Service, we appreciate your help in keeping our platform safe. Please report it confidentially to security@recertme.com rather than disclosing it publicly. We commit to acknowledging legitimate reports promptly and working with you in good faith to address verified issues. We do not pursue legal action against researchers who report vulnerabilities responsibly and in accordance with our disclosure guidelines.
We retain your information for as long as necessary to provide the Service, fulfill the purposes described in this Privacy Policy, and comply with our legal, regulatory, accounting, audit, and contractual obligations.
Information Category | Retention Period |
Active account information | For the life of your account, plus the period below after closure |
Professional credentialing records | 7 years after account closure (industry standard for credentialing audits) |
Continuing education records | 7 years after account closure |
PHI received as Business Associate | Per the applicable BAA (typically returned or destroyed at termination) |
Financial and tax records | 7 years (or as required by law) |
Marketing preferences | Until you opt out, plus 1 year |
Security and audit logs | 6 years (HIPAA) or as required by applicable law |
Backups | A limited, defined period after deletion from production systems, in accordance with our internal data lifecycle policies |
When information is no longer needed, we securely delete or de-identify it. Where deletion is not technically feasible (e.g., information stored in encrypted backups), we will isolate the information and delete it once the backup cycle expires.
Subject to applicable law and identity verification, you may:
• Access the Personal Information we hold about you
• Correct inaccurate or incomplete information
• Delete your account and associated information (subject to legal retention requirements)
• Export your information in a portable format (data portability)
• Object to certain uses of your information
• Restrict processing in certain circumstances
• Withdraw consent where processing is based on consent
• Opt out of marketing communications at any time
• Lodge a complaint with a supervisory authority
To exercise these rights, submit a request through your account settings or contact us at privacy@recertme.com. We will respond within the timeframes required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling your request.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
• Right to Know: Categories and specific pieces of Personal Information we have collected, sources, business or commercial purposes, and categories of recipients.
• Right to Delete Personal Information, subject to enumerated exceptions.
• Right to Correct inaccurate Personal Information.
• Right to Opt Out of Sale or Sharing. We do not sell or share Personal Information for cross-context behavioral advertising as those terms are defined under the CPRA.
• Right to Limit Use of Sensitive Personal Information. You may request that we limit our use of Sensitive Personal Information to purposes specified in Cal. Civ. Code § 1798.121.
• Right to Non-Discrimination for exercising your rights.
• Right to Designate an Authorized Agent to make requests on your behalf.
To exercise these rights, contact us at privacy@recertme.com or call [Insert toll-free number]. You may also submit a request through www.recertme.com/privacy-request.
Categories of Personal Information Collected (CCPA/CPRA Disclosure):
Category (Cal. Civ. Code § 1798.140) | Collected? | Sources | Disclosed To |
Identifiers (name, email, IP, SSN) | Yes | You; employer | Service providers; employers (with consent) |
Cal. Civ. Code § 1798.80(e) categories | Yes | You | Service providers |
Protected classifications | Yes (limited) | You | Employer (with consent) |
Commercial information | Yes | You | Payment processors |
Internet/network activity | Yes | Automatic | Analytics providers |
Geolocation (precise) | Yes (with consent) | You | None |
Sensory data | Limited | You | None |
Professional/employment information | Yes | You; employer | Employers (with consent) |
Education information | Yes | You | Employers (with consent) |
Inferences | Limited | Service usage | None |
Sensitive Personal Information | Yes | You | Service providers under BAAs |
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHDPA), Minnesota, Maryland, Rhode Island, Kentucky, and other states with comprehensive privacy laws have rights similar to those described in Section 10.1, including rights to access, correct, delete, port, opt out of targeted advertising, opt out of profiling, and limit processing of sensitive data. We do not engage in targeted advertising or profiling that produces legal or similarly significant effects.
To exercise these rights or appeal a denied request, contact privacy@recertme.com.
If you are located in the EEA, UK, or Switzerland, you have rights under the GDPR and UK GDPR including:
• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / "right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Rights related to automated decision-making (Art. 22)
• Right to withdraw consent (Art. 7(3))
• Right to lodge a complaint with your supervisory authority
You may contact your local supervisory authority. A list is available at edpb.europa.eu/about-edpb/board/members_en. UK residents may contact the Information Commissioner's Office at ico.org.uk.
We are headquartered in the United States, and information we collect is processed in the United States and other countries where our service providers operate. When we transfer Personal Information from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission or UK Government, we rely on:
• Standard Contractual Clauses approved by the European Commission (EU SCCs) and the UK International Data Transfer Addendum
• Supplementary measures including encryption and access controls
• Your explicit consent, where appropriate
• Other lawful transfer mechanisms as they become available
You may request a copy of the relevant transfer mechanism by contacting our Data Protection Officer (Section 18).
• Canada (PIPEDA): Canadian residents have rights of access and correction. Contact privacy@recertme.com.
• Brazil (LGPD): Brazilian residents have rights similar to those under the GDPR.
• Australia: We comply with the Australian Privacy Principles where applicable.
This section consolidates the consents we ask of you, how each consent is obtained, what happens if you decline, and how you can withdraw consent at any time. You may exercise any opt-out right described below without penalty or reduction in service quality, except where the consent is necessary to provide a specific feature.
What You Consent To | How You Opt In | How to Opt Out / Withdraw | Effect of Opting Out |
Creating an account & using the Service | At registration (acceptance of Terms and this Policy) | Settings → Account → Delete Account, or email privacy@recertme.com | Account deactivated; data retained per Section 9 |
Processing of health-related data (immunizations, TB tests) | Explicit checkbox at upload, or at account creation for EEA/UK/Swiss users | Settings → Privacy → Health Data, or email privacy@recertme.com | Unverified health records deleted; verified records may be retained |
Sharing credentials with a specific employer | Explicit grant per recipient, per document, per purpose | Settings → Sharing → Active Permissions → Revoke | Future visibility ends immediately; recipient may have already retained copies |
Background check authorization | FCRA-compliant separate written authorization | Withdraw before report is run by emailing privacy@recertme.com | Background check is not initiated; pending checks may complete |
HIPAA authorization for PHI uses beyond TPO | Separate written HIPAA authorization form | Revoke in writing to privacy-officer@recertme.com | Authorized use stops prospectively; prior uses remain lawful |
Precise location (GPS) | OS-level permission prompt on first use | Device Settings → Apps → RecertMe → Location | Location-based features stop working |
Camera and photo library | OS-level permission prompt on first upload | Device Settings → Apps → RecertMe → Camera/Photos | Camera upload disabled; file upload still works |
Push notifications | OS-level permission prompt | Device Settings → Apps → RecertMe → Notifications | Reminders and alerts only sent via email |
Microphone / voice notes | OS-level permission prompt on first use | Device Settings → Apps → RecertMe → Microphone | Voice-note feature disabled |
Marketing emails | Opt-in checkbox at registration | Click "Unsubscribe" in any marketing email, or Settings → Communications | No marketing emails; transactional emails continue |
SMS / text messages | Express written consent (TCPA-compliant) | Reply STOP to any RecertMe SMS, or Settings → Communications → SMS | No SMS messages of any kind |
Phone marketing calls | Express written consent (TCPA-compliant) | Tell the caller to remove you, or email privacy@recertme.com | No marketing calls |
Non-essential cookies and analytics | Cookie banner on first visit (where required) | "Cookie Preferences" panel, browser settings, or Global Privacy Control signal | Analytics and functional cookies disabled |
International data transfers (EEA/UK/Swiss) | Implicit acceptance through use, or explicit consent where required | Email dpo@recertme.com | Some features may be unavailable |
Use of de-identified data for AI/ML training | Notice in this Policy; opt-out available | Settings → Privacy → AI Training, or email privacy@recertme.com | Your data excluded from future training datasets |
Affirmative, informed action. We obtain consent through clear, unambiguous opt-in mechanisms — not pre-checked boxes, not bundled blanket consents, and not dark patterns. For sensitive categories (health data, biometrics, precise location, financial information), we use layered notices that explain what you are consenting to, why, and what happens if you decline.
Granular consent. We separate consents by purpose. Agreeing to receive renewal reminders does not opt you into marketing communications. Agreeing to share credentials with Hospital A does not authorize sharing with Hospital B.
Verifiable consent for HIPAA authorizations. Where HIPAA requires written authorization, we use a separate, signed authorization form that meets the requirements of 45 C.F.R. § 164.508, including a statement of your right to revoke, the inability to condition treatment or payment on signing (where applicable), and an expiration date or event.
Parental consent for users under 18. The Service is restricted to adults, but if we ever knowingly collect information from a person aged 13–17 (e.g., a student in a healthcare training program), we will obtain verifiable parental consent as required by COPPA (for under-13) and analogous state laws.
You can withdraw any consent at any time through one or more of these methods:
• In-app: Settings → Privacy & Permissions → [specific permission]
• Email: privacy@recertme.com (general), privacy-officer@recertme.com (HIPAA), dpo@recertme.com (EEA/UK)
• Mail: Upper East Care LLC, [Insert Address], Attn: Privacy Officer
• Phone: [Insert toll-free number]
• Authorized agent: You may designate an agent in writing to act on your behalf
• Privacy request portal: www.recertme.com/privacy-request
Withdrawal is prospective only. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and does not require us to delete information we are required to retain by law (see Section 9).
Confirmation. We will confirm receipt of your withdrawal request within 10 business days and complete processing within the timeframes required by applicable law (typically 30–45 days, extendable by 45 additional days for complex requests).
California residents have the following dedicated opt-out rights:
• Do Not Sell or Share My Personal Information. We do not sell or share Personal Information for cross-context behavioral advertising as those terms are defined under the CPRA. Nonetheless, you may submit a "Do Not Sell or Share" request at www.recertme.com/do-not-sell, and we will treat it as confirmation of our existing practice.
• Limit the Use of My Sensitive Personal Information. You may direct us to use your Sensitive Personal Information only for purposes specified in Cal. Civ. Code § 1798.121(a). Submit a request at www.recertme.com/limit-spi or email privacy@recertme.com.
• Global Privacy Control (GPC). We honor GPC signals as a valid opt-out request from California residents (and from residents of other states whose laws require GPC honoring).
Residents of states with comprehensive privacy laws (see Section 10.3) may opt out of:
• Targeted advertising — Not applicable; we do not engage in targeted advertising.
• Sale of Personal Information — Not applicable; we do not sell Personal Information.
• Profiling that produces legal or similarly significant effects — Not applicable; we do not engage in such profiling.
Even though these activities do not currently apply to us, you may still submit an opt-out request, which we will honor and document.
You have the absolute right to withdraw any consent given under GDPR Articles 6(1)(a) or 9(2)(a). To exercise this right:
• Contact our Data Protection Officer at dpo@recertme.com
• Use the in-app withdrawal mechanism for the relevant permission
• Lodge a complaint with your supervisory authority if you believe we have not honored your withdrawal
Withdrawal will not retroactively render unlawful any processing carried out on the basis of valid consent before the withdrawal.
We will not retaliate against you for exercising any privacy right. However, certain features of the Service inherently require certain processing. If you opt out of:
• Account creation: You cannot use the Service.
• Storage of credentials: We cannot manage credentials on your behalf.
• Sharing with your employer: You may not satisfy your employer's compliance program through RecertMe.
• Renewal notifications: You will need to track expiration dates yourself.
We will explain any feature impact at the time you exercise the opt-out so you can make an informed decision.
If you change your mind, you may reinstate any previously withdrawn consent at any time through the same channels listed in Section 11.3.
We and our service providers use cookies, web beacons, pixels, SDKs, and similar tracking technologies for purposes including authentication, security, preferences, analytics, and (where applicable) marketing.
Type | Purpose | Examples |
Strictly Necessary | Authentication, security, load balancing | Session cookies, CSRF tokens |
Functional | Remember preferences and settings | Language, dashboard layout |
Analytics | Understand usage and improve the Service | Privacy-respecting analytics tools, configured to limit identifiability |
Performance | Monitor uptime, errors, and performance | Error reporting, real user monitoring |
We do not use third-party advertising cookies or cross-site tracking pixels for advertising purposes.
You may:
• Adjust your browser settings to refuse or delete cookies (note that some Service features may not function properly)
• Use the "Cookie Preferences" panel available on our website
• Enable Global Privacy Control (GPC) signals, which we honor as opt-out requests where required by law
• Opt out of analytics tracking through your browser settings or our cookie preferences panel
Because there is no industry consensus on how to interpret "Do Not Track" browser signals, we do not currently respond to them. However, we honor Global Privacy Control (GPC) signals as required by California and other state laws.
We send marketing emails only where permitted by law. You can opt out at any time by:
• Clicking "Unsubscribe" in any marketing email
• Adjusting your communication preferences in your account settings
• Contacting privacy@recertme.com
Even after opting out of marketing emails, we may continue to send transactional or service-related communications (e.g., billing receipts, security alerts, license expiration warnings) that are necessary to your use of the Service.
For SMS communications, message and data rates may apply. Reply STOP to unsubscribe or HELP for help. Your consent to receive SMS is not a condition of any purchase.
The Service may contain links to third-party websites, services, plug-ins, or applications, or allow you to authenticate using third-party identity providers. Clicking those links or interacting with those services may allow third parties to collect information about you. We do not control these third parties and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service you visit or use.
The Service is intended for use by healthcare professionals and authorized organizational users, all of whom must be at least 18 years old. We do not knowingly collect Personal Information from children under 16, and the Service is not directed to children. If we learn that we have collected information from a child under 16 without verifiable parental consent, we will delete it as required by the Children's Online Privacy Protection Act (COPPA) and analogous laws.
If you believe we have inadvertently collected information from a child, contact privacy@recertme.com.
We are committed to making this Privacy Policy and the Service accessible to individuals with disabilities. If you require this Privacy Policy in an alternative format, contact accessibility@recertme.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
• Update the "Effective Date" and "Last Updated" date at the top
• Provide notice through the Service, by email, or by other reasonable means
• For material changes affecting your rights, obtain your consent where required by law
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acknowledgment of the revised Privacy Policy, except where additional consent is required.
A history of prior versions is available at www.recertme.com/privacy/archive.
For questions, concerns, or to exercise your privacy rights, contact us:
Upper East Care LLC
[Insert Mailing Address]
[Insert City, State ZIP]
United States
General Privacy Inquiries: privacy@recertme.com
HIPAA Privacy Officer: privacy-officer@recertme.com
HIPAA Security Officer: security-officer@recertme.com
Security / Vulnerability Reports: security@recertme.com
Data Protection Officer (EU/UK): dpo@recertme.com
Customer Support: support@recertme.com
Telephone: [Insert toll-free number]
Website: www.recertme.com
EU Representative (Art. 27 GDPR): [To be designated]
UK Representative: [To be designated]
This Privacy Policy is provided in English. Translations may be available; in the event of any conflict between the English version and a translation, the English version controls.
© [Year] Upper East Care LLC. All rights reserved.
being sent to your device. If you choose to refuse our cookies, you may not be able to use some portions of this service.
We may employ third-party companies and individuals due to the following reasons:
We value your trust in providing us with your personal information, so we are striving to use commercially acceptable means of protecting it. But remember that no method of transmission over the internet or method of electronic storage is 100% secure and reliable, and we cannot guarantee its absolute security.
This service may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the privacy policies of these websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
These services do not address anyone under the age of 13. We do not knowingly collect personally identifiable information from children under 13 years of age. In the event that we discover that a child under 13 has provided us with personal information, we immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we will be able to take the necessary actions.
We may update our privacy policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new privacy policy on this page. This policy is effective as of 2024-03-15.
If you have any questions or suggestions about our privacy policy, do not hesitate to contact us at support@recertme.com.