Last Updated: July 19, 2024
The purpose of this California HR Privacy Notice is to provide you with information on the categories of personal information that are collected by Curology, Inc., David Lortscher, MD, P.C., David Lortscher, MD, P.A., Lortscher Health of Hawaii, Professional Corporation, David Lortscher, MD, S.C., Lortscher Health of New Jersey, P.C., David Lortscher, MD, Professional Association, and our fully owned and operated brands, including Agency (collectively, “Curology,” “we,” “us,” or “our”) regarding the employment-related Personal Information that we collect and use from current and past employees, owners, directors, officers, and medical staff employees (“Employees”), independent contractors (“Contractors”) and job applicants (“Applicants”) and comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”) and related laws and regulations (“California Privacy Laws”). This California HR Privacy Notice applies to California Employees, Contractors, and Applicants (“Personnel,” “you” or “your”).
This California HR Privacy Notice does not apply to certain Personal Information that is excluded from the scope of the CPRA, like: (a) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and (b) Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. It also does not apply if you are a service provider or have a business-to-business relationship with us. Some of these exclusions may be applicable to the Personal Information we collect about you as part of background checks. If you have any questions on whether one of these exceptions apply to your Personal Information, please contact the People & Culture Team.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. However, publicly available information that we collect from government records and deidentified or aggregated information (when deidentified or aggregated as described in the CPRA) are not considered Personal Information and this California HR Privacy Notice does not apply to such information. We will not collect additional categories of Personal Information without providing you notice.
We do not “sell” any categories of Personal Information (including Personal Information about children under 16) for monetary or other valuable consideration and we do not “share” any categories of Personal Information (including Personal Information about children under 16) for cross-context behavioral advertising.
Curology collects, and over the prior twelve (12) months has collected, the following categories of Personal Information about Personnel:
Personal Information Category | Applicable Pieces of Personal Information Collected |
A. Identifiers. | A real name, alias, postal address, unique personal identifier; online identifier; Internet Protocol (IP) address, email address, driver’s license number, and other similar identifiers. |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, social security number; physical characteristics or description; address; telephone number; passport number; driver’s license or state identification card number; insurance policy number, education, employment, employment history, bank account number or any other financial information, health insurance information, and medical information. Some Personal Information included in this category may overlap with other categories. |
C. Protected classification characteristics under California or federal law. | Age (40 years or older); race; color; ancestry; medical condition; physical or mental disability; sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions). |
F. Internet or other similar network activity. | Browsing history; search history file access history; information on your interaction that occurs on our networks with a website or application. |
G. Geolocation data | Non-precise geolocation data. |
I. Professional or employment-related information. | Current or past job history or performance evaluations. |
K. Inferences drawn from other Personal Information. | Profile reflecting a person’s preferences; characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
L. Sensitive Personal Information (“Sensitive Personal Information”) | Government identifiers (driver’s license; state identification card; passport number, social security number or other taxpayer/government identification number) Usernames or account numbers combined with any required access code, security code, or password. Contents of mail and email Religious or philosophical beliefs Racial or ethnic origin Health; sex life; or sexual orientation information |
We collect your Personal Information:
Directly from our Employees, Contractors, and Applicants;
During the course of your relationship with us as an Employee, Contractor, or Applicant, including Personal Information automatically created when you use our technology systems;
From third-parties, such as former employers, background check companies, drug testing facilities (if you are required to submit to a drug test as a condition of your employment or continued employment), government entities, references supplied by former employers, or other recommendation lists.
Providing information about your racial or ethnic origin, religious or philosophical beliefs, and health, sex life, or sexual orientation is completely optional at your discretion, and we will collect this information only to the extent you choose to provide it in your resumé, as part of the equal opportunity forms you fill out when you are hired, as part of your voluntary disclosure, or as may be provided by a reference or other third party during reference and background checks.
We only use your Personal Information for the purposes described in this California HR Privacy Notice.
Depending on your role or relationship with Curology, we may use the Personal Information we collect for one or more of the following purposes:
Recruiting, including identifying and evaluating job applicants, including assessing skills, qualifications, and interests for the purposes of determining suitability for the position for which you have applied.
Publishing Employees’ work contact information in an intra-company directory for other Employees to view.
Creating profiles of contractors’ performance based on work product.
Managing all aspects of an employee’s employment relationship, including, but not limited to: determining eligibility for initial employment, including the verification of references and qualifications; pay and benefit administration; the issuance and management of stock options and phantom equity units; corporate travel and other reimbursable expenses; development and training; absence monitoring; project management; auditing, compliance, and risk management activities; conflict of interest reporting; employee communications; performance evaluation; disciplinary actions; internal investigation activities; career management, including the assessment of qualifications for a particular job or task; processing employee work-related claims (e.g., worker compensation, insurance claims); succession planning; relocation assistance; obtaining and maintaining insurance; the provision of employee related services; and other general operations, administrative, financial, and human resources related purposes.
Communicating with you and for you to communicate with other Curology Personnel and other third parties.
Assisting you with obtaining an immigration visa or work permit where required
Processing IT infrastructure, including email, internet, social media systems, and file shares.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations;
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Curology’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Curology about Curology’s Employees, Contractors, and Applicants is among the assets transferred;
Maintaining directories of employees
Employee engagement programs, including surveys
Administering any occupational safety and health programs
Protecting the safety and security of our workforce, guests, property, and assets (including controlling and facilitating access to and monitoring activity on and in our premises and activity using our computers, devices, networks, communications and other assets and resources) and prosecuting those that threaten the foregoing
Investigating and responding to claims against Curology
Maintaining emergency contact and beneficiary details
Complying with applicable laws (e.g. health and safety, employment laws, office of foreign asset controls regulations, tax laws), including judicial or administrative orders regarding individual employees (e.g., garnishments, child support payments)
Carrying out any additional purposes that we advise you of (if applicable law requires your express consent for such additional use or disclosure we will obtain it from you)
Carrying out other purposes as part of our business activities when reasonably required by us
Personal Information may also be used or disclosed as otherwise permitted or required by applicable law.
Curology will not use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Curology may disclose your Personal Information to third parties for one or more business purposes. When we disclose Personal Information to non-affiliated third-parties for a business purpose, we enter a contract that describes the purpose, requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for the specific business purposes for which the Personal Information was disclosed, and requires the recipient to otherwise comply with the requirements of the CPRA.
In the preceding twelve (12) months, Curology has disclosed the following categories of Personal Information for one or more of the business purposes described below to the following categories of third parties:
Personal Information Category | Categories of Third-Party Recipients |
A. Identifiers. | Service providers; benefits providers; building or property management and security personnel; affiliates of Curology; government entities (for taxes and other similar purposes that require us to provide Personal Information to government entities; business partners; credit reporting agencies (for background checks). |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Service providers; benefits providers; building or property management and security personnel; affiliates of Curology; government entities; business partners; credit reporting agencies (for background checks). |
C. Protected classification characteristics under California or federal law. | Service providers, benefits providers, and government entities. |
F. Internet or other similar network activity. | Service providers. |
G. Geolocation data | Service providers. |
I. Professional or employment-related information. | Service providers. |
K. Inferences drawn from other Personal Information. | Service providers. |
Sensitive Personal Information Category | Categories of Third-Party Recipients |
Government identifiers (social security, driver’s license, state identification card, or passport number) | Service providers (who manage our employee data, such as our enterprise resource planning systems and other systems that we use to manage our workforce); benefits providers; affiliates of Curology; government entities (for taxes and other similar purposes that require us to provide Personal Information to government entities; credit reporting agencies (for background checks). |
User names, account numbers, or card numbers combined with required access/security code or password | Service providers (who manage our employee data, such as our enterprise resource planning systems and other systems that we use to manage our workforce, including IT and other similar providers); and affiliates of Curology. |
Mail, email, or text messages contents not directed to us | We generally do not know of the existence of any such mail, email, or text messages. However, there should be no expectation of privacy in any such messages received or transmitted using Curology IT systems. Such messages may be disclosed to service providers; affiliates of Curology; and law enforcement personnel as appropriate. |
Religious or philosophical beliefs | Service providers (who manage our employee data, such as our enterprise resource management system that we use to manage our workforce) (if you choose to provide it to us). |
Racial or ethnic origin | Service providers (who manage our employee data, such as our enterprise resource management system that we use to manage our workforce) (if you choose to provide it to us). |
Health, sex life, or sexual orientation information | We do not disclose this type of Personal Information. |
We disclose your Personal Information to the categories of third parties listed above for the following business purposes:
Helping to ensure security and integrity of our facilities and IT infrastructure to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes.
Performing services on behalf of us, including maintaining or servicing accounts; providing Human Resources services; processing or fulfilling payroll and other similar transactions; verifying Curology personnel Personal Information; providing analytic services; providing storage; or providing similar services on behalf of us.
Providing retirement, health, and other benefits, services, or products to which Personnel and their dependents or beneficiaries receive through Curology.
In addition to the above, we may disclose any or all categories of Personal Information to any third-party (including government entities and/or law enforcement entities) as necessary to:
comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information;
comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
cooperate with law enforcement agencies concerning conduct or activities that we (or one of our service providers’) believe may violate federal, state, or local law;
comply with certain government agency requests for emergency access to your Personal Information if you are at risk or danger of death or serious physical injury; or
exercise or defend legal claims.
Data Requests
California Employees, Contractors, and Applicants have the following rights under California privacy laws, each subject to certain exceptions:
The right to know the Personal Information we have collected about them, including the categories of sources from which we collected the Personal Information, the purpose(s) for collecting, selling, or sharing your Personal Information, and the categories of third parties to whom we have disclosed your Personal Information. We will provide you with the relevant information that we have collected or maintained about you over the past 12 months, unless an exception applies.
The right to correct Personal Information;
The right to delete Personal Information;
The right to limit the use of Sensitive Personal Information as further described below;
The right not to receive discriminatory treatment for exercising their privacy rights.
If you are a California Employee, Contractor, or Applicant, or an authorized agent of any of the foregoing you can submit a request to exercise your Personal Information rights under California privacy laws by sending an email to privacy@curology.com with the subject line "Employee/Contractor/Applicant Privacy Rights Request" or contact the People & Culture Team at people@curology.com with the same subject line.
All requests must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an Authorized Agent of such a person. This may include verifying one or more of the following:
Full first & last name
Date of birth
Address provided, if any
Phone number
Any other appropriate individualized data point
You must describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm which Personal Information relates to you or the individual for whom you are making the request as their Authorized Agent.
If you fail to make your request in accordance with the ways described above, we may either treat your request as if it had been submitted correctly, in accordance with the methods described above, or provide you with information on how to submit the request or remedy any deficiencies with your request.
We will respond to your rights request within 45 days, though in certain cases we may inform you that we will need up to another 45 days to act on your request. If we suspect fraudulent or malicious activity on or from your account, we will delay taking action on your request until we can appropriately verify your identity and the request as authentic. Also note that each of the rights are subject to certain exceptions.
We reserve the right to decline to process, or charge a reasonable fee for, requests from an Employee, Contractor, or Applicant that are manifestly unfounded, excessive, or repetitive. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Notice of Right to Limit the Use of Sensitive Personal Information
We use or disclose your Sensitive Personal Information only for the following purposes:
To provide the employment relationship as reasonably expected by an average individual who wishes to have a relationship with us as an Employee, Contractor, or Applicant;
To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that our use of your Personal Information is reasonably necessary and proportionate for such purposes;
To resist malicious, deceptive, fraudulent, or illegal actions directed at Curology and to prosecute those responsible for those actions, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;
To ensure the safety of natural persons, provided that our use of your Sensitive Personal Information is reasonably necessary and proportionate for this purpose;
For short-term, transient use;
To perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us; and
To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
Because we only use your Sensitive Personal Information for the above purposes (the "Permitted Purposes"), we do not, and are not required to, provide you with the ability to limit the use of your Sensitive Personal Information for these purposes.
Children’s Data
We do not knowingly collect or use the Personal Information of children under 16 as part of our HR information process. If you believe that we have collected the Personal Information of a child under 16 as part of our HR information process, please contact us at privacy@curology.com.
Authorized Agent Requests
You may authorize your agent to exercise your rights under the CPRA on your behalf by providing your agent (an “Authorized Agent”) with power of attorney to exercise your rights in accordance with applicable laws. We may request that your Authorized Agent submit proof of identity and that they have been authorized to exercise your rights on your behalf. We may deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights.
Contact Us
If you have any questions or concerns regarding this California HR Privacy Notice, contact us at privacy@curology.com or people@curology.com.