
Privacy Policy

How we collect, use, and protect your information.

We believe in transparency. Read how BlueHive handles your data responsibly and what rights you have over your personal information.

BlueHive Privacy Policy


BlueHive Health, LLC ("BlueHive," "we," "us," or "our") respects your privacy and is committed to protecting it. This Privacy Policy describes the information we collect from and about you when you visit www.bluehive.com, use the BlueHive web, mobile, or desktop applications, or interact with our APIs, email, text, and other electronic communications (collectively, the "Platform"), and how we use, share, retain, and protect that information.

This Policy supplements our Terms of Use and any signed Order Form, Master Services Agreement, or Business Associate Agreement (BAA) between you, your employer, or your organization and BlueHive. If you do not agree with this Policy, please do not use the Platform. By accessing or using the Platform you acknowledge that you have read and understood this Policy.

Plain-English Summary

Here is the short version. The full policy below controls if there is any conflict.

  • We collect the information you, your employer, or your provider give us, plus standard technical information about how you use the Platform.
  • We use it to deliver, secure, and improve the Platform, to coordinate occupational health visits and results, and to comply with the law.
  • We share it with the parties you direct (your employer, the chosen provider/facility), with vetted vendors that help us run the Platform, and when the law requires.
  • We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
  • We do not train AI on Protected Health Information (PHI) or on identifiable customer data. We may use de-identified, aggregated data to improve the Platform.
  • You have rights to access, correct, delete, port, and limit how we use your information. We honor Global Privacy Control (GPC) signals.
  • Questions or requests? Use our contact form (subject: "Privacy Request") or call 260-969-4632.

Scope and Applicability

This Policy applies to information processed through the Platform, including the Website, mobile and desktop applications, APIs, and email/text communications between you and BlueHive. It does not apply to information collected offline, on third-party sites, or through any other application not operated by BlueHive.

The Platform is intended for users 18 years of age or older located in the United States and its territories. By using the Platform, you represent that you meet these eligibility requirements. If you are accessing the Platform on behalf of an employer or another individual, you represent that you are authorized to do so and to bind that party to this Policy.

HIPAA Status

BlueHive is generally not a Covered Entity under HIPAA. When BlueHive processes Protected Health Information (PHI) on behalf of a HIPAA-regulated customer (such as an employer-sponsored health plan, a provider, or a facility), BlueHive acts as a Business Associate. In those cases, a separate Business Associate Agreement (BAA) governs that PHI and controls over this Policy to the extent of any conflict. To request a BAA, use our contact form (subject: "BAA Request").

Information We Collect

Information You, Your Employer, or Your Provider Provide

  • Identifiers and contact information (name, postal address, email, telephone number, employee ID).
  • Employer and employment information (employer name, job role, location, work eligibility data).
  • Demographic information (date of birth, gender, ZIP code).
  • Occupational health information (questionnaire responses, medical-monitoring and surveillance results, fitness-for-duty determinations, drug and alcohol test results) — this may include Protected Health Information (PHI) and is generally governed by a BAA.
  • Account credentials (username, hashed password, multi-factor authentication settings).
  • Records and copies of correspondence, support tickets, and chat sessions.
  • Transaction records (appointments scheduled, services ordered, payment metadata — full payment card data is held by our PCI-compliant payment processor, not by BlueHive).
  • Content you submit to chat, AI assistants, intake forms, or document uploads.

Information We Collect Automatically

  • Device and connection information (IP address, operating system, browser type and version, device identifiers, screen resolution, language settings).
  • Usage information (pages and features accessed, referring/exit URLs, timestamps, session duration, error logs).
  • Approximate geolocation derived from IP address; precise geolocation only with your explicit permission (for example, to find nearby providers).
  • Authentication tokens and session cookies needed to keep you signed in and to protect your account.

Cookies and Similar Technologies

We use cookies and similar technologies only as strictly necessary to operate the Platform — specifically, authentication tokens, session-management cookies, CSRF and security-token cookies, and load-balancer affinity cookies. We do not use cookies for analytics, advertising, cross-site tracking, or marketing measurement, and we do not load third-party trackers, advertising pixels, or session-replay tools. Because we do not drop non-essential cookies, no cookie banner or preference-management UI is required.

  • Strictly necessary — the only category we use today (authentication, session management, CSRF protection, load balancing, basic security). These cannot be disabled while still using the Platform.

We honor Global Privacy Control (GPC) signals as a valid opt-out of "sale" or "sharing" under the California Consumer Privacy Act and analogous state laws.

How We Use Information

  • Deliver, operate, and maintain the Platform, including appointment scheduling, results delivery, and payment processing.
  • Authenticate users, secure the Platform, and prevent, detect, and respond to fraud or abuse.
  • Communicate with you about your account, transactions, support requests, and important Service notices.
  • Send marketing communications you have opted in to receive (you can opt out at any time).
  • Comply with our legal obligations, respond to lawful requests, and enforce our Terms of Use.
  • Analyze usage and improve the quality, performance, and accessibility of the Platform.
  • Develop and improve features using de-identified or aggregated data only.

WE DO NOT TRAIN ARTIFICIAL INTELLIGENCE OR MACHINE-LEARNING MODELS ON PROTECTED HEALTH INFORMATION (PHI) OR ON IDENTIFIABLE CUSTOMER DATA. WE DO NOT SELL PERSONAL INFORMATION OR SHARE IT FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.

HIPAA and Protected Health Information

When BlueHive receives, maintains, or transmits Protected Health Information (PHI) on behalf of a HIPAA-regulated customer, BlueHive acts as a Business Associate as defined under 45 C.F.R. § 160.103. A separate Business Associate Agreement (BAA) executed between BlueHive and the customer governs that PHI, including permitted uses and disclosures, safeguards, breach notification, and termination.

In the event of a conflict between this Privacy Policy and an executed BAA, the BAA controls with respect to PHI. To request BlueHive's standard BAA template, use our contact form (subject: "BAA Request").

Individuals who believe their PHI has been used or disclosed in violation of HIPAA may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/hipaa/filing-a-complaint.

How We Share Information

We share information only as described in this Policy, as authorized by you, or as required by law. Categories of recipients include:

  • Your employer and the occupational health providers and facilities you select, in order to coordinate the services you have requested.
  • Service providers and subprocessors that help us operate the Platform — specifically the vendors listed on our Subprocessors page, including cloud hosting and edge (Cloudflare, Google Cloud Platform), payment processing (Stripe), transactional messaging (Twilio), business productivity and email (Google Workspace), and AI inference for optional AI-assisted features (OpenAI, Anthropic). We do not use third-party analytics, advertising, or error-monitoring services.
  • HRIS and integration partners that you or your employer have authorized to exchange data with BlueHive.
  • Successors in interest in connection with a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy.
  • Government, regulatory, or law-enforcement authorities when required by valid legal process or when we believe disclosure is necessary to protect rights, property, or safety.
  • Aggregated or de-identified information that does not reasonably identify any individual — without restriction.

A current list of BlueHive's subprocessors is available at /legal/subprocessors. Customers can subscribe to receive notice of changes.

International Data Transfers

The Platform is designed for and offered to users in the United States. Our infrastructure and primary processing locations are in the United States. If you access the Platform from outside the United States, you acknowledge that your information will be transferred to, processed, and stored in the United States, where data-protection laws may differ from those of your jurisdiction.

Where required by EU, UK, or Swiss law, BlueHive relies on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. Customers requiring a Data Processing Addendum (DPA) with SCCs may request one through our contact form (subject: "DPA Request").

Data Retention

We retain personal information only as long as necessary to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements. Indicative retention periods:

  • Account data — life of the account, plus 1 year after closure unless a longer period is required by HIPAA, by an executed BAA, or by applicable state law.
  • Transactional and billing records — 7 years from the date of the transaction (consistent with IRS recordkeeping guidance for business records).
  • Occupational health records and PHI — as required by the applicable BAA and by federal and state law (for example, 5 years for DOT examination records under 49 CFR § 391.43; 30 years for certain OSHA exposure records under 29 CFR § 1910.1020; longer where state law requires).
  • Marketing leads and prospect data — 24 months from the last engagement, then deleted or de-identified.
  • Support communications — 3 years from the date of the last interaction.
  • Server, security, and audit logs — up to 18 months.
  • De-identified or aggregated data — indefinitely.

Specific retention may be longer where required by law, by an executed BAA, or by a customer Order Form, or where information is the subject of a litigation hold.

Data Security

BlueHive maintains administrative, physical, and technical safeguards designed to protect personal information and PHI consistent with the HIPAA Security Rule and industry standards. Our security program includes:

  • Encryption of data at rest using AES-256 and in transit using TLS 1.2 or higher.
  • Multi-factor authentication for administrative access and least-privilege access controls.
  • A SOC 2 Type II program with regular independent audits.
  • Continuous monitoring, vulnerability management, and security event logging.
  • Mandatory security and HIPAA training for all employees and contractors with access to personal information.
  • A documented incident response and breach notification program.

No system is perfectly secure. You are responsible for keeping your account credentials confidential, enabling multi-factor authentication when offered, and notifying us promptly through our contact form (subject: "Security") if you suspect unauthorized access. In the event of a breach affecting your information, we will notify you and the relevant authorities as required by HIPAA, state breach-notification laws, and any applicable BAA.

Your Privacy Rights — Universal

Subject to verification and applicable law, every BlueHive user may request to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete information we hold (subject to legal retention obligations).
  • Receive a portable copy of information you provided to us.
  • Restrict or object to certain uses.
  • Withdraw consent where processing is based on consent.
  • Opt out of marketing communications at any time.

To exercise any of these rights, sign in to your account and visit your profile settings or use our contact form (subject: "Privacy Request"). We respond within the timeframes required by applicable law (generally 30–45 days). Note that information entered by your employer or your occupational health provider must generally be corrected through them; BlueHive does not control the accuracy of that source data.

Your Privacy Rights — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the rights described below. Information that is governed by HIPAA or the California Confidentiality of Medical Information Act is exempt from these rights to the extent provided by law.

Categories of Personal Information We Process

  • Identifiers (name, contact info, IP address, account identifiers).
  • Customer records (employer, billing details).
  • Protected classification characteristics (age, gender — where collected for occupational health purposes).
  • Commercial information (transactions, services ordered).
  • Internet or network activity (browsing within the Platform).
  • Geolocation (approximate from IP; precise only with consent).
  • Professional or employment information.
  • Inferences drawn from the above to support the Platform.
  • Sensitive personal information: account log-in credentials, precise geolocation (when granted), and health information processed for occupational health purposes.

We collect these categories from the sources and use them for the purposes described in Sections 3 and 4. We retain them as described in Section 8.

Sale and Sharing

We do not "sell" personal information and do not "share" it for cross-context behavioral advertising as those terms are defined under CCPA. We have not done so in the preceding 12 months.

Your CCPA Rights

  • Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
  • Right to access a copy of your personal information.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing (we do not engage in either).
  • Right to limit the use and disclosure of sensitive personal information to what is necessary to provide the Platform.
  • Right to non-discrimination for exercising your CCPA rights.
  • Right to designate an authorized agent to make a request on your behalf.

Submit a request through our contact form (subject: "CCPA Request") or by calling 260-969-4632. We will verify your identity before responding and will respond within 45 days (extendable by another 45 days where reasonably necessary). We honor Global Privacy Control (GPC) signals as a valid opt-out request.

Your Privacy Rights — Other U.S. States

Residents of states with comprehensive consumer-privacy laws — including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Minnesota (MCDPA), Tennessee (TIPA), Maryland (MODPA), and Indiana (ICDPA) — have rights similar to those described in Section 11, including the right to access, correct, delete, port, and opt out of targeted advertising, sale, and certain profiling.

To exercise your rights, use the same channels described in Section 11. If we deny your request, you may appeal by replying to our response email; we will respond to appeals within the timeframe required by your state's law. If your state offers an additional complaint right, you may also contact your state Attorney General.

Consumer Health Data Acts (Washington, Nevada, Connecticut)

Several U.S. states have enacted laws that apply specifically to consumer health data — broadly defined as personal information that identifies a consumer's past, present, or future physical or mental health status. These laws apply to information we collect outside the HIPAA-covered context (for example, information from website visitors, marketing form fills, or wellness inquiries that BlueHive does not receive in its role as a HIPAA Business Associate).

Washington — My Health My Data Act (MHMDA)

If you are a Washington consumer or your consumer health data is collected from Washington, the Washington My Health My Data Act ("MHMDA") applies. We will: (a) obtain your affirmative, opt-in consent before collecting consumer health data for purposes outside of providing the services you have requested; (b) not sell consumer health data, and — if our practices ever change — obtain a separate, valid authorization before any such sale; (c) honor your requests to access, delete, and withdraw consent for consumer health data; and (d) not use a geofence around any in-person healthcare facility to identify, track, collect data from, or send notifications to consumers regarding their consumer health data.

To exercise MHMDA rights, use our contact form with the subject line "MHMDA Request." We will respond within 45 days. You may also contact the Washington Attorney General at atg.wa.gov.

Nevada — SB 370 Consumer Health Data Privacy

If you are a Nevada consumer, Nevada SB 370 provides analogous protections for consumer health data, including affirmative consent for collection beyond providing requested products or services, restrictions on selling consumer health data without separate authorization, and a prohibition on geofencing around healthcare facilities. Submit Nevada requests through our contact form with the subject line "Nevada Health Data Request."

Connecticut — CTDPA Consumer Health Data Amendment

Connecticut's 2023 amendments to the Connecticut Data Privacy Act ("CTDPA") add specific protections for consumer health data, including reproductive and sexual health data. We treat such data as sensitive personal information requiring opt-in consent, and we apply the same prohibition on geofencing healthcare facilities described above. CTDPA rights may also be exercised under the channels described in Section 12.

Automated Decision-Making and Artificial Intelligence

BlueHive does not make solely-automated decisions that produce legal or similarly significant effects on individuals. Certain features of the Platform use artificial intelligence and machine learning to assist (not replace) human judgment — for example, suggesting nearby providers, summarizing intake responses, and routing support requests. A qualified human reviews any output that materially affects a user's access to services or employment.

You may opt out of optional AI-assisted features through your account settings or through our contact form (subject: "AI Opt-Out"). As stated in Section 4, BlueHive does not train AI or machine-learning models on PHI or on identifiable customer data.

Children's Privacy

The Platform is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to BlueHive, please contact us through our contact form and we will delete it promptly. The Platform is not intended for users under 18 (see Section 2).

Do Not Track and Global Privacy Control

There is no industry-standard interpretation of "Do Not Track" browser signals, and we do not separately respond to them. We do honor Global Privacy Control (GPC) signals as a valid opt-out of sale or sharing under CCPA and analogous state laws. The GPC signal applies to the browser or device on which it is enabled.

Changes to This Policy

We will post any changes to this Policy on this page and update the "Last modified" date above. If we make a material change — for example, to the categories of information we collect, the purposes of processing, or your rights — we will display a brief summary of the change at the top of this page for at least 30 days. Because we do not currently maintain a privacy-update mailing list, you are responsible for periodically reviewing this Policy. Your continued use of the Platform after the effective date of a change constitutes acceptance of the updated Policy.

Contact and Complaints

For questions, requests, or complaints regarding this Policy or our privacy practices, contact our Privacy Officer:

You may also file a complaint with your state Attorney General, with the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA matters (https://www.hhs.gov/hipaa/filing-a-complaint), or with another regulator with jurisdiction. We ask that you contact us first so we can try to resolve your concern directly.
