Privacy Policy

Scope

NOCD, Inc. (“NOCD”, “we”, “us”, or “our”) is committed to protecting the privacy of Personal Information (as defined below) and wants you to be familiar with how we collect, use and disclose Personal Information in accordance with the laws applicable to us. This Privacy Policy (“Policy”) is intended to describe our practices regarding information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual (collectively “Personal Information”), for what purposes Personal Information may be used, and with whom we may share Personal Information. This Policy applies to any Personal Information we collect or receive about you, from any source, including our websites, mobile applications, the tools and services we provide (collectively the “Services”) and platforms where the Policy is located (collectively the “Platform”).

Our Platform is available only to users who can form legally binding contracts under applicable law. By using the Platform, you represent and warrant that you are: (i) at least eighteen (18) years of age, (ii) otherwise recognized as being able to form legally binding contract under applicable law, or (iii) using the Platform under your parent or guardian’s supervision and with all appropriate consents. If you discover that information of anyone under eighteen (18) years of age was submitted to the Services without the necessary consent from a parent or guardian, please contact us using any methods in the “Contacting Us” section below and we will remove such information.

OVERVIEW OF HOW USERS INTERACT WITH OUR SITE

The information NOCD collects and how we use that information varies based on how you interact with NOCD’s platform – in other words, if you (i) are a visitor to our website (“Website Visitor”), (ii) register for a NOCD log-in (“NOCD App/Community Member”), or (iii) receive treatment from one of our therapists (“NOCD Therapy Member”).  

Within the “Types of Information We Collect” section, the descriptions in the Website Visitor section apply to anyone visiting our website outside of the app, for example, someone researching OCD and different forms of treatment, whether they are a NOCD Therapy Member or not. The descriptions below that pertain to our members discuss how NOCD’s website and information collection works once you log into our portal.  As this section explains, for our NOCD Therapy Members, no information about your treatment, such as treatment notes, messaging with your therapist, how you are using our treatment tools, is made available to anyone other than as needed for your treatment or insurance coverage. 

For visitors to our website, we do use tools such as cookies and pixels that enable us to make the site functional and help us with our marketing efforts, as discussed below. We also use these tools to help us promote our Services to you, to enhance your experience. We do not use pixels and cookies to enable third parties to serve ads to our website visitors about their own products or services, nor do we sell or rent our website visitors’ personal information to any third parties for their own advertising or marketing purposes. As discussed below, there is always the option to turn off cookies so that this tracking does not occur.

TYPES OF PERSONAL INFORMATION WE COLLECT

NOCD collects the following categories of information from you and about you that may, alone or in combination with other information, constitute Personal Information. We may have collected the following Personal Information about you within the past 12 months:

Website Visitor:

• Internet or Electronic Network Activity Information. Like most companies, we work with third parties, such as Facebook and Google, to collect information on page visits via cookies and pixels so that we can serve our members ads about our Services. This includes information regarding your interactions with advertisements and other websites, the type of device you use to access our Platform, and other unique or online identifiers like your device hardware model, IP address, or mobile operating system. 
• Identifiers. These include your name, state, telephone number (possibly including your mobile phone number), email address, and IP address. This information is collected if you choose to “Book a free call” to learn more about our therapy services or request information about a clinical trial. 
• Geolocation Data. We do not use location tracking. We can see data broadly related to location, such as emergency address and ip address, but the location tracking feature is not enabled.
• Employee Information. Please see our Employee Privacy Notice for information about our collection, use, and disclosure of information pertaining to job applicants and current and past employees.

NOCD App/Community Member:

• We collect data for the purposes of providing the product, such as (1) the posts our members may leave in the community feed, and (2) data collected by and required for our ERP tools to work for members to do exercises. The information that you post and your username (which can be updated at any time) will be visible to others.
• Unlike many companies, NOCD has not configured our site with a Facebook login option to pull information about our members that is stored with Facebook. So, to give some examples, we are not collecting information about our members’ Facebook likes, profile information, or the messages they send. 
• Members may log into our site using an email and password they create or via Google login. If they use Google login, Google, by default, will make available to us the member’s name, email address, language preference, and profile picture stored with Google. However, from that data, NOCD stores and processes only the member’s email address for the purpose of login.

NOCD Therapy Member:

• We must collect basic information like first name, last name, date of birth, emergency contract, insurance member ID (if choosing to use insurance to cover care), and credit card information for payment of services in order to provide treatment, and all in compliance with HIPAA. 
• For the same reason, we must also collect our treatment members’ messages with their provider (so that the provider can read and respond), data about their progress through self-assessment tools, notes, and other treatment-related information.
• Categories listed in California Civil Code 1798.80(e): (1) identifiers listed above; (2) your physical characteristics or descriptions that you provide to us; (3) medical insurance information; and (4) payment information, which may include your credit or debit card number.
• Protected classifications. This includes characteristics protected under state or federal law like age, physical or mental disability, sex, and gender.
• Health Information.* This includes information about your condition including but not limited to obsessions, compulsions, triggers, intensity levels, time spent, and location (which we are required to collect in order to provide treatment and obtain insurance coverage). This also includes demographic information like your date or birth, age, gender, and zip code.  Please note that upon the commencement of treatment with NOCD, all health information collected from you is considered protected health information under HIPAA and is subject to our Notice of Privacy Practices.  
• We limit third-party data collection to ensure that there is no collection of information about our members’ treatment (such as their messaging with their therapists or use of our tools) through cookies or pixels by third parties (such as Facebook and Google).

We also receive the contact information for healthcare providers.

The information marked with an asterisk (*) above is considered “sensitive information” under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

We intend to retain each of the above categories of Personal Information for as long as necessary for the purposes of providing and fulfilling your requests relating to our Services, complying with legal obligations, and improving our Platform and Services.  As discussed further below, we make it easy for our Website Visitors to request that this non-treatment-related information that we have collected be deleted using this form. 

HOW WE COLLECT YOUR INFORMATION

NOCD collects Personal Information about you in different ways. Below are some examples of how we may collect Personal Information on our Platform.

• Directly From You. For example, when you:
  • Register for an account.
  • Engage with our online communities.
  • Submit a request for information about a clinical trial.
  • Send our team a message through our portal.
  • Log in and use the mobile or desktop app.
  • Apply for a job through our Platform.
  • Sign up to receive our communications.
  • Participate in one of our surveys or focus groups.
  • Submit a request to our customer service team.
  • Interact with NOCD social media pages.
  • Upload images or files to make a community post or for your own private treatment tools (such as for a looptape or exposure tool).
• Passively By Means of Software. For example, when you:
  • Install and use NOCD mobile apps.
  • Visit and navigate our Platform on any device.

For information about how to manage or opt out of targeted advertising, please see below Data Subject Rights.

• From Third Parties. We may receive Personal Information about you from other sources with your consent or as permitted by applicable law. For example, this may include receiving Personal Information from:
  • Our business partners, including health care providers, organizations that sponsor medical trials, online advertising networks, and data analytics vendors.
  • Social media sites, including Facebook, Twitter, YouTube, and Instagram.
  • Our therapy members, when such members share with us the contact information for their healthcare providers.
  • Companies that provide information to supplement what we already know about you. This include third-party service providers that help us provide treatment and obtain insurance coverage, as well as third parties that help us track information about website visitor activity. We receive this information in de-identified form. These parties do not receive any information about your treatment.
• By Combining Information. For example, we may:
  • Combine Personal Information that we collect offline with information we collect through our Platform, such as when you are using our self-assessment tools for ERP therapy exercises.
  • Combine Personal Information we collect about you from the different devices you use to access our Platform.
  • Combine Personal Information we get from third parties with information we already have about you as needed to provide treatment and obtain insurance coverage. 

HOW WE USE PERSONAL INFORMATION ABOUT YOU

This section is not broken out by Website Visitors, Community Members, and Therapy Members, as the usage described below makes this breakdown clear. 

Examples of how we may use the Personal Information that we collect we collect include:

• To Provide Our Services. This could include fulfilling your requests for tools or services. It could also include processing purchases or other transactions.
• To Improve Our Platform and Services. We may use Personal Information about you to make our Platform and Services better. We may also use Personal Information to customize your experience with us.
• To Advance OCD Treatment. We use information we collect in aggregated form to understand and identify potential future resources or research for OCD treatment. For example, if many of our users, in the aggregate, discuss one subtype of OCD, we may offer more resources to the community on that subtype of OCD.
• To Respond to Your Requests or Questions. This may include responding to your feedback.
• To Communicate With You. We may communicate with you about your account or our relationship. We may also contact you about this Policy or our Platform terms and conditions. We may communicate with healthcare providers about their patients and about our services that may be relevant to such and other patients.
• To Determine Your Eligibility. If you apply for a job at NOCD, we may use Personal Information about you to verify your identity or determine your eligibility for a job that we offer through our Platform. If you fill out a form indicating your interest in a clinical trial, we will use Personal Information about you to determine your eligibility for certain clinical studies offered by our business partners.
• For Marketing Purposes. We use Personal Information about you to send you ads or other news about our Services. For more information about your choices related to these communications and marketing practices, see the Choices and Rights Regarding Personal Information About You sections below. 
• For Security Purposes. This could include protecting our company and consumers who use our Services. It may also include protecting our Platform.
• As Otherwise Permitted By Law or As We May Notify You.

HOW WE SHARE PERSONAL INFORMATION ABOUT YOU

We do not sell Personal Information about you. 

The California definition of selling data includes disseminating Personal Information for valuable consideration, and may be interpreted to include having a contract with a third party with which you share data. We do share data with third parties as needed for treatment, and we share limited non-treatment related data with third parties with which we have contracts to help with our marketing and analytics efforts, through cookies and pixels. This practice may be considered ‘selling’ data according to the CCPA’s broad definition, even though it is not a “sale” under the conventional definition of the word or under the laws in Virginia and Utah. Additionally, as further clarification, we do not use cookies to enable third parties to serve ads to our website visitors about their own products or services.

We may share Personal Information about you in the following ways:

Website Visitor:

• With Our Service Providers. We may share Personal Information about you with third parties who perform services on our behalf and with whom we have a contract that includes appropriate privacy obligations. For example, this may include companies that serve marketing advertisements about our Services on our behalf or other operating systems that help us run our Platform.
• With Clinical Trial Sites. If you ask for more information about a particular clinical trial, after we have a call with you to discuss the trial, we may share the contact information you submit to us with the clinical trial site.
• With Data Analytics Providers for Targeted Advertising.  Like many established companies, we work with third parties like Meta (Facebook) and Google to help us with our marketing efforts. These third parties use technologies, like pixels or cookies, to gather Personal Information about you when you visit our Platform so that we know when to send you messages about our Services. This includes information about your website activity and does not include any information about your health or treatment. We work with these third parties to serve you with our ads and content only—we do not sell or share Personal Information about you with any third parties for their own advertising or marketing purposes. For information about how to manage or opt out of targeted advertising, please see the below Rights Regarding Personal Information About You.  
• With Any Successors to All or Part of Our Business or One of Our Brands. For example, if NOCD assesses or actually merges with, acquires or is acquired by, or sells a brand or part of its business to another business entity. This may include an asset sale, corporate reorganization, or other change of control. We may transfer our customer information as part of such a transaction or as stand-alone assets. You hereby consent to such transfers and NOCD may assign and transfer all of the rights, benefits, duties, and obligations of this Policy, under the circumstances described in this paragraph.
• To Comply with the Law or To Protect Ourselves. For example, this could include responding to a court order or subpoena. It could also include sharing information if a government agency or investigatory body requests. We might share information when we are investigating a potential fraud. This could include fraud we think has occurred during a sweepstakes or promotion. Such uses shall only be as necessary or appropriate, and only as permitted under the Health Insurance Portability & Accountability Act and amendments thereto (HIPAA) or other applicable law: (a) to comply with legal process; (b) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (c) to protect our operations or those of any of our affiliates, including in connection with investigating security incidents; or (d) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
• For Such Other Purposes as You May Consent.
• For Other Reasons We May Describe to You.

NOCD App/Community Member:

• On our Platform. For example, we may display information you post for that purpose in our community forums. 
• With Research Partners. We may share insights derived from aggregate data with research institutions in order to advance and better inform OCD treatment.

NOCD Therapy Member:

• Internally. We may share Personal Information about you internally at NOCD as needed to provide the Services.
• With Essential Third Party Service Providers: We share data that is needed to provide treatment, in accordance with HIPAA, and so that you can obtain insurance coverage.  For example, we share information about how long of a session a member had with the service provider that submit claims to our insurance company partners so therapy sessions can be covered. We also work with service providers that securely store a member’s credit/debit card and process billing charges and insurance claims to fulfill the core product services. 
• To Continuously Improve Our Services. We may look at outcomes scores in the aggregate in order to demonstrate in peer reviewed research that our ERP approach is an effective model for OCD treatment. 
• Upon Your Request: A member may also request a release of information in order to work with their own clinician or for other purposes, which requires an explicit consent. All healthcare institutions will release information subject to such a request. 

CHOICES REGARDING PERSONAL INFORMATION ABOUT YOU

You have certain choices about how we use Personal Information about you. Certain choices you make are browser and device-specific.

Marketing Communications:

You can opt-out of receiving our marketing communications. Note that you will still receive transactional messages from us, including information about your account and responses to your inquiries. To opt-out of receiving our marketing communications, you can follow the instructions included with the communication.

Push Notifications

You may opt out by adjusting the settings on your mobile device.

Cookies & Other Tracking Technologies:

Cookies are small text files that websites place on your device as you are browsing, which are stored by your web browser. By storing data, cookies serve crucial functions for websites. If you prefer not to share data, you can disable them. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Services. One helpful summary of the different types of cookies websites use is available on the European Union’s privacy legislation website, which explains:

• Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
• Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
• Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
• Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.

To learn more, you can review the EU’s Cookies explanation here.

Your browser may give you the ability to control cookies or other tracking tools. How you do so depends on the type of tool. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to automatically decline cookies or be given the choice of declining or accepting the transfer to your computer of a particular cookie (or cookies) from a particular site. You may also wish to refer to aboutcookies.org/how-to-control-cookies. 

Our Do Not Track Policy:

• Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. If you block cookies, certain features on our sites may not work. If you block or reject cookies, not all of the tracking described here will stop.
• Options you select are browser and device-specific.

LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION ABOUT RESIDENTS OF THE UNITED KINGDOM AND/OR THE EUROPEAN ECONOMIC AREA

NOCD will process Personal Information about residents of the United Kingdom (“UK”) or the European Economic Area (“EEA”) only if and to the extent that at least one of the following applies:

• The processing is necessary for the purposes of the legitimate interests pursued by NOCD; or
• The processing is necessary for the performance of a contract to which you are a party; or
• You have given consent to the processing of Personal Information for a specific purpose; or
• The processing is necessary for NOCD’s compliance with a legal obligation.

RIGHTS REGARDING PERSONAL INFORMATION

You have the following rights (“Data Subject Right”) in relation to Personal Information that we hold about you. These rights may differ depending on where you live (including specifically in California, Virginia, Colorado, Connecticut, Utah, the UK, or the EEA), but we will endeavor to respect these rights no matter your country or state of residence.

• Right of Access: If you ask us, we will confirm whether we are processing Personal Information about you and, if so, provide you with a copy of all Personal information you are lawfully entitled to receive along with certain other details. If you require additional copies, we may need to charge a reasonable fee. In addition, you may request the categories of third parties with whom we share that Personal Information, and if we disclosed Personal Information about you, the categories of Personal Information that each category of recipient obtained.
• Right to Request Rectification: If you believe Personal Information is inaccurate or incomplete, you are entitled to request that we correct or complete it. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared Personal Information about you so you can contact them directly.
• Right to Erasure: You may ask NOCD to delete or remove Personal Information, such as where you withdraw your consent, where applicable. If we shared Personal Information about you with others, we will tell them about the erasure as directed by law. 
• Right to Restrict Processing: You may ask us to restrict or ‘block’ the processing of Personal Information in certain circumstances, such as where you contest the accuracy of the data, or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared Personal Information with others, we will tell them about the restriction as directed by law. If you ask us, and where possible and legally required, we will also tell you with whom we shared Personal Information about you so you can contact them directly.
• Right to Data Portability: You have the right to obtain Personal Information from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by us by automated means. We provide the Personal Information we have collected about you in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
• Right to Object: You may ask us at any time to stop processing Personal Information about you, and we will do so:
  • If we are relying on a legitimate interest to process Personal Information about you — unless we demonstrate compelling legitimate grounds for the processing; or
  • If we are processing Personal Information about you for direct marketing.
• Right to Withdraw Consent: If we rely on your consent to process Personal Information about you, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
• Rights in Relation to Automated Decision-Making: Individuals residing in the European Union (“EU”)/ European Economic Area (“EEA”) and UK have the right to be free from decisions based solely on automated processing of Personal Information about you, (including profiling) unless this is necessary in relation to a contract between you and us or you provide your explicit consent to this use.
• Right to Lodge a Complaint with the Data Protection Authority: Individuals residing in the EEA and UK that have a concern about our privacy practices, including the way NOCD handles Personal Information about you, can report it to the data protection authority that is authorized to hear those concerns.
• Right to Non-Discrimination: We will not discriminate against you for exercising these rights, but we may charge a reasonable fee as permitted by law in fulfilling these rights.

If you or your authorized agent wish to exercise any of these Data Subject Rights, please contact us via at the information provided in the HOW TO CONTACT US section below. Before responding to your request to exercise Data Subject Rights, we may require you to confirm your name, email address on file, and potentially additional information to verify your identity or clarify your specific request. We will try to comply with your request as soon as reasonably practicable and in compliance with applicable law. Where appropriate, we will transmit the amended information to third parties having access to Personal Information about you.

We may deny your request to exercise any of your Data Subject Rights above as permitted by law, including if any such exercise of those rights might prevent NOCD from:

1. Complying with legal obligations.
2. Detecting security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Debugging products to identify and repair errors that impair existing intended functionality.
4. Making other internal and lawful uses of that information that are compatible with the context in which you provided it.

CHILDREN

We believe our Services can help young adults and children, too. However, we do not knowingly allow children under the age of 13 to use our Platform without appropriate consent from a parent or guardian. If we learn that a child under the age of 13 uses our Platform, and we do not have the appropriate consent, we will delete the child’s Personal Information that we have collected through the Platform.

SECURITY AND RETENTION

NOCD seeks to use administrative, physical, and technical safeguards that are reasonable and appropriate for the protection of the Personal Information in our custody or control. When you access the Platform using modern web browsers, Secure Socket Layer (SSL) or Transport Layer Security (TLS) technology protects your information using both server authentication and data encryption. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contacting Us” section below.

We will retain Personal Information about you in a file specific to you in the data centers of our service providers. We will retain Personal Information about you for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.

TRANSFERS OF PERSONAL INFORMATION

All Personal Information that we collect is stored in the US, is subject to US laws, and may be subject to disclosure to US governments, courts, law enforcement, or regulatory agencies pursuant to those laws. NOCD is based in the United States. If you are using NOCD’s Services from or in another country with laws governing processing of Personal Information, please note that Personal Information about you will be transmitted to our servers in the United States as necessary to provide you with the information that you requested, administer our contract with you or to respond to your requests as described in this Policy, and such Personal Information may be transmitted to our service providers supporting our business operations. The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. When we transfer Personal Information about you out of your country, we will take steps to ensure that Personal Information about you receives an adequate level of protection where it is processed, and your rights continue to be protected.

LINKS

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any site or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates. In addition, we are not responsible for the information collection, use, disclosure or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including with respect to any Personal Information you disclose to other organizations through or in connection with the Services.

HOW TO CONTACT US

If you have any questions, comments, or concerns with respect to our privacy practices or this Policy, wish to update Personal Information about you, or would like to exercise your Data Subject Rights, please feel free to contact us at privacy@nocdhelp.com or at 312-766-6780. For residents of the European Union or United Kingdom, you can use this form to submit a request regarding Personal Information about you that is processed by NOCD.

You may also write to us at the following address:

NOCD Attention: Privacy Officer 225 N Michigan Ave, Suite 1430 Chicago, IL 60601

CHANGES IN POLICY

From time to time, we may change our Policy. We will notify you of any material changes to our Policy as required by law. We will also post an updated copy on our Platform.