Definitive Healthcare U.S. supplemental privacy policy

Effective date: July 1, 2023 (Last updated July 26, 2024)

This U.S. Supplemental Privacy Policy (“Supplement”) supplements the information in Definitive Healthcare’s Global Privacy Policy for residents of U.S. states with Comprehensive State Privacy Laws, as defined below. This Supplement describes the types of Personal Information that Definitive Healthcare may collect or process from U.S. residents in those states, how we may use and disclose that information, and how you may exercise any rights you may have regarding our processing of your Personal Information.

This Supplement applies to Personal Information collected or processed by Definitive Healthcare from or about U.S. residents in states with comprehensive policy laws (collectively, hereafter, “Comprehensive State Privacy Laws”), including, for example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CPRA”), together referred to as (“CCPA”); the Colorado Privacy Act (“CPA”); the Connecticut Personal Data Privacy and Online Monitoring Act (“CTDPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Oregon Consumer Data Privacy Act (“OCDPA”); the Texas Data Privacy and Security Act (“TDPSA”); the Utah Consumer Privacy Act (“UCPA”); and similar state privacy and data protection laws. This Supplement only applies to residents in those states unless otherwise noted.

Personal Information subject to this Supplement does not include the information covered by certain federal and state laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), clinical trials, or other exemptions as described in Comprehensive State Privacy Laws. In addition, even Personal Information covered in this Supplement may be collected and processed—including by disclosure to governmental entities or third parties—outside the requirements of this Supplement where applicable Comprehensive State Privacy Laws allow, including where such action is necessary to comply with federal, state, and local laws; to prepare for any law suit; to protect the vital interests of a consumer or other individual; to act in the public interest in areas of public health; to cooperate with government authorities; or to protect against security threats and illegal, fraudulent, or malicious activity and any subsequent investigation of that activity.

This Supplement uses the terms “consumer,” “personal data” or “personal information,” and “sale” as defined in their respective laws. References to “Personal Information” include personal data or personal information as defined under Comprehensive State Privacy Laws.

Personal Information collected

Personal information we collect. In the past 12 months, we may have collected and processed the following categories of Personal Information in developing and providing the Definitive Healthcare Services and we license such Services to categories of third parties as described in the table below:

Categories of Personal Information Processed for Each Processing Purpose	Personal identifiers and personal contact information such as name, E-mail address, and mobile phone number. Education and employment information such as employment status, place of employment, job history, job title, professional position, leadership or executive role, name of employer, business E-mail, business phone, business postal address, National Provider Identification Number, hospital affiliation, LinkedIn profile, and national and state license information. Personal characteristics such as birth year. Internet activity such as IP Address and information about how consumers interact with our website or other online materials. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Categories of Sources for Personal Information	Publicly available information from federal, state, and local government agencies, and web research through use of technology and by our in-house research team Proprietary research by our in-house research team through publicly accessible websites and electronic and phone surveys Licensed data from third parties including data like clinical practice history of healthcare providers (HCPs) based upon HIPAA-certified de-identified patient data Directly from consumers Directly and indirectly from consumers by their activities on our website or their devices Directly and indirectly from our customers Through communications with prospective customers
Business and Commercial Purposes for which Personal Information is Processed	To fulfill the purpose for which the information was provided; To include in Definitive Healthcare’s platform licensed to customers, which is used for business-to-business sales and marketing efforts; To provide consumers with information about Definitive Healthcare and its products, services, events, or other information, and to enhance their experience on our website and with our product, services, and marketing materials; To research, develop, test, evaluate future product features and enhancements and improve the services; To provide product customer service; As necessary to comply with applicable federal, state, and local laws; and To protect against security threats and protect against illegal, fraudulent, or malicious activity, and any subsequent investigation of that activity.
Categories of Third Parties with Which Personal Information is Disclosed	Definitive Healthcare customers Service providers Third parties integrated into our services Third parties as required by law Third parties in relation to a merger, sales, or asset transfer Other third parties with consumers’ consent Our affiliates
Categories of Third Parties with Which Personal Information is Sold	Definitive Healthcare customers In the last 12 months, Definitive Healthcare has sold Personal Information related to healthcare providers (HCPs) and other individuals affiliated with healthcare organizations (HCOs), including name, place of employment, professional title, business e-mail address and phone number, office address, social media links, and work or educational history. Personal Information is sold to Definitive Healthcare’s enterprise customers, including for commercial strategy, analytics, and business-to-business sales and marketing.
Categories of Personal Information that the Controller Sells to or shares with Third Parties	Personal identifiers and personal contact information such as name, E-mail address, and mobile phone number. Education and employment information such as employment status, place of employment, job history, job title, professional position, leadership or executive role, name of employer, business E-mail, business phone, business postal address, National Provider Identification Number, hospital affiliation, LinkedIn profile, and national and state license information. Personal characteristics such as birth year. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Sensitive Personal Information: At the time of this Supplement, Definitive Healthcare does not collect or process Sensitive Personal Information subject to the Global Privacy Policy.

Disclosure and Sale of Personal Information. During the last year, Definitive Healthcare has sold Personal Information related to healthcare providers (HCPs) and other individuals affiliated with healthcare organizations (HCOs), including name, place of employment, professional title, business e-mail address and phone number, office address, social media links, and work or educational history. Personal Information is sold to Definitive Healthcare’s enterprise customers, including for commercial strategy, analytics, and business-to-business sales and marketing.

During the last year, Definitive Healthcare has disclosed Personal Information to service providers (e.g., cloud computing and storage vendors; security contractors, and consultants), for our own operational business purposes.

Your privacy rights

As a resident of a state with a Comprehensive State Privacy Law, you may have some of the following privacy rights, subject to some limitations or exemptions as required or allowed by law:

To opt-out of sharing your Personal Information for cross-context behavioral advertising or, in other states, to opt-out of targeted advertising;
To opt-out of the sale of your Personal Information;
To request to know and access your Personal Information,
To obtain a copy of your Personal Information, i.e., a right to data portability;
To request that we correct your Personal Information;
To request that we delete your Personal Information;
To request that we limit the use of your Sensitive Personal Information (if applicable);
To opt-out of processing of Sensitive Personal Information;
To not be discriminated against for exercising any of the rights above; and
To appeal the denial of a request.

Right to opt-out of the sharing your Personal Information for targeted advertising: For web-based activities, you can opt-out of sharing Personal Information or opt-out of targeted advertising for any website you visit by clicking on the Your Privacy Choices link located at the bottom of that website.

Right to opt-out of the sale of your Personal Information: Under Comprehensive State Privacy Laws, Consumers have the right to opt-out of the sale of any Personal Information that was collected and retained by Definitive Healthcare. We will also inform our customers and service providers of your decision to opt-out.

For web-based activities, you can opt-out of sale of your Personal Information for any website you visit by clicking on the Your Privacy Choices link located at the bottom of that website.

To opt-out of offline sale of your Personal Information, please contact us by:

Completing this online form: Right to Opt Out
Contacting us by phone at: 1-866-679-6461

Right to know and access your Personal Information: You may have the right to request that we disclose what Personal Information we collect, use, disclose, or sell. You may request to view a report of the categories of your Personal Information across our systems or a view report of your Personal Information across our systems. To do so, please submit a Privacy Rights Request by:

Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Right to obtain a copy of your Personal Information. Consumers have the right to obtain a portable copy of their data. You may ask us for a package of your data to be downloaded and transferred to another recipient. To do so, please submit a Privacy Rights Request by:

Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Right to delete your Personal Information: Consumers have the right to request the deletion of any Personal Information that was collected and retained by Definitive Healthcare for certain purposes. To do so, please submit a Privacy Rights Request by:

Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Right to correct your Personal Information: Consumers have the right to request that we correct any Personal Information that was collected and retained by Definitive Healthcare for certain purposes. To do so, please submit a Privacy Rights Request by:

Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Right to opt-out of sensitive Personal Information processing or request to limit the use of sensitive Personal Information: At the time of this Supplement, Definitive Healthcare does not collect or process Sensitive Personal Information subject to the Global Privacy Policy

Right to appeal: You have the right to appeal any denial of a Privacy Rights or Opt-Out Request. You will be provided instructions on how to do so in any response letter that is denying your request. If you have questions, you may contact us at privacy@definitivehc.com

Exercising your privacy rights

To exercise your any of your privacy rights in the previous section, please contact us in one of the following designated methods:

For Opt-Out of Sale, Sharing, or Targeted Advertising:

For web-based, by clicking: Your Privacy Choices
Completing this online form: Right to Opt Out
Contacting us by phone at: 1-866-679-6461

For Requests to Know, Access, Obtain, Delete, or Correct:

Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Definitive Healthcare will not discriminate in pricing and services against a consumer for exercising their Comprehensive State Privacy Laws rights.

Verifiable requests

We will make reasonable efforts to promptly respond to your requests in accordance with applicable laws, but your rights under Comprehensive State Privacy Laws are not absolute. For example, any such request must provide sufficient information that allows Definitive Healthcare to verify that you are the consumer whose Personal Information we have collected. We may, after receiving your request, require additional information from you to honor your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

Requests by Authorized Agents

Where required by applicable Comprehensive State Privacy Laws, we permit residents of certain states to designate an authorized agent to submit certain requests on your behalf, as outlined below.

California residents may designate an authorized agent to submit a request to opt-out of sale or share of Personal Information, to limit the use of Sensitive Personal Information, or to access, correct, or delete your Personal Information. In each case, the agent must provide us with documentation demonstrating that you have provided signed permission to the agent to exercise these rights with us on your behalf. We may deny the request if we do not receive such proof. In addition, for requests to access, correct, or delete your Personal Information, we may also require you to do either of the following: (1) verify your own identity directly with us; or (2) directly confirm with us that you have provided the authorized agent permission to submit the request on your behalf. These requirements of proof do not apply if the agent has a power of attorney pursuant to California Probate Code.

Colorado, Connecticut, Oregon, Montana, and Texas residents may designate an authorized agent to submit a request to opt-out out of our processing of personal data for the purposes of targeted advertising or sale. If you use an authorized agent to submit a request, we will not act on that request unless we are able to authenticate, with commercially reasonable effort, both your identity and the authorized agent’s authority to act on your behalf.

For all requests via authorized agents, we require that your agent provide us with your Personal Information as required on the request form and provide signed documentation demonstrating that you authorized the agent to submit a request on your behalf. The request must also include sufficient detail that allows us to properly understand, evaluate, and respond to the request. If we need more information to process your request, we will contact you via e-mail or in writing.

Authorized agents may submit requests using one of the following designated methods.

Completing this online form: Right to Opt Out
Completing this online form: Privacy Request Form
Contacting us by phone at: 1-866-679-6461

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with your state’s law pertaining to powers of attorney.

Opt-out signals

Certain web browsers and other programs may transmit “opt-out” signals, also called a Global Privacy Control (or GPC) signal (we refer to these as “GPC Signals”), to websites with which the browser communicates.

For users that access our websites from states that require recognition of universal opt-out signals under a Comprehensive State Privacy Law, we will recognize and apply the GPC Signal as a browser-level opt-out to inactivate all of the cookies for that website, except for cookies that are essential/strictly necessary for the website to operate. Additionally, you can determine if your browser GPC Signal has been recognized by clicking on the “Your Privacy Choices” link in the footer of the website that will include a short message at the top of the preference center indicating that your GPC Signal has been received.

For users from states not currently requiring recognition of the GPC Signal, our website servers will not recognize the GPC Signal, but you can always check and adjust your cookie settings by going to the Your Privacy Choices link in the footer of this website.

Children’s information

Definitive Healthcare’s products and services are directed at business professionals. Definitive Healthcare’s products and services are not targeted to children under the age of 16. We do not knowingly collect or maintain any Personal Information for children under the age of 16. If we discover we have collected any information for persons under the age of 16, we will delete their Personal Information.

Consumer rights requests metrics (California)

As a registered data broker in California, Definitive Healthcare is obliged to compile the number of requests received and complied with the previous calendar year.

During the previous calendar year Definitive Healthcare received the following number of verified requests from individuals in California (including requests submitted by authorized agents).

	Received	Complied with in whole or in part	Mean number of days to respond
Requests to know	4	4	13
Requests to delete	39	39	19
Requests to opt-out	2	2	4
Requests to correct	0	0	0

Data broker registrations

Definitive Healthcare is registered as a “data broker” in US states where such registration is required, including, California, Vermont, Oregon and Texas.

Definitive Healthcare is a data broker under Texas law. To conduct business in Texas, a data broker must register with the Texas Secretary of State (Texas SOS). Information about data broker registrants is available on the Texas SOS website https://www.sos.state.tx.us.

Questions?

Definitive Healthcare is committed to protecting the privacy of Consumers’ Personal Information and being transparent about our privacy practices. If you would like to submit an opt-out or privacy request, please use one of the designated methods in the section Exercising your privacy rights. We welcome questions, comments, or feedback on this Supplement or our Privacy Policy. To obtain more information or submit feedback or questions, please contact us:

E-mail: privacy@definitivehc.com
Phone: 1-866-679-6461

Mail:

Definitive Healthcare
Attn: Data Privacy Officer
492 Old Connecticut Path
Suite 401
Framingham, MA 01701