HIPAA Notice of Privacy Practices
United States Website Privacy Policy

European Website Privacy Policy
GDPR Commitment
Medical Release Authorization Form


United States Website Privacy Policy

Effective February 2024
iRhythm Technologies, Inc. ("iRhythm"), values the security of your personal information. This Website Privacy Policy ("WPP") is intended to inform you of what data is gathered through iRhythm's iRhythmtech.com website (the "Website"), how this information is used, and what measures are taken to maintain the privacy of your information.

To Whom Does This Website Privacy Policy Apply?
This WPP applies to all users of the Website, and the California Supplement applies to users of the Website who are residents of California. This document does not explicitly refer to the privacy policies surrounding protected health information, which are governed by the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act and each Act’s implementing regulations. If you are a patient, including patients who are California residents, please see our Notice of Privacy Practices ("NPP") at www.irhythmtech.com. The NPP addresses our privacy practices, our legal duties, and your rights concerning protected health information, including any protected health information collected through an iRhythm cardiac monitor or provided by your health care provider. If you are a patient who made or is making use of myZio, the privacy policy located at www.myzio.com/privacy covers our collection, use and disclosure of information collected through that platform.

A Word about External Websites
External websites that may be referenced within this Website are not covered by this WPP. These external websites may have their own policies, and we encourage you to review those policies prior to using such external sites.

What Information Do We Gather About You And What Do We Do With It?
When using the Website, iRhythm collects any information you provide and automatically collects certain activity and session information from you. What we gather and how we use it is explained below.

Information You Provide: We collect any information that you provide when you use the Website. For example, the Website may include web pages that give you the opportunity to provide us with information about yourself such as your name and email address. You do not have to provide us with this information if you do not want to. Your decision not to provide this information, however, may limit your ability to use certain functions or to request certain services or information.

Information Automatically Collected From You: We may automatically collect certain technical information from your computer or mobile device when you visit the Website, such as hardware specifications, your Internet Protocol address, your browser type, your operating system, the pages you view, and the search terms you enter.

We and our service providers may collect information using cookies or similar technologies. Cookies are pieces of information that are stored by your browser on the hard drive or memory of your computer or other Internet access device. Cookies may enable us to personalize your experience on the Website, maintain a persistent session, and carry out marketing and other activities. The Website may use different kinds of cookies and other types of local storage (such as browser-based or plugin-based local storage). Most browsers will tell you how to stop accepting new cookies, how to be notified when you receive a new cookie, and how to disable existing cookies. Disabling cookies, however, may limit your ability to take advantage of all the features on the Website.

In addition, we may collect statistical information regarding Website visitors’ navigation on the Website (e.g., IP address, geographic location, browser type, referral source, length of visit and pages viewed). We engage with third-party service providers Freshmarketer, Hubspot, and Google Analytics & Google Optimize to collect such information on our behalf. The collection of such information involves the use of cookies and similar technologies, as described above. Google provides some additional privacy options described at www.google.com/policies/privacy/partners; Freshmarketer also provides additional information about its operations and privacy options.

How Do We Use the Information Collected?

Operation of the Website
We use and store information we collect about and from you to respond to requests that you make, improve and manage the Website, better tailor content, offers and features, and for purposes disclosed at the time you provide your information or otherwise with your consent.

Marketing and Communications
We may use your information to send you electronic newsletters or promotional emails, unless you have requested not to receive such promotional communications from us or doing so would be prohibited by applicable law. If you fill out a form on the Website to receive a piece of content, we may collect information regarding your interactions with that content (e.g., clicking on content). We may also collect information about you that is publicly available on the Web which is then tied to the information you provided to us (e.g., email address, name) or otherwise collected about you. You can opt-out of receiving further promotional messages from us by following the unsubscribe instructions provided in the promotional email you receive or by contacting us directly.

Patients and physicians who provide testimonials for use by iRhythm are required to sign consent and release forms.

Can Third Parties View Your Information?
We will only share your information with third parties outside the iRhythm group as outlined below or described elsewhere in this WPP and as otherwise permitted by law.

Merger, Sale or Other Asset Transfer
In the event that iRhythm is acquired by or merged with a third-party entity, we may transfer or assign the information that we have collected as part of such a merger, acquisition, sale, or other change of control as well as in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

As Required By Law and Similar Disclosures
We may disclose information about you: (i) if we are required to do so by law, regulation, or legal process, such as a court order or subpoena; (ii) in response to requests by government agencies, such as law enforcement authorities; (iii) when we believe disclosure is necessary or appropriate to protect against or respond to physical, financial or other harm, injury, or loss to property; or (iv) in connection with an investigation of suspected or actual unlawful activity.

Service Providers
We may also share information we have collected with other third party companies that we work with to perform services on our behalf. For example, we may hire a company to help us send and manage email, and we might provide the company with your email address and certain other information in order for them to send you an email message on our behalf.

International Data Transfers
iRhythm complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  iRhythm has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, iRhythm commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact iRhythm at Support@irhythmtech.com or (888) 693-2401. 
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, iRhythm commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to TrustArc, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://trustarc.com/dispute-resolution/ for more information or to file a complaint.  The services of TrustArc are provided at no cost to you.

What Measures Are Taken To Protect Your Information?
We maintain reasonable administrative, technical and physical safeguards designed to protect the information that you provide on the Website. However, no security system is impenetrable, and we cannot guarantee the security of the Website, nor can we guarantee that the information you supply will not be intercepted while being transmitted to us over the Internet, and we are not liable for the illegal acts of third parties.

How Can You Access and Edit Your Information?
You may request to verify and edit any of your personal information by contacting iRhythm Clinical Center Customer Service Department via the contact information listed below.

 

Children’s Privacy
This Website may not be used by persons under the age of 18. As a result, we do not knowingly collect personally identifiable information from children under the age of 18. If iRhythm is made aware of information collected from a child under 18, we will delete that information.

How Can You Contact Us About This Website Privacy Policy?
If you have any questions or concerns about this WPP, we encourage you to contact the iRhythm Customer Service Department either at 1-888-693-2401 (24 hours, 7 days a week), via email at privacy@irhythmtech.com, or via the Website through our Contact Us form.

Updates to the Website Privacy Policy
Any changes to this WPP will be posted on this Website so that you can be aware of our information practices. Your continued use of the Website constitutes your agreement to this WPP. If we make any revisions that materially change the ways in which we use or share the information previously collected from you through the Website, we will give you the opportunity to consent to such changes before applying them to that information.

California Supplement to Our United States Website Privacy Policy
Effective December 31, 2019
Last Updated March 31, 2020

This California Supplement to the Website Privacy Policy ("California Supplement") is intended to inform California residents of Personal Information that iRhythm Technologies, Inc. ("iRhythm"), collects through iRhythm's iRhythmtech.com website (the "Website"), the purposes for which it is used, and to whom iRhythm may disclose such Personal Information.

To Whom Does This California Supplement Apply?
This California Supplement applies to the Personal Information of certain California residents, who are Consumers receiving products or services for which we are a Business, as those terms are defined under the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (the “CCPA”), and is effective upon the date that the CCPA enters into operation. This California Supplement adds to the information and disclosures contained in our United States Website Privacy Policy (“WPP”). If you are not a California resident, this California Supplement does not apply to you. If you are a California resident and/or a patient, please see our Notice of Privacy Practices ("NPP") at www.irhythmtech.com. The NPP addresses our privacy practices, our legal duties, and your rights concerning protected health information, including any protected health information collected through an iRhythm cardiac monitor or provided by your health care provider. If you are a patient who made or is making use of myZio, the privacy policy located at www.myzio.com/privacy covers our collection, use and disclosure of information collected through that platform.

Briefly, and as more fully defined in the CCPA, Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or Household; however, certain categories of information may be excluded, including, for example, deidentified or aggregate information, information lawfully made available from government records, medical information, data subject to HIPAA, data maintained by healthcare providers in the same manner as data subject to HIPAA, clinical trial data, consumer credit reporting agency data or data subject to the Fair Credit Reporting Act, data subject to the Gramm-Leach-Bliley Act, data subject to the Driver’s Privacy Protection Act, and data relating to vehicle ownership or warranty information.

Any capitalized terms herein are intended to have the same meaning as in the CCPA.

What Information Do We Gather About You And What Do We Do With It?

California Consumers’ Rights and Choices
If you are a Consumer, California law may permit you to request information regarding the:

  • Categories of Personal Information (as defined by applicable California law) collected, sold or disclosed by us;
  • Purposes for which categories of Personal Information collected by us are used
  • Sources of information from which we collect Personal Information
  • Specific pieces of Personal Information we have collected about you

In addition, if you are a Consumer you may:
  • Opt-out of the sale or disclosure of your Personal Information, in some circumstances;
  • Opt-out of receiving marketing communications from us; however, you may still receive administrative communications regarding the Services;
  • Opt-in to certain financial incentive programs we may offer related to the collection, sale, or deletion of your Personal Information; and
  • Request deletion of your Personal Information by us and our service providers, in some circumstances.
Further, California law provides Consumers with the right not to receive discriminatory treatment by a business for the exercise of these rights regarding Personal Information.
Personal Information Collection, Disclosure, and Sale

 

 

 

 

 

 

 

 

Category of Personal Information Collected:
Professional or employment- related information
Examples: Job application or resume information, past and current job history, and job performance information, unless exempt.

Categories of Sources of Collection

  • Directly from you, e.g., forms you complete or products and services you purchase.

Business or Commercial Purpose for Use

  • Our business purposes, including detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
  • Disclosure to a Third Party, bound not to further disclose such information and prohibited from selling such information.

Categories of Third Parties (If Any) With Whom Personal Information is Shared
Data analytics providers; Government entities; Affiliates; Vendors and service providers; Third parties integrated into our services; Third parties as required by law and similar disclosures; Third parties in connection with a merger, sale, or asset transfer; Other third parties for whom we have obtained your permission to disclose your Personal Information.

 

 

Category of Personal Information Collected
Inferences Drawn from Personal Information
Examples: Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Categories of Sources of Collection
Business or Commercial Purpose for Use
Categories of Third Parties (If Any) With Whom Personal Information is Shared

 

We have not collected inferences drawn from personal information in the last 12 months and do not plan to collect it in the next 12 months.

 

Such information may be used for the purposes for which it was collected or as otherwise permitted or required by applicable law.

As of the date of last update and review of this California Supplement, we have no reason to believe that we have collected, disclosed, sold or otherwise processed the Personal Information of more than 4 million California Consumers.

Requests you can make requests related to your California privacy rights as follows:

  • Access My Personal Information: Email: privacy@irhythmtech.com; Phone: 1-888-693-2401; Website through our Contact Us form.
  • Delete My Personal Information: privacy@irhythmtech.com; Phone: 1-888-693-2401; Website through our Contact Us form.
  • Do Not Sell My Personal Information: Not applicable. We have not sold Personal Information in the preceding twelve months from the date of last review of this Privacy Policy; we do not currently sell, and we will not sell your personal information for twelve months from the date of the last review of this Privacy Policy.
Please be aware that we do not accept or process requests through other means (e.g., via fax or social media).

We will review the information provided and may request additional information to ensure we are interacting with the correct individual. If you have an online account with us, you may be required to log-in to your account for identity verification. If you do not have an account with us, additional information to verify your identity may be required by law before we may take action upon such a request. This additional information may vary depending on the nature of your request and/or the nature of the information about which your request relates. In some cases, we may also be required by law to obtain a signed declaration under penalty of perjury from you that you are the subject of the request being made. If we suspect fraudulent or malicious activity on or from your account, we will delay taking action on your request until we can appropriately verify your identity and the request as authentic.

By law, we are not required to collect personal information that we otherwise would not collect in the ordinary course of our business, retain personal information for longer than we would otherwise retain such information in the ordinary course of our business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information. If we have not requested specific additional information from you to verify your request, please do not send such information.

We generally will aim to avoid requesting additional information from you for the purposes of verification. However, if we cannot reasonably verify your identity or more information is needed for security or fraud-prevention purposes, we may consider any of the following factors, alone or in combination, in requesting additional information:
  • The type, sensitivity, and value of the personal information collected and maintained about the consumer, as applicable law requires a more stringent verification process for sensitive or valuable personal information;
  • The risk of harm to the consumer posed by any unauthorized access or deletion;
  • The likelihood that fraudulent or malicious actors would seek the personal information;
  • Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;
  • The manner in which the business interacts with the consumer
  • Available technology for verification; and
  • Other factors that may be reasonable if the circumstances are consistent with industry practice, are recommended by California government officials, or which may be required by law or regulation following the effective date of this Privacy Policy.

If your request is regarding household information, the same verification steps above are required before we can provide you with aggregate household information. For us to process a request for access to or deletion of specific pieces of information regarding your household, all members of the household must make the request, and we must be able to verify each household member.

In some cases, we may not have sufficient information about you or your household to be able to verify your identity or sufficiently differentiate you from another consumer or household to the degree of certainty required by law, in which case, we will not be able to act upon your request. In such cases, it may be unlikely that we would be able to identify you or your household in the future without collecting significantly more information or seeking to reidentify deidentified information. At this time, we do not intend to take such steps in response to a request made pursuant to this Privacy Policy and applicable law does not require that we do so. If, in the future, we determine a reasonable method to identify you or your household absent such steps, we will provide an update to you through this Privacy Policy and in response to any such request at that time.
Information that you submit for the purpose of allowing us to verify your identity in furtherance of a consumer-related or household-related request pursuant to California law will only be used by us, and our service providers if any, for that purpose and no other. Except where we are required by law to maintain such information for record-keeping purposes, we will take steps to delete any new personal information collected for the purpose of verification as soon as practical after processing your request.

Please also be aware that making any such request does not ensure complete or comprehensive removal or deletion of Personal Information or content you may have posted, and there may be circumstances in which the law does not require or allow us to fulfill your request, including, for example, where fulfilling your request may infringe upon the rights and freedoms of other consumers.

We reserve the right to charge a reasonable fee or take other appropriate action in response to requests from a consumer or household that are manifestly unfounded or excessive, in particular because of their repetitive character.

You may designate an authorized agent to make a request on your behalf pursuant to applicable law. We accept documentation of your designation in the form of a valid power of attorney and/or a notarized statement. You must submit evidence of your designation of an authorized agent in writing to: iRhythm Technologies, Inc., 699 8th Street, Suite 600, San Francisco, CA 94103. We may require verification of your authorized agent in addition to the information for verification above for consumers and households.

Children
Our Services are not directed to children, and we do not knowingly collect or sell Personal Information from children under the age of 16. If you learn that a child has provided us with Personal Information, then you may contact us as indicated above.

Do Not Track
iRhythm does not currently take steps to respond to browsers’ “Do Not Track” signals as no uniform standard to respond to such signals has been developed at this time.

 

Questions? Call 1-888-693-2401 (If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.)

Have a question?