JOURNI, Inc. PRIVACY NOTICE

We, at Journi, Inc. ("Journi"), know you value your privacy. That is why we are committed to the confidentiality and security of your personal information. We maintain physical, administrative and technical safeguards to protect against unauthorized access, use, or disclosure of your personal information, including information we share internally either orally, electronically, or in writing.

We will use and disclose your information consistent with this Privacy Policy, or if you give us express consent to use or disclose your data in other ways. If you have questions about this Privacy Policy, please contact help@journi.com. 

This policy applies specifically to Journi's use and disclosure of your data with regard to this mobile application (the "App") or any service Journi provides you including customer support through the App, the website, and telephone. By using the Journi App or any other Journi service, you acknowledge that we collect, use, share, and store information as described by this Privacy Policy. 

Information we collect 

User entered information

We need some information from you so that you can create an account with the App, such as your name, email address, password, and date of birth. If you contact Journi, we may need to ask you for additional information such as a phone number so that we may contact you. 

You can also manually enter certain types of data such as entering additional information about your care team and personal health history. You also have the ability to upload photos. We may also ask you to respond to a survey or fill out a form. 

Usage Data & Data that is Automatically Collected

We collect data on how you use the App and other Journi services. 

We may also collect information about you through automatic means such as cookies, pixels, web beacons, and other technologies as described in the Journi Terms of Use. 

Information from your employer

With respect to personal information that Journi collects when you participate through your employer, Journi will collect, use, share, store, or otherwise process your personal information (such as address and e-mail address) so that we may contact you about Journi services. 

Linking your health data

We collect your health plan group number, member ID number, and member prefix or other necessary credentials to authenticate you as a member of your health plan. 

If Journi is not acting as a business associate, as defined by the Health Insurance Portability and Accountability Act (HIPAA) to your health plan, and your health plan is integrated with Journi, you have the choice to link your health plan information. This is voluntary. If you wish to link your health plan, you will be asked to provide your authorization to allow your health plan to disclose your data to Journi. If you choose to sign the authorization allowing your health plan to send your data to Journi, once Journi receives your data, it is no longer governed by HIPAA and we will use and share your data in the ways described below and in the Journi Terms of Use. We regularly fetch and receive available data from your health plan and will continue to do so, until you choose to stop the collection of the data. To unlink your health plan from your Journi App, you may go to the App settings and choose to stop sharing data. When you stop sharing the data, you will not receive any new information from your health plan. The data already in the App will remain. 

If you are unsure whether Journi is acting as a HIPAA business associate to your health plan, you can find that information in the specific connected account under Settings, Health Accounts. 

If Journi is acting as a HIPAA business associate to your health plan, once you have been authenticated, your health plan information is automatically populated because Journi receives this information directly from your health plan. Journi will continue to receive information directly from your health plan until your health plan terminates its contract with Journi.

Third Party Information

Journi will use other sources of data, including purchased data, to enrich and inform your consumer healthcare journey. 

In addition, the Journi App may provide links to Third-Party Partner services. 

If you use Third-Party Partner services, you agree to let those parties share back to Journi your identifiable information that Third-Party Partner collected in accordance with its privacy statement and terms of service. This information may include utilization data, specific services you used, and any transcripts between you and other care professionals. 

Once you leave the Journi App, you are subject to the Third-Party Partner's terms of use, privacy policy, and any other disclosure the Third-Party Partner makes. We are not responsible for the content, security, or the privacy practices of Third-Party Partners. Review the privacy statement and any terms of use of each Third-Party Partner you visit. 

See the Journi Terms of Use for more information about Third-Party Partners' terms of use. 

Device Data: How this App accesses other data

The Journi App may request access to other device data or applications, such as your phone's camera, photos, or contacts; Journi will only access other device data or applications with your permission. 

With your permission, the App may connect to:

  • Camera or Photos in order for you to upload a photo of a bill or information to add to your care timeline
  • Location services in order to provide you with care resources near your location or ensure providers you interact with are licensed to practice in your location
  • Microphone in order to facilitate conversations with care partners
  • Health monitoring devices, contacts, or device data (device and application identifiers, cookies, etc.)

You can check your settings, including permissions set as default in your device's "Settings" function. If you have any questions about the privacy settings of your device, please contact the manufacturer or your mobile service provider for help.

How we use your information

Our App is used primarily to provide you with a clear picture of your care history and examine your health information to provide you with insights and suggestions to better manage your health.

We collect and use your identifiable data (data, such as your name, phone number, email, address, or health services and conditions that can be used on its own or with other information to identify you) to:

  • Provide the primary service of the App
  • Communicate with you, make recommendations, and to send you alerts and notifications
  • Facilitate your provider selection, provide you with cost estimates, and provide you with benefits information
  • Develop specific programs and materials that are relevant to you and communicate with you about those programs 
  • Support company operations (e.g., quality control, fraud detection, training)
  • Support and develop marketing and promotional materials, including but not limited to user stories. 
  • Develop and improve new and current products and services (e.g., analytics, build and test data science models, reporting)

As permitted by law and by Journi's agreements with its customers and Third-Party Partners, Journi, or any Journi subcontractor acting on Journi's behalf, may aggregate and/or de-identify your information.

How we share your information

We share your IDENTIFIABLE data to:

  • Provide the primary service of the App
  • Provide additional services you choose to use
  • Facilitate communications between you and your care team if you authorize us to do so 
  • Develop specific programs and materials that are relevant to you
  • Support company operations (e.g., quality control, fraud detection, training)
  • Develop and improve new and current products and services (e.g., analytics, build and test data science models, reporting)

If your Journi subscription is sponsored by your employer, we will not share your identifiable health information with your employer. If we are a business associate to your employer's group health plan, we will share identifiable information, including identifiable health information, with your plan sponsor as allowed under applicable law. 

We share your AGGREGATE and ANONYMIZED demographic, health, cost, utilization and engagement data with:

  • Employers
  • Third-Party Partners
  • Affiliated companies

Third parties receiving aggregate and de-identified data will be obligated by contract to protect the data they receive, will not have permission to re-identify it, and will not have permission to sell or share the data. 

User Stories

We also share user stories with employers, prospective customers, Third-Party Partners, and our affiliated companies. We also use stories in public advertising and marketing campaigns and on our website. While we remove your name and change some details in the stories, your story may be recognizable to those otherwise familiar with your story.

How you can share your information

The Journi App allows you to access and share the data we have about you. If you choose to share your data with other Journi users through the sharing feature, the recipient is able to make and add notes to your Care Timeline. When you stop sharing your information with another Journi user, the Care Timeline and any added notes in the App will no longer be seen by the person with whom you had shared your information. If you enabled the Bill Pay feature, if someone made a payment against your bill, you will continue to see that a payment was made. 

If you have concerns about the accuracy of your data, send questions to help@journi.com.

How we protect your information 

We maintain physical, administrative, and technical safeguards to protect against unauthorized access, use, or disclosure of your personal information, including information we share internally either orally, electronically, or in writing. 

We have security measures in place to protect against the loss and misuse or alteration of information under our control. These safeguards vary based on the sensitivity of the information that we collect, process, and store and the current state of technology. However, we cannot guarantee the confidentiality or security of electronic transmissions because they may potentially be lost or intercepted by anauthorized parties during transmission.

We store limited data on your device in order to improve app performance. We also store your data outside the device at our company or through Infrastructure Vendor, including cloud-based providers. 

We automatically encrypt your data in the Journi App. That means we use methods of converting an original message of regular text into encoded text in such a way that only authorized parties can read your data in the Journi App. We encrypt your data when stored on our company servers or with an outside cloud computing services provider and we encrypt your data while it is transmitted. 

We store limited data on your device in order to improve app performance. We also store your data outside the device at our company or through an Infrastructure Vendor, including cloud-based providers. 

Deactivating or Deleting Your Account 

You may ask Journi to delete the data you have consented to share with Journi (your claims data, health data, wearable device data, etc.) by contacting Customer Support. When you request Journi to delete your data, it will be deleted within 60 days after your request. 

If you previously chose to share your data with other Journi users or other Third-Party Partners, your request will not affect data shared before Journi received your request for data deletion. 

Journi will permanently retain the information used to create your account (name, email address, password, date of birth and phone number) and data collected as part of your interactions with Journi (for example when you gave or revoked permission to connect your health plan data).

California Citizen Rights

If you reside in California, you may have additional rights described below. 

Policy Changes: How we will notify you if our privacy policy changes

We reserve the right to change our privacy practices and this notice at any time without advance notice. We will notify you of any material changes to this policy and as required by law and give you an opportunity to review the revised policy before deciding if you would like to continue to use the App. 

Breach: How we will notify you and protect your data in case of an improper disclosure

Journi complies with all applicable laws regarding breaches. In the event of a breach (unauthorized disclosure that meets the definition of breach), we will contact you by using the information you provided to create your account. 

If Journi is acting as a business associate of your health plan, Journi will work directly with your health plan to notify you.

How to contact us

If your  personal information changes or you have questions about this policy, or about our use of your information, please contact us at help@journi.com or by writing Journi, PO Box 1271, Portland, OR 97207. 

Effective Date of Policy: April 1, 2021

California Citizen Rights

Individuals who reside in the state of California, a "consumer," as that term is defined under California law, have additional rights reserved under the California Consumer Privacy Act (CCPA) and the California Shine the Light law:

  • Right to Opt-Out. We do not sell personal information.
  • Right to Request Personal Information. As a consumer, you have the "right to know" and request that we disclose what personal information we collect, use, and disclose. See the instructions below for submitting a verifiable request, including through the online request form offered by us. You have the right to request that categories of personal information, as detailed under the CCPA, we have collected and store about you. In addition, you have the right to request categories of sources of personal information we collected about you, the business or commercial purpose for collecting, the categories of third parties with whom we share that personal information, and the specific pieces of personal information we have collected about you. Categories of personal information that we disclosed about you for a business purpose may also be requested, with the appropriate lists provided under the CCPA. Upon receipt of a verifiable consumer request, described below in this Privacy Statement/Notice, from you to access personal information, we will promptly take steps to disclose and deliver, free of charge to you, the personal information required by this section and within the timeframes permitted for responding to exercise of this or other applicable right(s). The information may be delivered by mail or electronically, dependent on portability and technical considerations under the CCPA. We may provide personal information to you at any time following a verified request, but shall not be required to provide personal information to you more than twice in a 12-month period. 
  • Right to Delete Personal Information. You have the right to delete personal information we, or our service providers, store about you. Please keep in mind our response to such a request, upon verification, may include an explanation of the business purpose under which we may retain your information (for example, we would need to retain copies of a business transaction for financial records) in accordance with the CCPA. 
  • Non-Discrimination. If you elect to exercise any right(s) under this section of our Privacy Statement, we will not discriminate or retaliate against you. 

If you are a California consumer and would like to submit a request based on this section of our Privacy Statement, please use this web form, email us a help@journi.com or by writing Journi, PO Box 1271, Portland, OR 97202, or call us toll-free at (877) 878-2273. Also, be sure to check this policy for updates as we will review it at least every 12 months and make updates as necessary.

Identity Verification Requirement

We are required by law to verify that any data access request submitted under the authority of the CCPA was made by someone with the legal right to access the personal information requested. Therefore, prior to accessing or divulging any information pursuant to a data subject access request, under the terms of the CCPA, we may request that you provide us with additional information in order for us to verify your identity, your request, and legal authority (ex: authorized representative). Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. Please indicate in your request if either of these apply, as additional verification may apply (ex. verify consumer's identity and confirm with impacted person(s) that the authorized agent has permission to submit the request.)

A verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. A verifiable request must also include sufficient detail that allows us to properly understand, evaluate, and respond to it. 

In general, our verification process includes reviewing the information submitted in the request, comparing it to the right(s) requested; the number of verification points/methods required by the CCPA; and the type, sensitivity, and risk of information requested, including to the consumer, from unauthorized disclosure or deletion. An account is not required with us in order to make a request. We will use personal information provided in a verifiable consumer request to verify the requestor's identity and authority to make the request, or otherwise as permitted by the CCPA (ex. record retention). We will respond to a verifiable consumer request within 45 days of receipt, and if we require more time (up to 90 total days), we will inform you of the reason of the extension in writing. A response to a consumer request will be provided as required by the CCPA, such as through an account (if one exists), or otherwise by mail or electronically.

Access Request Responses

Under the CCPA, there may be certain circumstances where we would deny your request to access, receive, or delete personal information we hold. For example, we would deny requests where any such access or disclosure would interfere with our regulatory or legal obligations, where we cannot verify your identity, and/or where exemptions/exceptions permitted by the CCPA apply. We also have the ability under the CCPA to deny requests if it would result in our disproportionate cost or effort. Further, certain rights granted by the CCPA will not be effective until January 1, 2021. However, even where we will not substantively complete a request made under the CCPA, we will still provide a response and explanation to your request within a reasonable time frame as required by law. 

Disclosure of Categories

As defined by the CCPA, categories of personal information collected from consumers by us within the past 12 months include: 

Categories Examples Collected (Yes or No)
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. Yes 
B. Personal information categories listed in the California Customer Records statue (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. Yes
C. Protected classification characteristics under California or federal law Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). Yes
D. Commercial information Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.  No
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, face prints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. No
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.  Yes
G. Geolocation data. Physical location or movements. Yes
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. No
I. Professional or employment-related information. Current or past job history or performance evaluations. No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 24 C.F.R. Part 99)). Education records directly related to a student maintained by an educational  institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. No
K. Inferences drawn from other personal information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.  Yes


Personal information may also be collected in the course of a natural person acting as a current or former job applicant, employee, director, officer, or contractor within the context of that natural person's role. Additional information collected may include emergency contact and information to administer benefits, including to another person. 

"Personal information" does not include publicly available information, meaning information that is lawfully made available from federal, state, or local government records. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. "Personal information" also does not include consumer information that is deidentified or aggregate consumer information. This Notice addresses online and offline practices by us. Information excluded from the CCPA's scope includes health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Other information excluded includes those covered by the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach Billey Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994. 

Personal information is collected and may be used to provide the services to you, to perform obligations under agreements, to provide information and notifications to you or an authorized representative, to protect the rights and safety of you and/or others, to comply with court and other legal requirements, for business purposes and as otherwise set forth in the CCPA, to conduct organizational and operational needs, and as otherwise described when collecting personal information or within this page. A request for personal information collected and/or deletion, noted above, may involve categories and/or specific pieces of information. However, certain exemptions may apply in responding to a request. 

We have not sold categories of personal information within the meaning of the CCPA, including minors under 16 years of age. 

Categories of personal information from our consumers disclosed for a business purpose within the past 12 months include: 

(A) Identifiers such as real name, alias, postal address, unique identifiers, online identifiers, internet protocol address, email address, account name, social security number, driver's license number, passport number or similiar identifiers;

(B) Categories of personal information as described in California Civil Code 1798.80(e);

(C) Characteristics of protected classifications under California or federal law;

(F) Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;

(G) Geolocation data;

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Business purposes may include auditing (ex. auditing and legal/regulatory compliance), security (ex. detecting security breaches), debugging (ex. identifying and fixing technical errors), short-term uses (ex. ad customization), performing services (ex. processing transactions), internal research (ex. product development), and testing/improvement (ex. improvement of technology). 

Categories of sources from which personal information was directly and indirectly collected in the past 12 months include from you and/or authorized agents (ex. documents provided to us related to the services for which you/they engage us, and information we collect in the course of providing services to you/them); interaction with our platforms and services (ex. website portal); and third parties (ex. those that provide services such as purchased information, advertising networks, internet service providers, operating systems and platforms, social networks, and data brokers). This could include information obtained on websites and services from third parties that interact with us in connection with the services we perform or are linked to. 

Categories of third parties with whom the business shared personal information in the past 12 months include authorized agents, affiliates, service providers (such as those described previously), contractors, and authorized third parties. 

Contact Us

To make requests please contact us at help@journi.com with "CCPA Personal Information Request" in the subject line, and provide us with full details in relation to your request, including your contact information, the specific name of this business, and any other detail you feel is relevant. You can also use the other contact methods mentioned previously. If you are from another area (ex. state) and believe you are entitled to exercise applicable right(s), please use the email address and/or phone number given and include relevant details. If you have questions or concerns about our privacy policies and practices, you can use the contact methods mentioned above (ex. telephone, email) in this Notice to contact us. 

Last Updated: June 29, 2020