Quantum Health California Privacy Policy
Last Updated on: 7/10/2026
This California Privacy Policy describes how Quantum Health and its subsidiaries, affiliates, and related entities (including but not limited to Embold Health, Inc. and Cirrus M.D.) (collectively, “Quantum Health,” “we,” or “us”) collect and process personal information about individuals who reside in California. The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and their implementing regulations (collectively referred to as “CCPA”) requires us to provide our California consumers with a privacy policy that contains a comprehensive description of our online and offline practices regarding our collection, use, sale, sharing, and retention of their personal information, along with a description of the rights they have regarding their personal information. This California Privacy Policy provides the information the CCPA requires, together with other useful information regarding our collection and use of personal information. Any terms defined in the CCPA have the same meaning when used in this policy.
This California Privacy Policy does not apply to our collection and use of personal information in an employment capacity. Employees, job applicants, contractors, interns, or other workers seeking more information our employment-related personal information policies and practices should see our employee privacy policy entitled Quantum Health, Inc. Privacy Policy and Notice of Collection of Personal Information of California Employees and Applicants Under the California Consumer Privacy Rights Act (CPRA) [insert QH California Employee and Job Applicant link here] and which is posted on Quantum Health’s employee intranet/[other location].
This California Privacy Policy does not apply to our collection and use of personal information from residents outside of California. Consumers residing in other locations should see, as applicable, our Quantum Health Corporate Website Privacy Policy at https://www.quantum-health.com; the Quantum Health Member Website Privacy Policy; the Embold Health Website Privacy Policy at https://emboldhealth.com; or the Cirrus M.D. Website Privacy Policy at https://www.cirrusmd.com.
If Quantum Health collects personal information from and about you pursuant to your use of Quantum Health services as a member of a health plan or employee benefits plan contracted with Quantum Health, or as a patient of a health system contracted with Quantum Health, much of the personal information Quantum Health collects from and about you is considered Protected Health Information (“PHI”) that is protected by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This California Privacy Policy does not apply to such information.
I. Notice at Collection
This Notice at Collection (“Notice”) is to inform you that Quantum Health is collecting information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”).
Information about the categories of personal information we have collected within the last twelve (12) months, including the business purposes for which we collect the information, is set forth in the tables below. Of note, Quantum Health does not share or sell personal information or sensitive personal information.
Category | Examples | Collected | Purpose |
|---|---|---|---|
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Yes |
|
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, membership in professional organizations, professional licenses and certifications, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Yes |
|
C. Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, reproductive health decision-making, military and veteran status, or genetic information (including familial genetic information). | No | N/A |
D. Commercial information. | Records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes |
|
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | No. | N/A |
F. Internet or other similar network activity. | Activity on our websites, mobile apps, or other digital systems, such as internet browsing history, search history, system usage, electronic communications with us, postings on our social media sites. | Yes |
|
G. Geolocation data. | Physical location or movements, such as your zip code, the time and physical location related to use of our internet website or mobile application, or other information about your location or locations you visited. | Yes |
|
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information[, including customer service call monitoring and store video surveillance. | No | N/A |
I. Professional or employment-related information. | Current or past job history or performance evaluations. | No. | N/A |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) ("FERPA Information"). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | No. | N/A |
K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | No | N/A |
Sensitive Personal Information Categories Chart
Sensitive personal information is a subtype of personal information consisting of the specific information categories listed in the chart below. Importantly, the CCPA only treats this information as sensitive personal information when we collect or use it to infer characteristics about a consumer.
The chart below identifies which sensitive personal information categories, if any, we have collected from consumers to infer characteristics about them in the last 12 months.
Sensitive Personal Information Category | Collected to Infer Characteristics? |
|---|---|
L.1. Government identifiers, such as your Social Security number (SSN), driver's license, state identification card, or passport number. | No. |
L.2. Complete account access credentials, such as usernames, account logins, account numbers, or card numbers combined with required access/security code or password. | No. |
L.3. Precise geolocation, such as GPS data from a consumer's mobile device that can provide its location in a geographic area, with an approximate radius of 1,850 feet. | No. |
L.4. Racial or ethnic origin. | No. |
L.5. Citizenship or immigration status. | No. |
L.6. Religious or philosophical beliefs. | No. |
L.7. Union membership. | No. |
L.8. Mail, email, or text messages not directed to the Company. | No. |
L.9. Genetic data. | No. |
L.10. Neural Data, such as information generated by measuring a consumer's central or peripheral nervous system's activity that is not inferred from nonneural information. | No. |
L.11. Unique identifying biometric information. | No. |
L.12. Health information. | No. |
L.13. Sex life or sexual orientation information. | No. |
L.14. Children's personal information (under age 16). | No. |
Business Purposes for Collection of Personal Information and Sensitive Personal Information.
Quantum Health collects personal information and sensitive personal information for the following business purposes:
· Auditing related to:
o counting ad impressions to unique visitors;
o verifying positioning and quality of ad impressions;
o compliance with the CCPA and other standards.
· Helping to ensure security and integrity (as defined at Cal. Civ. Code § 1798.140(ac)).
· Debugging.
· Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, if the consumer's personal information is not:
o disclosed to another third party; or
o used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.
· Performing services for the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing other similar services.
· Providing advertising and marketing services to the consumer (excluding cross-context behavioral advertising), if the service provider or contractor does not combine personal information from the business's opted-out consumers with personal information received from, or on behalf of, another person or persons or that it collected independently.[1]
· Undertaking internal research for technological development and demonstration.
· Verifying or maintaining quality or safety or improving or upgrading a service or device owned, manufactured, or controlled by or for the business.
Retention Periods.
Quantum Health retains personal information and sensitive personal information for as long as necessary to provide the services and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We determine retention periods using factors such as statutory limitation periods, contractual obligations, and operational needs. Because these needs can vary for different data types, the context of our interactions with you or your use of services, actual retention periods can vary significantly. We retain each category of personal information for no longer than reasonably necessary for the purposes disclosed.
If you have any questions about this Notice or need to access it in an alternative format due to having a disability, please contact privacy@quantum-health.com.
I. Sources of Personal Information
We obtain the categories of personal information listed above from the following categories of sources:
· Directly from you, such as from the forms or other information you provide to Quantum Health.
· Indirectly from you, such as from your interactions with the Company's websites, mobile applications, or customer service.
· From our customer health plans, employee benefits plans, and health systems.
· From our service providers, such as data analytics providers and IT vendors.
· Government databases.
· Inferences generated by the Company's or our service providers' computer systems.
II. How We Use Personal Information
We may use and disclose the personal information we collect to advance our business and commercial purposes, specifically to:
· Develop, offer, and provide you with our products and services.
· Meet our obligations and enforce our rights arising from any contracts with you/our customers, including for billing or collections, or to comply with legal requirements.
· Fulfill the purposes for which you provided your personal information or that were described to you at collection, and as the CCPA otherwise permits.
· Improve our products or services, marketing, or customer relationships and experiences.
· Notify you about changes to our products or services.
· Administer our systems and conduct internal operations, including for troubleshooting, data analysis, testing, research, statistical, and survey purposes.
· Enable your participation in our websites or mobile apps.
· Protect our Company, employees, or operations.
· Measure or understand the effectiveness of the advertising we serve to you and others, and to deliver relevant advertising to you.[2]
· Manage your consumer relationship with us, including for:
o online account creation, maintenance, and security; and
o reaching you, when needed, about your account.
· Perform data analytics and benchmarking.
· Administer and maintain our systems and operations, including for safety purposes.
· Comply with all applicable laws and regulations.
· Exercise or defend the legal rights of the Company and its employees and affiliates.
· Respond to law enforcement requests and as required by applicable law or court order.
With respect to the sensitive personal information (“SPI”) we collect, we may use or disclose sensitive personal information for the following statutorily approved reasons (Permitted SPI Purposes):
- Performing actions that are necessary for our consumer relationship and that an average consumer in a relationship with us would reasonably expect.
- Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
- Defending against and prosecuting those responsible for malicious, deceptive, fraudulent, or illegal actions directed at Quantum Health.
- Ensuring physical safety.
- Short-term, transient use, such as non-personalized advertising shown as part of your current interactions with us, where we do not:
o disclose the sensitive personal information to another third party; or
o use it to build a profile about you or otherwise alter your experience outside your current interaction with us.
- Services performed for Quantum Health, including maintaining or servicing accounts, processing or fulfilling transactions, verifying consumer information, processing payments, or providing financing, analytic services, storage, or similar services for Quantum Health.
- Activities required to:
o verify or maintain the quality or safety of a product, service, or device that we own, manufacture, had manufactured, or control; or
o improve, upgrade, or enhance the service or device that we own, manufacture, had manufactured, or controlled.
- Collecting or processing sensitive personal information that we do not use for the purpose of inferring characteristics about a consumer.
We do not use or disclose sensitive personal information for purposes other than the Permitted SPI Purposes.
Automated Decision-Making Technology (ADMT)
“ADMT” means technology that processes personal information and uses computation to replace or substantially replace human decision-making—for example, where a decision is made without human involvement using the technology’s output.
Quantum Health does not use ADMT to make decisions that produce legal or similarly significant effects about consumers. We therefore do not offer consumers the ability to opt out of the use of ADMT in the processing of consumer personal information.
Additional Categories or Other Purposes
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice. If required by law, we will also seek your consent before using your personal information for a new or unrelated purpose.
We may collect, process, and disclose aggregated or de-identified consumer information for any purpose, without restriction. When we collect, process, or disclose aggregated or deidentified consumer information, we will maintain and use it in deidentified form and will not to attempt to reidentify the information, except to determine whether our deidentification processes satisfies any applicable legal requirements.
III. Disclosing, Selling, or Sharing Personal Information
We may disclose personal information, including sensitive personal information, to a third party for a business purpose. We only make these disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.
[1] The Quantum Health Member Website does not provide any advertising or marketing services to its members who use the Quantum Health Member Website.
[2] The Quantum Health Member Website does not provide any advertising or marketing services to its members who use the Quantum Health Member Website.
Personal Information Category | Business Purpose Disclosures | Categories of Third Party Recipients |
|---|---|---|
Identifiers, such as name and contact information |
|
|
Personal information categories listed in California Customer records statute |
|
|
Commercial information |
|
|
Internet or other similar network activity |
|
|
Geolocation data |
|
|
Inferences drawn from other personal information |
|
|
Sensitive Personal Information Category | Business Purpose Disclosure | Categories of Third Party Recipients |
|---|---|---|
Precise Geolocation data |
|
|
Selling or Sharing Personal Information
We do not sell your personal information, including sensitive personal information, to third parties and have not sold it in the preceding 12 months. We do use cookies and other technologies on our public-facing websites for online advertising and analytics.[1] We may disclose certain online identifiers to our advertising partners and analytics providers. Disclosing these identifiers with third parties for advertising or analytics purposes may be defined as the “sale” or “sharing” of your data under the CCPA/CPRA. You may opt out of the sale of sharing of your data for marketing or analytics purposes. See Exercising the Right to Limit or Opt-Out, at paragraph VI(B) below.
I. Your Rights and Choices
If you are a California resident, the CCPA grants you the following rights regarding your personal information:
A. Right to Know and Data Portability Requests
You have the right to request that we disclose certain information to you about our collection and use of your personal information (the "right to know"), including the specific pieces of personal information we have collected about you (a "data portability request"). Our response will cover the 12-month period preceding the request, although we will honor requests to cover a longer period that do not extend past January 1, 2022, unless doing so would be impossible or involves disproportionate effort. You may exercise your right to know twice in any 12-month period. Once we receive your request and confirm your identity (see How to Exercise Your Rights, at paragraph VI below), we will disclose to you:
· The categories of:
o personal information we collected about you; and
o sources from which we collected your personal information.
· The business or commercial purpose for collecting your personal information and, if applicable, selling or sharing your personal information.
· If applicable, the categories of persons, including third parties, to whom we disclosed your personal information, including separate disclosures identifying the categories of your personal information that we:
o disclosed for a business purpose to each category of persons; and
o sold or shared to each category of third parties.
· When your right to know submission includes a data portability request, a copy of your personal information, subject to any permitted redactions.
For more on exercising this right, see Exercising the Rights to Know, Delete, or Correct, at paragraph VI(A) below.
B. Right to Delete and Right to Correct
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions and limitations (the "right to delete"). Once we receive your request and confirm your identity, we will delete your personal information from our systems unless an exception allows us to retain it. We will also notify our service providers, contractors, and any other recipients to take appropriate action.
You also have the right to request correction of personal information we maintain about you that you believe is inaccurate (the "right to correct"). We may require you to provide documentation, if needed, to confirm your identity and support your claim that the information is inaccurate. Unless an exception applies, we will correct personal information that our review determines is inaccurate and notify our service providers, contractors, and any other recipients to take appropriate action.
For more on exercising these rights, see Exercising the Rights to Know, Delete, or Correct, at paragraph VI(A) below.
C. Right to Limit Sensitive Personal Information Use and Disclosure to Permitted SPI Purposes
As we do not use or disclose sensitive personal information beyond the CCPA’s Permitted SPI Purposes, we do not currently provide this consumer right.
D. Personal Information Sales or Sharing Opt-Out and Opt-In Rights
We do not sell your personal information, including sensitive personal information, to third parties and have not sold it in the preceding 12 months. We do use cookies and other technologies on our public-facing websites for online advertising and analytics.[2] We may disclose certain online identifiers to our advertising partners and analytics providers. Disclosing these identifiers with third parties for advertising or analytics purposes may be defined as the “sale” or “sharing” of your data under the CCPA/CPRA. You may opt out of the sale of sharing of your data for marketing or analytics purposes. See Exercising the Right to Limit or Opt-Out, at paragraph VI(B) below.
E. ADMT Rights
We do not currently use ADMT to make significant decisions about consumers, so we do not provide ADMT access, opt-out, or appeal rights.
F. Right to Non-Discrimination
You have the right not to be discriminated or retaliated against for exercising any of your privacy rights under the CCPA.
II. How to Exercise Your Rights
In this section, we describe how you may exercise your CCPA rights.
A. Exercising the Rights to Know, Delete, or Correct
To exercise the right to know (including data portability), delete, or correct described above, please submit a verifiable request to us by either:
· Calling us at 1-800-257-2038
· Emailing us at privacy@quantum-health.com
Please describe your request with sufficient detail so we can properly understand, evaluate, and respond to it. You or your authorized agent may only submit a request to know, including for data portability, twice in a 12-month period.
B. Exercising the Right to Limit or Opt-Out
You can submit your request to limit or opt-out of personal information sharing through:
· Calling us at 1-800-257-2038
· Emailing us at privacy@quantum-health.com
You can also opt out by visiting our website with a legally recognized opt-out preference signal enabled, such as the Global Privacy Control. Please note that you may need to renew your opt-out choice if you visit the website with another device or browser, or if you clear your cookies. You may opt back in to personal information sharing at any time using the same link. If you opt-out of this type of “sharing” of your data, we will not deliver customized advertising to you. You may still see non-targeted advertising about our products and services.
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sharing. However, you may change your mind and opt back in to personal information sharing at any time by clicking “Your Privacy Choices” in the footer of our website.
C. Verification Process and Authorized Agents
Only you, or someone legally authorized to act on your behalf, may make a request to know, delete, or correct related to your personal information. If your minor child is our consumer, you may also make a verifiable request on their behalf. To designate an authorized agent, please email us at privacy@quantum-health.com. We may request specific information from you or your authorized representative to confirm your or their identity before we can process your right to know, delete, or correct your personal information.
We cannot respond to your request to know, delete, or correct if we cannot verify your identity or authority to make the request and confirm the personal information relating to you. We will only use personal information provided in the request to verify the requestor’s identity or authority to make the request.
You do not need to create an account with us to submit a request to know, correct, or delete.
For requests to limit or opt-out, we may ask for the information necessary to complete the request, which may include, for example, the consumer's name, email address, or account username.
D. Responding to Your Requests to Know, Delete, or Correct
We will confirm receipt of your request within ten business days. If you do not receive confirmation within the ten-day timeframe, please contact privacy@quantum-health.com.
We endeavor to substantively respond to a verifiable request within 45 days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. We will deliver our written response to your verified email address. Our substantive response will tell you whether or not we have complied with your request. If we cannot comply with your request in whole or in part, we will explain the reason, subject to any legal or regulatory restrictions. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, deleted, or made your personal information anonymous in compliance with our record retention policies and obligations.
Any disclosures we provide will cover information for the 12-month period preceding the request's receipt date. We will consider requests to provide a longer disclosure period that do not extend past January 1, 2022, unless providing the longer timeframe would be impossible or involves disproportionate effort.
For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
E. Response and Timing on Rights to Limit or Opt-Out
In response to your request to limit or opt-out, we will process your request, as soon as feasibly possible, but no later than 15 business days from the date we receive the request. You do not need to create an account with us to exercise your limitation and/or opt-out right[s]. We will only use personal information provided from your request to comply with the request.
We will also notify our service providers, contractors, and certain other downstream recipients of your request to limit or opt-out and instruct them to both:
· Comply with your request.
· Forward the request to their own downstream recipients, if applicable.
We may deny opt-out requests if we have a good-faith, reasonable, and documented belief that the request is fraudulent and will clearly explain our denial decision to the requestor.
Once you make a request to limit and/or opt-out, we will wait at least 12 months before asking you to reauthorize the use or disclosure of your sensitive personal information for purposes other than the Permitted SPI Purposes or personal information sales or sharing. However, you may change your mind and opt back in at any time by clicking the cookie icon on the bottom right side of the Platforms and switching the “Do Not Sell or Share My Personal Information” toggle to the left and clicking save.
III. Privacy Policy Changes
We reserve the right to update this California Privacy Policy at any time, as we continue to develop our compliance program in response to legal developments of the CCPA. If we make any material changes to this California Privacy Policy, we will update the policy’s effective date and post the updated policy on our website.
IV. Contact Information
If you have any questions or comments about this policy, the ways in which we collect and use your information described here, or your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Phone: 1-800-257-2038
Email: privacy@quantum-health.com
If you need to access this California Privacy Policy in an alternative format due to a disability, please contact privacy@quantum-health.com.
[1] The Quantum Health Member Website does not share your personal information with third parties for cross-context behavioral advertising purposes.
[2] The Quantum Health Member Website does not share your personal information with third parties for cross-context behavioral advertising purposes.