GDPR Notice
Scope and Applicability
This General Data Protection Regulation (GDPR) notice describes how Bonnie Doon HealthNet processes personal data in connection with its website and services. While Bonnie Doon HealthNet operates in the United States of America, we apply the GDPR to the extent we offer services to, or monitor the behavior of, individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland, and we align our practices with applicable U.S. federal and state privacy laws.
This notice supplements, and does not replace, any other privacy disclosures we may provide. If any provision conflicts with mandatory local law, the latter will prevail to the extent of the conflict.
Identity of the Controller
Controller: Bonnie Doon HealthNet
Owner: Tiffany Ravenshaw
Postal Address: 449 Broadway, Cambridge, MA 02138, United States
Email: [email protected]
Categories of Personal Data We Process
- Identification and contact data: name, email address, postal address, telephone number.
- Account and authentication data: usernames, credentials (hashed), role and preference settings.
- Communications and content: inquiries, feedback, survey responses, support tickets, and any information you voluntarily submit (which may include health-related information if you choose to provide it).
- Usage and device data: IP address, device identifiers, browser type, operating system, pages viewed, links clicked, referral URLs, timestamps, and approximate location derived from IP address.
- Cookies and similar technologies: identifiers, preferences, analytics information, and advertising-related identifiers where applicable.
- Transactional data: subscription status, payment method metadata (processed by payment providers; we do not store full payment card numbers).
Purposes and Legal Bases for Processing
- Service delivery and operations: to provide, maintain, and improve our website and services; Legal basis: performance of a contract and legitimate interests.
- Account management: to create and administer user accounts and preferences; Legal basis: performance of a contract and legitimate interests.
- Communications and support: to respond to inquiries, send administrative notices, and provide customer support; Legal basis: legitimate interests and, where applicable, consent.
- Research and analytics: to analyze usage, quality, and performance, and to develop new features; Legal basis: legitimate interests and, where required for non-essential cookies, consent.
- Personalization: to tailor content and user experience; Legal basis: legitimate interests and, where required, consent.
- Marketing: to send newsletters or promotional communications; Legal basis: consent and legitimate interests (for similar products/services to existing customers where permitted).
- Security and fraud prevention: to detect, prevent, and investigate security incidents or abuse; Legal basis: legitimate interests and legal obligation.
- Compliance: to comply with legal obligations, enforce terms, and protect rights; Legal basis: legal obligation and legitimate interests.
- Sensitive data: where you voluntarily provide health-related information in communications, we process it only as necessary to respond to your request and only with your explicit consent.
Cookies and Similar Technologies
We use essential cookies necessary for the website to function and, where permitted, analytics and preference cookies to improve our services. Non-essential cookies are used only with your consent where required by law. You can manage cookies via your browser settings and, where available, our on-site preferences tools. Disabling cookies may affect certain features.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this notice or as required by law. Typical retention periods include: account data for the life of the account and for a reasonable period thereafter; support communications for up to three years after resolution; analytic logs for up to twelve months; and transaction records as required by tax and accounting laws. We may anonymize data for statistical purposes.
Disclosures and Recipients
We disclose personal data to the following categories of recipients, strictly as necessary and subject to appropriate safeguards:
- Service providers and processors: hosting, cloud infrastructure, analytics, email delivery, customer support tools, and payment processors.
- Professional advisors: legal, compliance, and accounting advisors.
- Authorities: governmental, regulatory, or law enforcement authorities where required by applicable law or to protect rights, safety, and security.
- Business transfers: in connection with a merger, acquisition, or asset sale, subject to continued protection of personal data.
We do not sell personal information for monetary consideration. We may allow certain third parties to collect information via cookies and similar technologies for analytics and limited personalization; in some jurisdictions this may be considered “sharing” or “targeted advertising.” You may opt out of such processing as described below.
International Data Transfers
We process and store personal data in the United States. Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and UK-approved transfer mechanisms) and implement supplementary measures where necessary. Copies of relevant safeguards can be requested via [email protected].
Security Measures
We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, least-privilege practices, logging and monitoring, and secure development procedures. No security measure is infallible; we cannot guarantee absolute security. We assess and improve controls periodically.
Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights, subject to limitations under applicable law:
- Access: obtain confirmation of processing and a copy of your personal data.
- Rectification: correct inaccurate or incomplete personal data.
- Erasure: request deletion of personal data in certain circumstances.
- Restriction: request restriction of processing in certain circumstances.
- Portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Object: object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Withdraw consent: withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
- Complaint: lodge a complaint with a supervisory authority in your country of residence, place of work, or place of alleged infringement.
To exercise your rights, contact us at [email protected]. We may need to verify your identity and may ask for additional information to process your request. We will respond within the timelines required by law.
U.S. State Privacy Rights
Depending on your state of residence (e.g., California, Colorado, Connecticut, Utah, Virginia), you may have rights to access, correct, delete, obtain a copy of your personal information, and to opt out of sales, sharing for targeted advertising, or certain profiling. We honor browser-based opt-out signals where legally required, such as Global Privacy Control (GPC) for California residents. We do not sell personal information for monetary consideration. We may enable limited “sharing” or “targeted advertising” via cookies; you can opt out by adjusting cookie preferences in your browser and by contacting us at [email protected]. If we deny your request, you may appeal by replying to our decision, and we will explain our reasoning and further options.
Children’s Data
Our services are intended for individuals aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact [email protected] so we can take appropriate action.
Automated Decision-Making and Profiling
We do not engage in automated decision-making that produces legal or similarly significant effects. We may perform limited profiling for analytics and service personalization, based on consent where required.
Medical Information Disclaimer
Bonnie Doon HealthNet provides educational health information and does not offer medical diagnosis or treatment. We are not a HIPAA-covered entity or business associate. Do not submit protected health information. Always consult a licensed healthcare professional for medical advice.
How to Exercise Your Rights and Contact Us
To submit a privacy request, withdraw consent, object to processing (including targeted advertising), or raise a question, contact us at:
Email: [email protected]
Postal Address: Bonnie Doon HealthNet, Attn: Privacy, 449 Broadway, Cambridge, MA 02138, United States
Authorized agents (where permitted by law) may submit requests on behalf of consumers, subject to verification of the agent’s authority and the consumer’s identity.
Updates to This Notice
We may update this notice from time to time to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the “Last Updated” date below and, where appropriate, by providing additional notice.
Last Updated: August 25, 2025
Related Post
Type your Comment
Your E-mail Address is secured. Required Fields are marked (*)