This Privacy Policy describes how Springside Infusion, Inc. (the “Business,” “Company,” “we,” or “us”) collects and processes personal data about our consumers who reside in Maryland. The Maryland Online Data Privacy Act of 2024 (“MODPA”) requires us to provide our Maryland consumers with a privacy policy that contains a transparent description of our practices regarding our collection, use, disclosure, sale, sharing, of their personal data, along with a description of the rights they have regarding their personal data. This Privacy Policy provides the information the MODPA requires, together with other useful information regarding our collection and use of personal data. Any terms defined in the MODPA have the same meaning when used in this policy. This Privacy Policy does not apply to any protected health information (“PHI”) regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any information derived from exempt health information and de-identified using the HIPAA Privacy Rule’s de-identification standards and approved methodologies. This Privacy Policy also does not apply to any data processed or maintained about an applicant, employee, agent, or independent contractor when collected and used within the context of the person’s role.

Collection of Information

We collect and use data linked to or reasonably linked to an identified or identifiable consumer (“personal data”). Personal data does not include:

• Publicly available information, including information that a person (i) lawfully obtains from government entity records or (ii) reasonably believes a consumer or widely distributed media has lawfully made available to the general public, or (iii) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information. 
• Deidentified data.

Sensitive Personal Data

Sensitive personal data is a subtype of personal data. Sensitive personal data is defined as:

• Personal Data Revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - Consumer health data (personal data a controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment or reproductive or sexual health care)
  - Sex life, sexual orientation, or transgender or nonbinary status
  - National origin
  - Citizenship or immigration status
• Genetic or biometric data 
• Personal data of a consumer that the controller knows or should know is a child. The MODPA defines the term “child” with the federal Children’s Online Privacy Protection Act (COPPA) definition, namely, as an individual under 13 years of age
  
• Precise geolocation data
  

Other Categories of Personal Data

Depending on how you interact with us, we may collect and process the following categories of personal data: identifiers and contact information (such as name, postal address, email address, and phone number); customer records information (such as billing and payment-related information); commercial information (such as products or services purchased, obtained, or considered); internet or other electronic network activity information (such as device information, log data, and browsing activity on our website); approximate location information (and, if you provide permission, precise geolocation data); and inferences drawn from personal data to create a profile about preferences and interests. We may also process sensitive personal data as described above.Content on the Website is provided for general informational purposes only and does not constitute medical advice, diagnosis, or treatment and is not a substitute for professional medical advice from your physician or other qualified health care provider. DO NOT USE THE WEBSITE FOR MEDICAL EMERGENCIES; IF YOU BELIEVE YOU MAY HAVE A MEDICAL EMERGENCY, CALL 911 IMMEDIATELY. DO NOT DISREGARD OR DELAY SEEKING PROFESSIONAL MEDICAL ADVICE BECAUSE OF INFORMATION YOU READ ON THE WEBSITE.

Sources of Personal Data

We obtain the categories of personal data listed above from the following categories of sources:

• Directly from you, such as from the forms or other information you provide to the Company.
• Indirectly from you, such as from your interactions with the Company's websites, mobile applications, or social media platforms.
• From our service providers, such as customer service support providers, payment processing providers, data analytics providers, data brokers, and advertising networks.
  
• From other technologies that help us improve our services to deliver a better and more personalized experience. These technologies can include cookies and web beacons. A cookie is a small file placed on your device when you interact with the website. You may refuse to accept or disable cookies by activating the appropriate setting on your browser or device. However, if you select this setting, you may be unable to access certain features of the website. The website may contain a small electronic file known as a web beacon that permits us, for example, to count users who have opened the website and for other related statistics. 
  

Third Parties

If you make a purchase, pay an invoice, or otherwise submit payment information through our Services, your payment may be processed by one or more third-party payment processors (for example, credit card networks and payment processing vendors). When you provide payment information, you are providing it directly to the payment processor and/or through a payment interface operated by the payment processor. The payment processor may collect and process personal data such as your name, billing address, payment card information, bank account information, transaction details, device identifiers, and fraud-prevention signals.We do not control, and are not responsible for, the payment processor’s privacy, security, or data handling practices. The payment processor’s collection, use, disclosure, retention, and protection of your personal data are governed by its own privacy policy and terms. We encourage you to review the applicable payment processor’s privacy policy before submitting payment information.

How We Use Personal Data

Our Obligations

If you make a purchase, pay an invoice, or otherwise submit payment information through our Services, your payment may be processed by one or more third-party payment processors (for example, credit card networks and payment processing vendors). When you provide payment information, you are providing it directly to the payment processor and/or through a payment interface operated by the payment processor. The payment processor may collect and process personal data such as your name, billing address, payment card information, bank account information, transaction details, device identifiers, and fraud-prevention signals.We do not control, and are not responsible for, the payment processor’s privacy, security, or data handling practices. The payment processor’s collection, use, disclosure, retention, and protection of your personal data are governed by its own privacy policy and terms. We encourage you to review the applicable payment processor’s privacy policy before submitting payment information.

Personal Data Collection, Use, and Disclosure Purposes

We retain personal data for as long as reasonably necessary and proportionate to achieve the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law (for example, to comply with legal obligations, resolve disputes, enforce agreements, or for security and fraud-prevention purposes). We consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorized use or disclosure; the purposes for which we process the data; and whether we can achieve those purposes through other means.

We may use and disclose the personal data we collect for the purposes described below:

• Develop, offer, and provide you with our products and services.
• Meet our obligations and enforce our rights arising from any contracts with you, including for billing or collections, or to comply with legal requirements.
• Fulfill the purposes for which you provided your personal data or that were described to you at collection, and as applicable law otherwise permits.
• Improve our products or services, marketing, or customer relationships and experiences.
• Notify you about changes to our products or services.
• Administer our systems and conduct internal operations, including for troubleshooting, data analysis, testing, research, statistical, and survey purposes.
• Protect our Company, employees, or operations.
• Measure or understand the effectiveness of the advertising we serve to you and others, and to deliver relevant advertising to you, including targeted advertising where permitted by law and subject to your opt-out rights.
• Make suggestions and recommendations to you and other consumers about our goods or services that may interest you or them, including developing profiles.
• Manage your consumer relationship with us, including for reaching out to you, when needed, about our services. 
• Perform data analytics and benchmarking.
• Administer and maintain the Company's systems and operations, including for safety purposes.
• Engage in corporate transactions requiring review of consumer records, such as for evaluating potential Company mergers and acquisitions.
• Comply with all applicable laws and regulations.
• Exercise or defend the legal rights of the Company and its employees, affiliates, customers, contractors, and agents. 
• Respond to law enforcement requests and as required by applicable law or court order.

Sensitive Personal Data

We limit our sensitive data collection, processing, and sharing to what is strictly necessary to provide or maintain a specific product or service the consumer requested. We may not sell sensitive data. 

Additional Categories or other Purposes

We will not collect additional categories of personal data or use the personal data we collected for materially different, unrelated, or incompatible purposes without your consent.

We may collect, process, and disclose aggregated or deidentified consumer information for any purpose, without restriction. When we collect, process, or disclose aggregated or deidentified consumer information, we will maintain and use it in deidentified form and will not to attempt to reidentify the information, except to determine whether our deidentification processes satisfies any applicable legal requirements.

Disclosing, Selling, or Sharing Personal Data

We may disclose personal data to the following categories of third parties: (i) service providers and processors that perform services on our behalf (such as hosting, IT support, analytics, payment processing, customer support, security, and marketing vendors); (ii) professional advisors (such as lawyers, auditors, and insurers); (iii) affiliates and entities involved in corporate transactions (such as a merger, acquisition, financing, or sale of assets); (iv) advertising and marketing partners (including for targeted advertising, where permitted and subject to your opt-out rights); and (v) government entities, regulators, and law enforcement where required or permitted by law.

Business Purpose Disclosures

We may disclose the personal data we collect, including sensitive personal data, to third parties for the business purposes described in the Personal Data Collection, Use, and Disclosure Purposes section, such as to engage third parties and service providers to support our business functions. For example, we may disclose information from your visits to the Company’s website to a cybersecurity consultant to help secure the website. 

We only make these disclosures under written contracts that describe the purposes, require the recipient to keep the personal data confidential, and prohibit using the disclosed data for any purpose except performing the contract or as otherwise permitted by applicable law.

Selling Personal Data

We do not sell personal data.

Your Maryland Privacy Rights and Choices

If you are a Maryland resident, the MODPA grants you the following rights regarding your personal data, subject to certain exceptions: 

Right to Access and Data Portability

You have the right to access certain information about our collection and use of your personal data. Although exercising this right cannot require the controller to reveal a trade secret. This right to access includes the right to:All matters relating to the Website and these Terms of Service, and any dispute or claim arising therefrom or related thereto (in each case, including non-contractual disputes or claims), shall be governed by and construed in accordance with the internal laws of the State of Maryland without giving effect to any choice or conflict of law provision or rule (whether of the State of Maryland or any other jurisdiction).

• Confirm whether a controller processes the consumer’s personal data.
• Access the consumer’s personal data. 
• Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data and, where available, a list of the specific third parties to which the controller has disclosed the consumer’s personal data: 
  - The specific consumer’s personal data, if available; or 
  - Any consumer data, if the controller does not maintain the data in a format specific to the consumer. 

The MODPA provides consumers with a data portability right. Exercising this right cannot require the controller to reveal a trade secret. The right applies to personal data that the controller processes by automatic means. Controllers must provide the data in a format that is: 

• Portable
• Readily useable so that the consumer may transmit the data to another controller without hindrance, to the extent technically feasible. 

Right to Delete and Right to Correct

You have the right to request that we delete personal data provided by or obtained about the consumer, unless the law requires its retention (“Right to Delete”). Controllers may retain data as needed to meet the purposes listed in the MODPA’s general limitations section, such as to comply with other laws, cooperate with law enforcement perform certain internal operations, or conduct internal research to improve products or services. Once we receive your request and confirm your identity, we will delete your personal data from our systems unless an exception allows us to retain it.

You also have the right to request correction of personal data (“Right to Correct”). This correction right allows consumers to correct inaccuracies in their personal data, considering the personal data’s nature and the processing purposes. We may require you to provide documentation, if needed, to confirm your identity and support your claim that the data is inaccurate. Unless an exception applies, we will correct personal data that our review determines is inaccurate and notify our service providers to take appropriate action. 

Right to Opt Out of Targeted Advertising and Sales

You have the right to opt out of (1) personal data processing for targeting advertising purposes and (2) personal data sales.

A controller cannot process personal data for targeted advertising when the controller knows or should know the consumer is under age 18.

A controller cannot sell sensitive data or personal data of consumers it knows or should know is under 18 years old. 

Right to Opt Out of Targeted Advertising and Sales

When a business uses any profiling activity that furthers a solely automated decision producing legal or similarly significant effects, you may have the right to opt out. Profiling means automated personal data processing performed to evaluate, analyze, or predict personal aspects about an identified or identifiable consumer’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.  Decisions are significant when they result in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Advertising is not a significant decision.

We do not currently use ADMT to make significant decisions about consumers, so we do not provide ADMT access or opt-out rights.

Right to Non-Discrimination

You have the right not to be discriminated or retaliated against for exercising any of your privacy rights under the MODPA. We cannot deny a good or service, charge a different price or rate, or provide a different level of quality if you exercise your personal data rights, subject to several exceptions in the MODPA.

Additional Rights 

The MODPA provides you with specific protections for consumer health data, including the restriction on geofencing use around mental health, reproductive, or sexual health facilitates for certain purposes. You have the right to transparency from third parties who obtain your personal data. Third parties that use or share your information inconsistently with any promises made to you during the collection of such data must notify you before implementing the new or changed practice in a manner and time reasonably calculated to allow you to exercise your MODPA rights. 

How to Exercise Your Rights

Exercising the Rights to Access, Delete, or Correct

To exercise the rights described above, please submit a request to us by either:

• Calling us at 410-357-1125 or
• Emailing us at info@springsideinfusion.com.

Please describe your request with sufficient detail so we can properly understand, evaluate, and respond to it.

Exercising Opt Out of Personal Data Sales, Targeted Advertising, and Profiling

You can submit your opt out request by: (i) contacting us at info@springsideinfusion.com.

Verification Process and Authorized Agents

Only you, or someone legally authorized to act on your behalf, may make a request to access, delete, or correct related to your personal data.

We cannot respond to your request to access, delete, correct if we cannot verify your identity or authority to make the request and confirm the personal data relating to you. We will only use personal data provided in the request to verify the requestor's identity or authority to make the request.

For requests to limit or opt-out, we ask for the data necessary to complete the request, which may include, for example, the consumer's name, email address, or phone number.

Responding to Your Requests to Access, Delete, or Correct

We will confirm receipt of your request within ten business days. If you do not receive confirmation within the ten-day timeframe, please contact info@springsideinfusion.com.

We endeavor to substantively respond to a verifiable request within 45 days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. We will deliver our written response to your email address. Our substantive response will tell you whether or not we have complied with your request. If we cannot comply with your request in whole or in part, we will explain the reason, subject to any legal or regulatory restrictions. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, deleted, or made your personal data anonymous in compliance with our record retention policies and obligations. 

Any disclosures we provide will cover the personal data we have processed about you, subject to applicable law and any permitted exceptions.

For data portability requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the data from one entity to another entity without hindrance.

If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, we may (i) charge you a reasonable fee to cover the administrative costs of complying with the request or (ii) decline to act on the request.

Response and Timing on Rights to Opt Out

In response to your request to opt out, we will process your request, as soon as feasibly possible, but no later than 15 business days from the date we receive the request. We will only use personal data provided from your request to comply with the request.We may deny opt-out requests if we have a good-faith, reasonable, and documented belief that the request is fraudulent and will clearly explain our denial decision to the requestor.

Once you make a request to opt-out, we will wait at least 12 months before asking you to reauthorize the use or disclosure of your personal data. However, you may change your mind and opt back in at any time.

Appeals

If we refuse to take action on your request, you may appeal our decision. Your appeal must be submitted within a reasonable time after you receive our decision, and in any event no later than 60 days after the date of our decision notice.

You may submit an appeal by emailing us at info@springsideinfusion.com with the subject line “MODPA Appeal,” or by calling us at 410-357-1125 and stating that you are submitting an appeal. Please include your name, the email address or other identifier you used when submitting your original request, the date of our decision, and the reasons you believe our decision was incorrect.

We will acknowledge receipt of your appeal and will respond in writing within 60 days after receiving your appeal. Our response will explain the outcome of the appeal and the reasons for our decision. If we deny your appeal, our response will also include information on how you may submit a complaint to the Maryland Office of the Attorney General.

How We Protect Your Personal Data

We use commercially reasonable administrative, physical, and technical measures designed to protect your personal data from accidental loss or destruction and from unauthorized access, use, alteration, and disclosure. However, no website, mobile application, system, electronic storage, or online service is completely secure, and we cannot guarantee the security of your personal data transmitted to, through, using, or in connection with the Services. In particular, email, texts, and chats sent to or from the Services may not be secure, and you should carefully decide what information and data you send to us through these communications channels. Any transmission of personal data is at your own risk. 

The safety and security of your data also depends on you. You are responsible for taking steps to protect your personal data against unauthorized use, disclosure, and access.

Privacy Policy Changes

We reserve the right to update this Privacy Policy at any time. If we make any material changes to this Privacy Policy, we will update the policy's effective date and post the updated policy on our website.

Contact Information

If you have any questions or comments about this policy, the ways in which we collect and use your data described here, your choices and rights regarding such use or wish to exercise your rights under Maryland law, please do not hesitate to contact us at:

‍Phone: (410) 357-1125
‍Website: https://springsideinfusion.com/
‍Email: info@springsideinfusion.com 
‍Postal Address: 647 Ridgely Ave, Suite 102, Annapolis, MD 21401

If you need to access this Privacy Policy in an alternative format due to a disability, please contact us at info@springsideinfusion.com or (410) 357-1125.