
Privacy Policy

Secure Draw Holdings Inc.
 

Effective Date: January 1, 2025
Last Updated: January 1, 2025

Introduction

Secure Draw Holdings Inc. ("we," "our," or "us") and our portfolio companies are committed to protecting the privacy and security of personal information and protected health information (PHI). As a healthcare-focused holding company, we understand the critical importance of maintaining the confidentiality, integrity, and availability of all information entrusted to us.


This Privacy Policy describes how Secure Draw Holdings Inc. and our portfolio companies—including Secure Draw Mobile, Secure Draw Medical Services Inc., Secure Draw Healthcare Facilities Inc., and Secure Draw Connect Inc.—collect, use, disclose, and safeguard information when you:

  • Visit our corporate website

  • Interact with our portfolio companies

  • Receive healthcare services from our subsidiaries

  • Engage with our business operations

Holding Company Structure and Liability Shield

Critical Legal Distinction: Secure Draw Holdings Inc. functions exclusively as a passive investment holding company. The holding company does not operate healthcare facilities, provide medical services, handle patient care, or directly process protected health information. All healthcare operations, patient relationships, clinical decisions, and associated legal liabilities remain solely with the individual licensed subsidiary entities.

Each portfolio company maintains its own:

  • Professional liability insurance and coverage

  • State healthcare licensing and regulatory compliance

  • HIPAA compliance and Notice of Privacy Practices

  • Medical malpractice and operational liability

  • Patient care standards and quality assurance


The holding company's role is strictly limited to strategic investment oversight, shared administrative services coordination, and corporate governance functions that do not involve direct patient care or clinical operations.

Data Minimization and Collection Principles

We collect only the minimum personal information necessary to fulfill stated business purposes and healthcare service delivery. Our data collection is guided by the principles of necessity, proportionality, and purpose limitation.


Personal Information
  • Contact Information: Name, address, phone number, email address

  • Identification Information: Date of birth, Social Security number, driver's license number (collected only when legally required)

  • Insurance Information: Insurance carrier, policy numbers, group numbers

  • Emergency Contacts: Names and contact information for emergency situations only

  • Billing Information: Payment methods, billing addresses, financial account information (limited to transaction processing)


Protected Health Information (PHI)

Our healthcare service portfolio companies may collect PHI solely for treatment, payment, and healthcare operations:
 

  • Medical History: Previous diagnoses, treatments, medications, allergies (treatment-relevant only)

  • Clinical Information: Test results, vital signs, physician notes, treatment plans

  • Appointment Information: Scheduling details, service locations, provider assignments

  • Insurance Claims: Claims processing information, prior authorizations, coverage determinations


Biometric Data Protections

When biometric identifiers are collected (fingerprints, voice prints, facial recognition), we:

  • Obtain explicit written consent before collection

  • Limit use to specific healthcare authentication purposes

  • Apply enhanced encryption and access controls

  • Provide clear opt-out mechanisms without service penalties

  • Retention Limitations: Biometric identifiers are retained for no longer than reasonably necessary for the stated purpose and deleted within 3 years of last interaction or immediately upon written request

  • California CCPA Compliance: Biometric data is considered sensitive personal information subject to enhanced protection and deletion rights
     

Website and Technology Information

  • Usage Data: IP address, browser type, device information, pages visited (anonymized when possible)

  • Cookies and Tracking: Session cookies, preference settings, analytics data (see Cookie Management section)

  • Communications: Email correspondence, customer service interactions, feedback

HIPAA Notice of Privacy Practices

Important: Each healthcare portfolio company maintains separate, comprehensive HIPAA Notice of Privacy Practices that govern the use and disclosure of protected health information for healthcare services. These notices are:


  • Available at each point of service

  • Posted on individual portfolio company websites

  • Provided to patients at first service encounter

  • Updated according to federal and state requirements


Patients receiving healthcare services should refer to the specific Notice of Privacy Practices for the portfolio company providing their care.

How We Collect Information

Direct Collection
  • Patient Registration: Information provided when enrolling for healthcare services

  • Website Forms: Contact forms, appointment requests, newsletter subscriptions

  • Phone Communications: Information provided during customer service calls (may be recorded for quality assurance with notice)

  • In-Person Interactions: Information collected at healthcare facilities

Automatic Collection
  • Website Analytics: Google Analytics and similar tools to understand site usage (anonymized data preferred)

  • Security Monitoring: System logs for cybersecurity and fraud prevention

  • Performance Monitoring: Service quality metrics and system performance data

Third-Party Sources
  • Healthcare Providers: Medical records transferred from referring physicians (with patient authorization)

  • Insurance Companies: Coverage verification and claims processing

  • Government Agencies: Regulatory compliance reporting and verification

How We Use Information

Healthcare Service Delivery
  • Provide mobile phlebotomy, medical services, and healthcare facility operations

  • Coordinate care between multiple providers and facilities

  • Schedule appointments and manage patient flow

  • Process laboratory results and diagnostic information

  • Communicate test results and follow-up care recommendations

Automated Decision-Making Disclosure

Some portfolio companies may use automated systems for:

  • Appointment scheduling optimization

  • Insurance coverage verification

  • Quality assurance monitoring

  • Fraud detection algorithms
     

Important: No automated systems are used for clinical diagnoses, treatment decisions, or patient care determinations without direct physician oversight.
 

Data Controller and Processor Roles


HIPAA Compliance Structure:

  • Covered Entities: Each portfolio company (Secure Draw Mobile, Secure Draw Medical Services Inc., Secure Draw Healthcare Facilities Inc., and Secure Draw Connect Inc.) operates as an independent HIPAA Covered Entity for its respective healthcare operations

  • Business Associate: Secure Draw Holdings Inc. serves as a Business Associate to portfolio companies solely for shared administrative services (finance, IT support, compliance monitoring) that do not involve direct patient care or clinical decisions
     

California Consumer Privacy Act (CCPA) Structure:

  • Businesses: Portfolio companies act as independent "businesses" under the CCPA (the role equivalent to a data controller under other privacy regimes) for all direct patient relationships. Note that protected health information already governed by HIPAA is exempt from the CCPA; the CCPA applies to the non-HIPAA personal information (for example website and marketing data) that these entities hold

  • Service Provider: Secure Draw Holdings Inc. functions as a Service Provider under the CCPA for corporate administrative functions only, with no independent use of personal information beyond contracted services

Data Processing Limitations:

  • Holding company access to personal information is limited to aggregated, de-identified data for portfolio management purposes

  • No direct patient data processing except as specifically required for contracted administrative services

  • All data processing agreements clearly define scope and limitations of holding company access

Enhanced Data Retention Schedules

Healthcare Information
  • Medical Records: 7 years post-final treatment or as required by state law (whichever is longer)

  • Laboratory Results: 7 years from date of testing

  • Billing Information: 7 years post-final payment or resolution of account

  • Insurance Information: 6 years post-coverage termination

  • HIPAA Accounting of Disclosures: 6 years from disclosure date


Business Information
  • Corporate Records: Per applicable corporate law requirements (typically 7 years)

  • Employee Information: 3 years post-employment termination

  • Website Analytics Data: Maximum 2 years, anonymized after 6 months

  • Vendor Contracts and Communications: 7 years post-contract termination

  • Audit and Compliance Records: 10 years from audit completion


Secure Deletion Procedures

We implement secure, verified deletion procedures including:

  • Multi-pass overwriting for magnetic storage media; for solid-state and flash storage, where overwriting cannot be guaranteed to reach every cell, the drive's built-in sanitize function or cryptographic erasure is used instead (consistent with NIST SP 800-88)

  • Certified destruction for physical media

  • Cryptographic erasure (destruction of the encryption keys) for encrypted data, which renders every copy of the ciphertext, including backups, unrecoverable

  • Documentation of deletion completion and verification
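The last two items above (cryptographic key destruction, and documenting that deletion completed) are easiest to see in code. The following Go program is an added example written for this page, not code from Secure Draw Holdings or any of its portfolio companies: each record is encrypted under its own AES-256-GCM data encryption key, "deletion" destroys only that key, and the returned receipt carries digests that can go in the deletion log without revealing key material. The in-memory Store, the record ids and the sample record are all assumptions of the example; a production deployment would hold the keys in a key management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("record not found")
var ErrErased = errors.New("record cryptographically erased: key destroyed")

// Store keeps ciphertext apart from per-record DEKs; the key map stands in for a real registry or HSM (assumed).
type Store struct {
	ciphertexts map[string][]byte // record id -> nonce || AES-GCM ciphertext
	keys        map[string][]byte // record id -> 256-bit data encryption key
}

// ErasureReceipt is what the deletion log retains: digests only, no key material.
type ErasureReceipt struct {
	RecordID, KeyFingerprint, CiphertextDigest string
}

func NewStore() *Store {
	return &Store{ciphertexts: map[string][]byte{}, keys: map[string][]byte{}}
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh DEK; the record id is bound in as associated data.
func (s *Store) Put(id string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.ciphertexts[id] = aead.Seal(nonce, nonce, plaintext, []byte(id))
	s.keys[id] = dek
	return nil
}

// Get decrypts a record, distinguishing "never existed" from "erased".
func (s *Store) Get(id string) ([]byte, error) {
	ct, ok := s.ciphertexts[id]
	if !ok {
		return nil, ErrNotFound
	}
	dek, ok := s.keys[id]
	if !ok {
		return nil, ErrErased
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], []byte(id))
}

// CryptoErase zeroises and drops the DEK, leaving the now-unrecoverable ciphertext in place.
func (s *Store) CryptoErase(id string) (ErasureReceipt, error) {
	ct, ok := s.ciphertexts[id]
	if !ok {
		return ErasureReceipt{}, ErrNotFound
	}
	dek, ok := s.keys[id]
	if !ok {
		return ErasureReceipt{}, ErrErased
	}
	keyFP, ctDigest := sha256.Sum256(dek), sha256.Sum256(ct)
	for i := range dek { // overwrite key bytes before dropping the reference
		dek[i] = 0
	}
	delete(s.keys, id)
	return ErasureReceipt{id, hex.EncodeToString(keyFP[:]), hex.EncodeToString(ctDigest[:])}, nil
}

func main() {
	s := NewStore()
	_ = s.Put("patient-001", []byte("allergy: penicillin")) // constructed sample, not real PHI
	receipt, _ := s.CryptoErase("patient-001")
	_, err := s.Get("patient-001")
	fmt.Printf("receipt: %+v\nafter erase: %v (%d ciphertext bytes remain)\n", receipt, err, len(s.ciphertexts["patient-001"]))
}
```

The point is that the ciphertext never needs to be overwritten: once the key is gone, copies on backups or on flash cells that a multi-pass wipe cannot reach are equally unrecoverable, which is why NIST SP 800-88 treats cryptographic erasure as the practical sanitization method for solid-state media. The receipt is the artifact an auditor asks for; it records which key was destroyed and which ciphertext it covered without retaining either.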

Information Sharing and Disclosure

Business Transactions - Restricted Scope

Information may be transferred only in connection with:
 

  • Planned mergers or acquisitions where Secure Draw Holdings maintains control of the transaction process and user notification procedures

  • Strategic asset sales involving specific portfolio companies with 30-day advance notice to affected individuals

  • Succession planning for business continuity purposes

  • Due diligence activities with potential investors or partners under comprehensive confidentiality agreements
     

Excluded: Hostile takeovers, distressed asset sales, or transactions where user data protection cannot be guaranteed.
 

Acquisition Integration Protections: Target companies must demonstrate equivalent privacy and security standards before any data integration occurs.
 

Enhanced Vendor Oversight

All service providers handling personal information must:
 

  • Execute comprehensive Business Associate Agreements (BAAs) for PHI

  • Undergo annual third-party security assessments

  • Provide audit rights and compliance monitoring access

  • Notify us of security incidents within 24 hours

  • Agree to geographic data processing restrictions

  • Maintain equivalent privacy and security standards

Tiered Data Breach Response

Level 1 - Minor Security Incidents

  • Scope: No unauthorized access to personal information

  • Response: Internal notification and system hardening

  • Timeline: 24-hour internal assessment

  • Notification: Internal teams only
     

Level 2 - Regulatory Reportable Breaches

  • Scope: Potential unauthorized access to personal information

  • Response: Immediate containment and investigation

  • Timeline: Breach notifications will comply with the most restrictive applicable timeline among HIPAA (without unreasonable delay and no later than 60 calendar days after discovery), California SB-24 (as applicable), state-specific requirements where services are provided, and any other applicable regulation

  • Notification: Affected individuals within the required regulatory timeframe for the applicable jurisdiction
     

Level 3 - High-Risk Breaches

  • Scope: Confirmed unauthorized access with identity theft risk

  • Response: Immediate public notification and credit monitoring services

  • Timeline: Immediate regulatory and law enforcement notification

  • Notification: Affected individuals within 24 hours
     

Breach Documentation

All security incidents are documented with:

  • Detailed timeline of events and response actions

  • Assessment of information types and volume affected

  • Mitigation measures implemented

  • Lessons learned and system improvements made

Enhanced Privacy Rights and Procedures

Data Portability Rights

Upon request, we will provide personal information in commonly used, machine-readable formats including:

  • Medical Records: PDF and HL7 FHIR standards

  • Personal Data: CSV or JSON format

  • Communications: Email archives in standard formats

  • Timeline: 30 days for fulfillment, no charge for first request annually
     

Consent Withdrawal Mechanisms

Users may withdraw consent through:

  • Online Portal: Immediate processing for non-essential communications

  • Written Request: Certified mail to Privacy Officer with 10-day processing

  • Phone Request: Verification required, 5-day processing timeline

  • In-Person: Immediate processing at any portfolio company location
     

Important: Consent withdrawal may limit or prevent certain healthcare services where information processing is necessary for treatment.
 

Enhanced Complaint Process

Internal Escalation:

  1. Initial Contact: Response within 5 business days

  2. Privacy Officer Review: Resolution within 15 business days

  3. Executive Review: Final internal appeal within 30 business days
     

External Options:

  • U.S. Department of Health and Human Services Office for Civil Rights

  • California Attorney General Privacy Enforcement Unit

  • Better Business Bureau healthcare division

Privacy Impact Assessments

New data processing activities undergo comprehensive Privacy Impact Assessments before implementation, including:
 

  • Risk Analysis: Identification of privacy risks and mitigation strategies

  • Legal Compliance Review: Verification of regulatory compliance

  • Stakeholder Input: Consideration of patient and user concerns

  • Quarterly Reviews: Ongoing assessment of existing processes

  • Documentation: Maintained records of all assessments and outcomes

International Data Transfer Restrictions

Protected Health Information Limitations: Protected Health Information is not transferred internationally except for:
 

  • Emergency medical care coordination with explicit patient consent

  • Required regulatory reporting to international health organizations

  • Patient-directed transfers for continued care while traveling abroad


Non-Healthcare Data Transfers: For corporate administrative data only, international transfers are protected through:
 

  • Standard Contractual Clauses (SCCs): For EU data protection compliance

  • Adequacy Decisions: Transfers only to countries with adequate protection

  • Certification Programs: Vendors certified under the EU-U.S. Data Privacy Framework (the successor to Privacy Shield)

  • Data Localization: Data maintained within the United States where possible

  • Encryption Requirements: All international transfers use end-to-end encryption
     

Patient Consent for International Transfers: All international transfers of healthcare data require explicit patient consent except for emergency medical situations where consent cannot be reasonably obtained.

Dispute Resolution and Legal Framework

Governing Law: This Privacy Policy and all related disputes shall be governed by the laws of the State of California, without regard to conflict of law principles.


Jurisdiction: Any legal proceedings must be brought in the state or federal courts located in Los Angeles County, California.


Binding Arbitration: Except where prohibited by law, disputes arising from this Privacy Policy shall be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. Each party bears its own costs and attorney fees unless otherwise awarded by the arbitrator.


Class Action Waiver: To the maximum extent permitted by law, you waive any right to participate in class action lawsuits or class-wide arbitration against Secure Draw Holdings Inc. or its portfolio companies.


Arbitration Exceptions: The following disputes are specifically excluded from arbitration requirements and may be pursued in court:
 

  • Individual claims under $10,000

  • Claims seeking injunctive or equitable relief

  • Medical malpractice and clinical care disputes

  • Healthcare regulatory matters and licensing issues

  • Situations where arbitration is prohibited by applicable healthcare licensing laws

  • Claims involving biometric data violations under state law

Limitation of Liability and Indemnification

Liability Cap: Except where prohibited by law, our total liability for any claims arising from this Privacy Policy or data processing activities shall not exceed the amount paid by you for services in the twelve (12) months preceding the claim.


Excluded Damages: We shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to lost profits, data loss, or business interruption.

 

Enhanced Professional Liability Shield: Secure Draw Holdings Inc. exercises no clinical oversight, makes no treatment decisions, maintains no direct patient relationships, and employs no healthcare providers. The holding company cannot be held liable for medical malpractice, clinical negligence, patient care decisions, or any healthcare services provided by licensed professionals within portfolio companies. All clinical liability remains solely with the individual licensed healthcare providers and the specific portfolio company employing them.


User Indemnification: By using our services, you agree to indemnify and hold harmless Secure Draw Holdings Inc. from claims arising from your policy violations, service misuse, false information, or third-party rights violations.

Employee Access Controls and Monitoring

Employee access to personal information is:

  • Role-Based: Limited to specific job functions and responsibilities

  • Regularly Reviewed: Quarterly access audits and immediate updates for role changes

  • Immediately Terminated: Automatic access revocation upon employment changes

  • Monitored: System logs track all data access with regular anomaly detection

  • Trained: Annual privacy and security training with competency verification

Emergency Contact Information and Incident Reporting

Privacy Incident Reporting: info@securedrawholdings.com
Subject Line: Please use "PRIVACY INCIDENT" or "BREACH REPORT" for urgent matters

Response Commitment: We monitor this email address continuously and will respond to privacy incidents within our committed timeframes based on severity and regulatory requirements.

Additional Contact Methods: As we establish and verify additional 24/7 contact capabilities, we will update this section with confirmed, monitored contact information.

Regulatory Reporting: This same email address serves as our primary contact for regulatory breach reporting and executive escalation of privacy matters.

Document Control and Legal Review

Legal Review Status: This Privacy Policy has been prepared with comprehensive legal protections pending final review by qualified healthcare privacy counsel.

Implementation Checklist:

  • Healthcare privacy attorney final review

  • State-specific compliance verification

  • Board resolution adopting policy

  • Employee training materials developed

  • Vendor contract updates completed

  • Portfolio company policy alignment verified


Document Version Control:

  • Version: 2.0 (Comprehensive Legal Enhancement)

  • Effective Date: January 1, 2025

  • Last Legal Review: [To be completed]

  • Next Scheduled Review: April 1, 2025

  • Emergency Review Triggers: Regulatory changes, security incidents, business structure changes


Acknowledgment and Acceptance

By accessing our website, receiving services from our portfolio companies, or engaging with our business operations, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and its terms. You further acknowledge understanding of our holding company structure and the separate legal obligations of our portfolio companies.


Mandatory Discontinuation: If you do not agree with any provision of this Privacy Policy, you must discontinue use of our services and website immediately and contact us to discuss data handling for any ongoing healthcare relationships.
