This privacy policy (“Policy”) covers the information you share with us and/or which may be acquired or produced by athenahealth, Inc., its subsidiaries and its affiliates including, but not limited to, VVC Holding Corp. and Epocrates, LLC, (collectively, “athenahealth”, “we”, or “us”) during the application or recruitment process, including:

• What information we collect during our application and recruitment process and why we collect it; and
• How we use that information.

This athenahealth Policy applies to athenahealth’s websites that link to this Policy but does not apply to those athenahealth websites that have their own Privacy Statement or Policy.

• Your name, address, email address, telephone number and other contact information;
• Your resume or CV, cover letter, previous and/or relevant work experience or other experience, education, transcripts, or other information you provide to us in support of an application and/or the application and recruitment process;
• Information from interviews and phone-screenings you may have, if any;
• Details of the type of employment you are or may be looking for, current and/or desired salary and other terms relating to compensation and benefits packages, willingness to relocate, or other job preferences;
• Details of how you heard about the position you are applying for which may include the name and information related to an individual who referred you to the application or recruitment tool for athenahealth;
• Any sensitive and/or demographic information obtained during the application or recruitment process such as gender, information about your citizenship and/or nationality, medical or health information, eligibility to work in the country of hire, and/or your racial or ethnic origin;
• Reference information and/or information received from background checks (where applicable), including information provided by third parties;
• Information relating to any previous applications you may have made to athenahealth and/or any previous employment history with athenahealth;
• Information about your educational and professional background from publicly available sources, including online, that we believe is relevant to your application or a potential future application (e.g. your LinkedIn profile);
• Information related to any assessment you may take as part of the interview screening process;
• Information related to the expenses (as applicable) incurred during the interview process which may include transportation, hotel and incidental costs;
• Your social security number, date of birth, Permanent Account Number (PAN) and/or ADDHAR number, as applicable; and/or  Any other information you provide to us.

• Your information will be used by athenahealth for the purposes of carrying out its application and recruitment process which includes:
• Assessing your skills, qualifications and interests against our career opportunities;
• Verifying your information and carrying out reference checks and/or conducting background checks (where applicable) if you are offered a job;
• Communicating with you about the recruitment process and/or your application(s), including, in appropriate cases, informing you of other potential career opportunities at athenahealth;
• Proactively conducting research about your educational and professional background and skills and contacting you if we think you would be suitable for a role with us.
• Where requested by you and only as applicable, assisting you with obtaining an immigration visa or work permit where required; and/or
• Making improvements to athenahealth’s application and/or recruitment process including improving diversity in recruitment practices.
   

We may also use your information, where applicable, to:

• Improve our application or recruitment process, in order to ensure we recruit the best possible candidates;

• Create and/or submit reports as required under any local laws and/or regulations;
• Comply with applicable laws, regulations, legal processes or governmental requests; and/or
• Detect, prevent or otherwise address fraud, security or technical issues, or to protect against harm to the rights, property or safety of athenahealth, our users, applicants, candidates, employees or the public or as otherwise required by law.

If you are offered and accept employment with athenahealth, the some of the information collected during the application and recruitment process will become part of your employment record, including, but not limited to, your resume (or similar output provided), text of the job description for the role you were hired into, background check information including the authorization and report, offer letter and your employee agreement.

• Your information may be shared with our affiliates, subsidiaries or joint ventures in the US and in other jurisdictions, in relation to the purposes described above.
• If you have been referred for a job at athenahealth by a current athenahealth employee, with your consent, we may inform that employee about the progress of your application and let the athenahealth employee know the outcome of the process. In some cases, if it is identified that you have attended the same university/school or shared the same previous employer during the same period as a current athenahealth employee we may consult with that employee for feedback on you.
• athenahealth may also use service providers acting on athenahealth’s behalf to perform some of the services described above (for example services providers who perform verification / background checks). These service providers may be located outside the country in which you live or the country where the position you have applied for is located;
• athenahealth may sometimes be required to disclose your information to external third parties such as to local labor authorities, courts and tribunals, regulatory bodies and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process;
• We will also share your personal information with other third parties if we have your consent (for example if you have given us permission to contact your references);
• It is your responsibility to obtain consent from references before providing their personal or contact information to athenahealth;
• An actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger, or acquisition of all or any part of our business.

While we maintain your information, we protect it using administrative, physical, and technical security safeguards designed to protect your information. When we collect certain sensitive information, we encrypt the transmission of that information using secure socket layer technology (SSL). Despite these measures, we cannot guarantee the security of the information we maintain about you.

We retain information for different periods of time depending on the purposes for which we collect and use it, as described in this Policy. We will not retain information for longer than needed to fulfill these purposes unless a longer retention period is required to comply with legal obligations. Also, there may be technical or other operational reasons where we are unable to delete or de-identify your information. Where this is the case, we will take reasonable measures to prevent further processing your information.

athenahealth operates globally, which means your information may be stored and processed outside of the country or region where it was originally collected including in the United States. In some of these countries, you may have fewer rights with respect to, your information than you do in your country of residence. By submitting your information to us, you consent to the processing, storage, transfer of your personal information by athenahealth in and to the United States.

If you do not want us to retain your information for consideration for other roles, or want us to update it, please contact askhr@athenahealth.com. Please note, however, that we may retain some information to comply with a legal obligation or for purposes connected to legal claims.

Below, please find the categories of personal information we may have collected about you in the last twelve months, the purposes for the collection, and the third parties with whom your personal information may have been disclosed. Applicant personal information is not sold to third parties. For more information regarding the specific types of personal information, the purpose for collection, and why your personal information may have been disclosed to third parties, please see Sections II-IV.

If you are a California resident, you may have the following rights with respect to the personal information we process about you:

• To request information about the categories of personal information we have collected about you, the categories of sources from which we collected the personal information, the purposes for collecting or sharing the personal information, the categories of third parties with whom we have shared or sold your personal information, and the specific pieces of personal information we have collected about you.
• To request that we delete personal information that we have collected from you.
• To request that we correct inaccurate personal information that we maintain about you.
• To opt out of the sale or sharing of your personal information
   

California residents may exercise the above rights by:

• Submitting a request at www.athenahealth.com/consumer-privacy-request
• Calling our toll-free number at 888-807-2076

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We may require you to use your email address in order to perform such verification. We will consider all requests and provide our response within the time period required by applicable law. Please note, however, that certain information may be exempt from such requests. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process.

You may only make a consumer request for access or data portability twice within a 12-month period. We will not discriminate against you for exercising any of your rights.

Response Timing and Format

We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We reserve the right to amend this Policy at our discretion and at any time. When we make changes to this Policy, we will post the updated Policy and update the Policy’s effective date.

Effective date: December 29, 2022.