California Employee Privacy Notice

Last Revised: July 1, 2023

This California Employee Privacy Policy (“Policy”) describes the personal information that we collect, the sources from which we collect it, how long we retain it, the purposes for which we use it, the limited circumstances under which we disclose personal information, and to whom we disclose it.

1. Categories of Personal Information Collected and Disclosed for a Business Purpose. The personal information that One Medical collects, or has collected, from candidates and employees in the 12 months prior to the effective date of this Policy falls into the following categories established by the California Consumer Privacy Act:

● Identifiers such as a real name, alias, postal address, unique personal identifier, i.e., cookies, online identifier, IP address, email address, social security number, driver’s license number, state identification number, passport number or similar identifiers;

● Account log-in information, financial account, debit card or credit card numbers, security or access codes, passwords, or credentials;

● Information that may reveal characteristics of protected classes, such as age, gender, race, sexual orientation, religious or philosophical beliefs, union membership, or other protected classifications;

● Internet, other electronic network information, including but not limited to information regarding use of One Medical’s equipment, systems and resources (e.g., browsing history), contents of mail, email, and text messages, other information you store on One Medical’s equipment or systems, information collected from security systems or other monitoring, building access records, and device and other asset numbers;

● Geolocation data, which may constitute precise geolocation data;

● Audio, electronic, visual information (e.g., photograph), or similar information;

● Professional or employment-related information;

● Education information; and

● Sex life or sexual orientation.

2. Categories of Third Parties to Which Your Personal Information Has Been Disclosed for Business Purposes. We may share your personal data with third parties, who may act as controllers in their own right, in other circumstances, including:

● HR services providers;

● Insurance organizations;

● One Medical affiliates;

● Governmental organizations or agencies, including law enforcement;

● External advisors (such as legal advisors, accountants); and

● Employee benefits providers.

3. Purpose for Collecting your Personal Information. We may use or disclose the personal information we collect for one or more of the following purposes:

● Workforce-related purposes:

● Administer compensation and expense reimbursements, including payroll, expense reimbursements, and to administer other compensation related payments, including bonuses and equity compensation.

● Administer employment benefits such as medical, dental, optical, commuter, leave, and retirement benefits, including recording and processing eligibility of dependents, absence and leave administration, and benefit account management.

● Track job performance, including performance reviews, feedback, promotions, relocations, and workforce re-structuring.

● Manage professional licenses and credentials relating to work responsibilities, ensuring compliance, education, training, examination and other requirements are met with applicable regulatory and oversight authorities.

● Provide professional development, including training, career planning, and skills development.

● Monitor your eligibility to work in the U.S.

● Conduct healthcare-related activities, including conducting pre-employment and employment-related medical screenings, return to work processes, and medical case management needs, determining medical suitability for particular tasks, operating sickness policies and procedures.

● Ensuring a safe and efficient working environment, including conducting workplace surveys, enforcing workplace policies, business code of conduct investigations, and disciplinary actions.

● Ensuring the privacy and security of One Medical’s information assets, including member information, patient information, and company confidential and proprietary information.

● Maintaining the security of One Medical business and technology assets, including physical and cyber security such as monitoring ingress/egress of our physical locations, monitoring email, Internet, and other systems access, detecting and protecting against security incidents and malicious, deceptive, fraudulent or illegal activity, or violations of One Medical policy or law.

● Comply with applicable laws, regulatory requirements, rules, and ordinances, including legal and regulatory reporting requirements.

● Contact and assist you in case of an emergency or disaster, such as reaching out for wellness checks during wildfires or earthquakes.

● Event planning, including for recurring and unique team and company-wide events such as regional conferences and holiday parties.

● Audit purposes.

4. Your Data Rights. You may have certain rights under the California Privacy Rights Act, including to request information about the collection of your personal information by One Medical, to access your personal information in a portable format, and to correct or delete your personal information.

You may exercise your right to access, correct, or delete your Personal Information by submitting your request here. Alternatively, you can contact us with your request at privacy@onemedical.com. We may ask you for certain information or require email verification to verify your identity and state of residence. If we cannot verify your identity or residence from the initial information you provide, we may request additional information from you, which will only be used for the purposes of verifying your identity or residence and for security or fraud-prevention purposes. In some instances, we may ask you to submit a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request. We will delete any new personal information collected for the purposes of verification as soon as practical after processing your request, subject to legal retention requirements or permissions.

You may designate an authorized agent to make certain requests. We will respond to your authorized agent’s request if they submit proof that they are properly authorized to act on your behalf or submit evidence that you have provided them with power of attorney in accordance with the law. We may deny requests from authorized agents who do not submit proof that they have been authorized by you to act on your behalf.

If you are a current One Medical employee, you can also work directly with Human Resources to manage your Personal Information.

5. No Sale of Personal Information. We have not sold any personal information, as this term is defined under the California Privacy Rights Act, about candidates in the 12 months prior to the effective date of this Policy.

6. Share of Personal Information. The personal information we share, or have shared from candidates as defined under the California Privacy Rights Act, in the 12 months prior to the effective date of this Policy falls into the following categories established by the California Consumer Privacy Act:

For more information about cookies, how and the purposes for which we use them, with whom information is shared, and how to manage cookie preferences, please visit the One Medical Privacy Policy.

7. California Privacy Rights Act Sensitive Personal Information Statement. The categories of data that we collect and disclose for a business purpose include “sensitive personal information” as defined under the California Privacy Rights Act. We do not use or disclose sensitive personal information for any purpose not expressly permitted by the California Privacy Rights Act.

8. California Privacy Rights Act Non-Discrimination Statement. We will not discriminate against candidates or employees for exercising their rights under the California Consumer Privacy Act.

9. Careers Website. Please note, the One Medical careers website is hosted and managed by a third party. Such party’s privacy practices can be found here.