Get a demo

Data Product Privacy Policy 

Updated: October 17, 2025 

About PurpleLab

PurpleLab® (“PurpleLab,” “we,” or “us”) is a health-tech company driven by one clear philosophy: outcomes matter most. As a trusted partner for real-world data and analytics, we help healthcare and life sciences organizations and the technology and consulting companies that serve them drive decisive action based on precise insights—with the ultimate goal of giving everyone a fighting chance at the best possible health outcome — because data drives better outcomes.  This Data Product Privacy Policy describes how PurpleLab collects, uses, discloses, and protects information used in our data products and analytics services including our Healthcare Provider Audiences (“HCP Audience”) and Direct-to-Consumer Audiences (“DTC Audience”) products (collectively, the “Data Products”).

Scope of this Policy

This Data Product Privacy Policy describes how PurpleLab collects, uses, and discloses information in connection with our Data Products.  This policy does NOT cover:
  • Information collected through our website or as part of our business practices (covered by our Corporate Privacy Policy)
  • Information we process on behalf of PurpleLab customers as a service provider (covered by separate agreements)
  • Employee or job applicant information

The Information We Collect and How We Use It

We’ve designed our Data Products with data minimization principles in mind. Our Data Products are sourced from data that’s been de-identified under strict HIPAA standards. As further explained below, the information underlying our Data Products and any DTC Audiences generated do not include information that is identifiable to PurpleLab. Certain advertising partners we work with may be able to combine the “modeled” data we disclose to them with other data to re-identify such disclosed data.  (This does not involve re-identification of data subject to HIPAA.)  We offer consumers tools to communicate their preferences to our advertising partners, such as a desire to opt out of advertising, which can be done as outlined on our privacy main page. Below, we explain the types of data in our Data Products.

De-Identified PurpleLab CLEAR Claims Data 

While this Privacy Policy does not apply to de-identified data, the foundation of our Data Products is built from de-Identified data. In the interest of transparency, we provide this information on how we source the de-identified data that we use to generate our Data Products. This data may include de-identified: 
  • Prescription claims data such as National Drug Codes (“NDC”), date filled, day’s supply and quantity, prescriber and pharmacy NPI (as defined below), and information related to payment.
  • Medical claims data such as diagnoses, procedures, provider NPI, and service dates, 
  • Laboratory and clinical data such as vital signs, lab results, and clinical notes, 
  • Demographic information such as gender, geographic region, and other social determinants of health (SDOH)
We harmonize this data using PurpleLab’s proprietary CLEAR (Comprehensive Layout for Exploration, Analysis & Research) methodology which results in a de-identified data set. PurpleLab’s CLEAR Claims Data has been certified by qualified expert statisticians to meet HIPAA’s de-identification standards under the Expert Determination method (45 CFR § 164.514(b)(1)). We commit to maintain and use the CLEAR Claims Data in de-identified form and not to attempt to reidentify the information, except we may attempt to reidentify the information solely for the purpose of determining whether our de-identification processes satisfy applicable law. Because CLEAR Claims Data is de-identified, we may process and disclose such data without restriction, and this Privacy Policy does not apply to CLEAR Claims Data.

Identifiable Healthcare Provider (HCP) Information 

Our Data Products include our HCP Audience product. While CLEAR Claims Data has been de-identified subject to HIPAA standards, such de-identified data may be associated with healthcare provider identifiers.  For example, de-identified medical claims data may contain provider identifiers associated with the medical claim, such as the National Provider Identifier (NPI) Number, which is made publicly available by the U.S. Centers for Medicare & Medicaid Services (CMS).   PurpleLab also may either receive from publicly available resources or license additional information (“Additional HCP Data”) about healthcare providers to support or enhance some of our Data Products. This information may include data such as provider email addresses.   We may collect data about HCPs to link the HCP with data sets, insights, and reports or to reach the HCP with advertising or other messaging (such as information relating to a clinical trial) or to provide reporting about healthcare outcomes.   If you are a healthcare provider and wish to exercise your data subject rights with respect to the Additional HCP Data, please click here

Healthcare Advertising

Our Data Products also include our DTC Audience product. Using insights gathered from our CLEAR Claims Data, PurpleLab creates audiences of tokenized records to support healthcare and life sciences organizations’ outreach and marketing efforts.  DTC Audiences are created by applying proprietary and patent-pending data modeling techniques to CLEAR Claims Data. The tokenized audiences generated from CLEAR Claims Data (“DTC Audiences”) are not individually identifiable to PurpleLab. DTC Audiences are distributed through technology and consulting companies that provide services to healthcare and life sciences organizations (“Partners”).  Partners may maintain information that enables them to associate pseudonymous identifiers in DTC Audiences with identifiable information for advertising purposes.  Our DTC Audiences consist of tokens and do not reveal specific diagnoses or health conditions of any individual, or any information subject to HIPAA.  Instead, our DTC Audiences provide Partners with modeled audiences with potential interests in certain health topics, including conditions and treatments. The DTC Audiences allow healthcare and life sciences organizations to reach individuals who may be interested in relevant healthcare information. As part of our data minimization efforts, PurpleLab’s tokenization process results in DTC Audiences that are not re-identifiable to PurpleLab.  Because of this technical limitation, we cannot process data subject requests, including requests to opt out of the “sale,” “sharing,” or processing of personal information for “targeted advertising” directly.  However, data subjects have the ability to opt-out of our Audience Products through our Partners. If you wish to opt-out of Audience Products through our Partners, please click here In addition to the uses described above, we may also use Healthcare Provider Audience data and DTC Audience Data for the following purposes:
  • Analyze, maintain, and improve our products and services;
  • Secure our products and services;
  • Comply with legal obligations, legal process, and protect the rights, safety, or property of us, our affiliates, or any other party;
  • Prevent fraud and criminal activity; and
  • As otherwise authorized under applicable law.
Aggregated & De-Identified Data: The above uses relate to identifiable data. We may also de-identify (i.e. anonymize) and/or aggregate data such that it can no longer be associated with an individual, including by any of our Partners. We may use and disclose the aggregated information for our legitimate business purposes without any restrictions.

When We Disclose Information We Collect

We may disclose all information subject to this Privacy Policy in the following circumstances:
  • Vendors and Service Providers: We may disclose data to service providers, who provide services or functions on our behalf, such as data hosting providers. 
  • Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, dissolution, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider (collectively a “Transaction”), data may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
  • Legal Requirements: If required or permitted to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements (which may include lawful access by U.S., Canadian or foreign courts, law enforcement or other government authorities), (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of the public, or (v) protect against legal liability.
  • Affiliates: We may disclose data to our affiliates, meaning an entity that controls, is controlled by, or is under common control with PurpleLab. Our affiliates may use the data we disclose in a manner consistent with this Privacy Policy.
  • Your Consent: If you have consented to our disclosure of your information for other purposes not listed above, we will also disclose your information consistent with your consent. 

Security

We use safeguards designed to preserve the integrity and security of the information subject to this Privacy Policy. However, no security measures are perfect, so we cannot ensure or warrant the security of any information you transmit to us or guarantee that information subject to this Privacy Policy may not be accessed, disclosed, altered, or destroyed.

Data Retention

We keep data subject to this Privacy Policy for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a business need to do so, or as required by law (e.g. for tax, legal, accounting, or other purposes), whichever is longer.

Your Privacy Rights and Choices

Depending on your jurisdiction, you may have the right, in accordance with applicable data protection laws, to make requests related to your “personal information” or “personal data” (as such terms are defined under applicable law, and collectively referred to in this section as “personal information”). We are unable to honor requests where we do not maintain information for which we can identify you. Below, we explain the rights that may be available to you as detailed at our main privacy page. Specifically, you may have the right to ask us to:
  • Inform you about the categories of personal information we collect or disclose about you; the categories of sources of such information; the business or commercial purpose for collecting your personal information; and the categories of unaffiliated parties with whom we disclose personal information.
  • Provide you access to and/or a copy of certain personal information we hold about you.
  • Correct or update personal information we hold about you.
  • Delete certain personal information we have about you.
  • Opt you out of the processing of your personal information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects, if applicable.
  • Revoke your consent for the processing of your information.
Please note that certain information may be exempt from such requests under applicable law. We may need to take reasonable steps to verify your identity before responding to a request, which may include, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name and email address. If we are unable to verify your identity, we may be unable to respond to your requests. As provided in applicable law, you also have the right to not be discriminated against for exercising your rights. You may be able to designate an authorized agent to make requests on your behalf. In order for an authorized agent to be verified, you must provide the authorized agent with signed, written permission to make such requests or a power of attorney. We may also follow up with you to verify your identity before processing the authorized agent’s request as permitted by applicable law.  Depending on applicable law, you may have the right to appeal our decision to deny your request, if applicable.  You may do so through the email address privacy @purplelab.com. As explained above, PurpleLab’s data minimization practices result in data that is not identifiable to PurpleLab. CLEAR Claims Data and DTC Audience data are not re-identifiable to PurpleLab. PurpleLab is able to identify Healthcare Providers and personal information associated with Healthcare Providers. If you are a Healthcare Provider, you may exercise your rights here. Laws of your jurisdiction may also allow you to opt out of the “sale,” “sharing,” or processing of your personal data for targeted advertising. We may provide identifiable information about Healthcare Providers (such as a name, email address, and potential interests) to other parties for purposes of advertising. We may also provide DTC Audiences to Partners for advertising purposes. These DTC Audiences may include information about potential interests, including in healthcare information and treatments. As explained above, PurpleLab does not maintain information that allows it to identify any consumer in a DTC Audience. If you are a Healthcare Provider, you may opt out of the “sale,” “sharing,” or processing of your personal data for targeted advertising here.

Supplemental Disclosure for California Residents (Data Products)

Except as explicitly stated, this section applies strictly to residents of California. This section applies to “personal information” (as defined by the CCPA) that we collect or generate through our Data Products. If you are looking for the California notice at collection for our Corporate Privacy Policy, please click here Throughout our Data Product Privacy Policy, we discuss in detail the specific pieces of personal information we collect, the sources of that information, and how we disclose it. Under the California Consumer Privacy Act (“CCPA”), we also have to provide you with (1) the “categories” of personal information and sensitive personal information we collect and disclose for business or commercial purposes (as “categories” are defined by the CCPA); (2) the categories of other parties to whom we (a) disclose such information for a business purpose, (b) “share” information for “cross-context behavioral advertising,” and/or (c) “sell” such information. Under the CCPA, “sharing” is defined as the targeting of advertising to a consumer based on that consumer’s personal information obtained from the consumer’s activity across websites or services, and “selling” is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration. We “share” information to provide more relevant and tailored advertising to you. We do not knowingly “sell” or “share” the personal information of children under 18.
  • Healthcare Provider Data
In connection with our HCP Audience Product, we may collect (1) identifiers and contact information about Healthcare Providers, such as names, email addresses, and healthcare provider identifiers; (2) professional or employment information, such as employers associated with Healthcare Providers; and (3) inferences, such as potential interests of Healthcare Providers. We use and “sell” or “share” this information to provide our HCP Audience product, which may be used for advertising purposes. We disclose HCP Audience data to our vendors, affiliates, as required by law, and with other entities for legal and safety purposes. We collect the categories of personal information identified above from publicly available sources, other parties such as unaffiliated parties, and as inferred from our CLEAR Claims Data. We may “sell” or “share” HCP Audiences with our advertising Partners. 
  • DTC Audience Data
As described in our Data Product Privacy Policy, we generate DTC Audiences using CLEAR Claims Data. We do not maintain information that enables us to identify any consumer within our DTC Audiences. We may disclose DTC Audiences to advertising Partners that may be able to combine DTC Audiences with other information.  DTC Audiences contains inferences about potential interests of consumers within those audiences, such as potential interests in healthcare treatments and therapeutic areas. Because our data minimization practices do not enable us to identify any consumer within a DTC Audience, we cannot directly honor any data subject requests. But However, you may opt-out of the use of your personal information by our Partners for targeted advertising purposes by using their opt-out mechanisms (this list will be updated as PurpleLab utilizes new Partners): o        LiveRamp: https://liveramp.com/privacy/ o        Throtle: https://www.throtle.io/privacy o        Experian: https://www.experian.com/privacy/opting_out  Data Retention: Please see the “Data Retention” section in our Corporate Privacy Policy for information on how long we retain information we collect about you.