California and Colorado Privacy Notice

Effective Date: September 21, 2023

This privacy notice applies only to California and Colorado residents. It describes how Doximity collects, uses,shares, and otherwise processes Personal Information of California and Colorado residents in connection solely with their use of the Doximity Client Portal (the “Portal”) and all data and other information made available through the Portal (collectively, the “Doximity Data” and together with the Portal, the “Service”) and their rights with respect to that Personal Information. This privacy notice excludes all other data collection outside the scope of the Service. For purposes of this notice, “Personal Information” has the meanings specified in the California Consumer Privacy Act of 2018 (“CCPA”) and California Privacy Rights Act of 2023 (“CPRA”), respectively, and exclude information exempted from the scope of the CCPA, CPRA, and Colorado Privacy Act (“CPA”) including protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This notice is intended to supplement, and should be read in conjunction with, our Privacy Policy.

  • Categories of Personal Information we collect and may share for business and commercial purposes. The following is a list of all categories of Personal Information specified in Section 1798.140(o) of the CCPA that Doximity has collected from California and Colorado residents in the twelve (12) months prior to the Effective Date, together with (1) examples of the types of Personal Information we collect within that category, and (2) the categories of sources from which we collect such Personal Information:
    • Identifiers: (1) examples of what we collect: name and email address; (2) sources: you
    • Online Identifiers: (1) examples of what we collect: cookies, device identifiers, IP addresses; (2) sources: you
    • Internet or Network Information: (1) examples of what we collect: browsing history, search history, and information about your interaction with our websites, applications and content (collectively, “Interaction Data”); (2) sources: you
    • Geolocation Data: (1) examples of what we collect: city, state, and zip code; (2) sources: you (directly and indirectly from your IP address)
    • Inferences: (1) examples of what we collect: inferred preferences and interests; (2) sources: automatically generated internally based on other information we collect about your use of the Service as described in this notice
    • Communications: (1) examples of what we collect: contents of messages or emails exchanged about the Service; (2) sources: you You can learn more about our Personal Information sources, the business or commercial purpose for which we collect your Personal Information, and the categories of third parties with whom we share your Personal Information in our Privacy Policy.
  • Data Retention
    • We will retain your Personal Information for at least the period reasonably necessary to fulfill the purposes outlined in our Privacy Policy unless a longer retention period is required or permitted by law. If you ask us to delete specific personal information (see ‘Your California and Colorado privacy rights’ below), we will honor this request unless deleting that information prevents us from carrying out necessary business functions, such as providing you the Service.
  • Your California and Colorado privacy rights. California and Colorado residents have the rights listed below. However, these rights are not absolute and exceptions apply, so in certain cases we may decline your request as permitted by law.
    • Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
      • The categories of Personal Information that we have collected
      • The categories of sources from which we collected Personal Information
      • The business or commercial purpose for collecting and/or selling Personal Information
      • The categories of third parties with whom we share Personal Information.
      • Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient
      • Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient
    • Access. You can request a copy of the Personal Information that we have collected about you through your use of the Service since September 1, 2023.
    • Deletion. You can ask us to delete the Personal Information that we have collected from you.
    • Opt-out of sales or sharing. If we sell or share (as defined in the CPRA) your Personal Information relating to the “Categories of Personal Information we collect and may share for business and commercial purposes” section above, you may opt-out.
    • Nondiscrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.
    • Correction. You can correct your own Personal Information displayed on your public profile and your Private Profile Information. You can also ask us to correct Personal Information that we have collected from you.
  • How to exercise your rights
    If you are a California or Colorado resident, you may exercise your California and Colorado privacy rights described above, subject to certain exceptions, as follows:
    • You can request to exercise your information, access and deletion rights by contacting us via your account at privacy@doximity.com. We will verify your request using information associated with your Doximity account. Government or other identification may be required. You may designate an authorized agent to make a request on your behalf, in which event we will require a valid power of attorney and the authorized agent’s government issued identification, and we may verify the authenticity of the request directly with you. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. Also, if we are unable to verify your identity or authority, we may not be able to fulfill your request. We do not keep sufficient information to enable us to readily link an identified individual with information collected from individuals in connection with a prior visit to the Service unless the individual accessed the Service as a logged-in member.
    • Note that we may deny your deletion request if retaining your information is necessary for us or our service providers to:
      • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
      • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
      • Debug products to identify and repair errors that impair existing intended functionality.
      • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
      • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
      • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
      • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
      • Comply with a legal obligation
      • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
    • Response times and format. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
    • We do not sell or share (as defined under the CPRA) Personal Information collected about you in connection with your use of the Service.
  • Changes to this Privacy Notice. Doximity reserves the right to modify this notice at any time in our sole discretion as described in our Privacy Policy.
  • Contact Information. If you have any questions about this notice or Doximity’s privacy practices, or wish to exercise your rights under California or Colorado law, please do not hesitate to contact us at:
    Email: privacy@doximity.com
    Postal Address:
    Doximity, Inc. 500 3rd Street,
    Suite 510 San Francisco,
    CA 94107
    Attn: Legal Department