Privacy Policy
Last Updated: July 12, 2025
1. Who We Are
ER Wait Times ("EWT," "we," "us," or "our") operates an online platform that displays emergency-room wait-time estimates and related hospital information across the United States.
2. Scope & Definitions
This Privacy Policy governs all personal and non-personal data collected via ERWaitTimes.org, our mobile site, embedded widgets, and public API (collectively, the "Services"). Statutory definitions align with the California Consumer Privacy Act as amended by the CPRA, Illinois' BIPA & PIPA, the EU/UK GDPR, and HIPAA.
3. Information We Collect
Category | Examples | Source | Primary Legal Basis* |
---|---|---|---|
Identifiers | IP address, cookie ID, device fingerprint | automatic | Legitimate interests / consent (GDPR) |
Approx. Location | City-level geolocation inferred from IP | automatic | Legitimate interests; opt-out |
Contact Data | Name, email, phone (feedback forms, mailing list) | user-supplied | Consent / contract |
Technical Data | Browser type, OS, referring URL, time-stamps | automatic | Legitimate interests |
Health-Context Data | Search terms ("ER near Springfield"), filter choices (e.g., pediatrics) | user action | Legitimate interests; safeguarded as "consumer health data" under WA & NV laws |
*GDPR Art 6 bases; analogous grounds apply under U.S. laws.
3.1 Cookies & Similar Tech
We deploy first-party and third-party cookies for analytics, load-balancing, and remembering user settings. In line with 2025 EU granular-consent trends and U.S. "Do Not Sell/Share" signals, our banner lets visitors opt in or granularly manage categories before non-essential cookies fire.
4. How We Use Your Information
Serve real-time wait-time dashboards and geo-nearest hospital suggestions.
Improve accuracy through aggregated analytics; IP addresses are truncated to satisfy data-minimization principles.
Respond to inquiries or send newsletters (with opt-out).
Detect, investigate, and prevent fraud or security incidents.
Comply with laws, subpoenas, or enforce our Terms of Use.
5. Sharing & Disclosure
We never sell Personal Information. We may disclose data only to:
• Service Providers: Hosting, DDoS protection, analytics—under contracts prohibiting secondary use.
• Healthcare-Facility Partners: Aggregated, de-identified statistics only.
• Legal/Safety Purposes: To comply with lawful requests or prevent imminent harm (HIPAA "permitted disclosures").
• Corporate Events: Merger or acquisition, with prior notice to users.
6. Your Privacy Rights
A. EU/UK GDPR
You may access, correct, delete, restrict, port, or object to processing, and withdraw consent at any time.
B. California CCPA/CPRA
California residents can know, delete, correct, and opt out of "sharing" for targeted ads. We must respond within 45 days, extendable once by 45 days with notice.
C. Other U.S. State Laws
EWT honors Washington's My Health My Data Act, Nevada SB 370, Connecticut Data Privacy Act, and similar statutes restricting consumer health data and targeted advertising.
D. HIPAA Clarification
EWT is not a "covered entity" or "business associate" because we neither provide healthcare services nor process provider-generated medical records.
E. Illinois-Specific Rights (BIPA & PIPA)
Biometric Information Privacy Act (740 ILCS 14)
• Written, informed consent before collecting any biometric identifier (e.g., facial geometry).
• Public retention schedule; permanent deletion within 3 years of last interaction or sooner if the purpose ends.
Personal Information Protection Act (815 ILCS 530)
• If a breach affects Illinois residents, notice must go out no later than 45 days after discovery unless delayed by law enforcement.
Illinois residents may invoke these rights via marketing@erwaittimes.org.
7. Data Retention
Server logs: 30 days.
Anonymized analytics: 24 months.
Contact-form data: 12 months.
8. Data Security & Breach Notification
We use TLS 1.3, AES-256 at rest, web-application firewalls, intrusion detection, NIST SP 800-53 controls, and mandatory MFA for staff. In a qualifying breach, Illinois residents will receive notice within the 45-day PIPA window; California, EU, and other jurisdictions are notified per their timelines.
9. International Transfers
Where EEA/UK data reaches U.S. servers, transfers rely on the 2021 modernized Standard Contractual Clauses plus supplementary technical and organizational safeguards.
10. Children's Privacy
Our Services are not directed to children under 13; we do not knowingly collect their data (COPPA compliance).
11. Governing Law
This Policy is governed by Illinois law, County of DuPage, excluding conflict-of-law principles. Courts generally uphold such clauses when the forum bears a reasonable relationship to the parties—here, our principal place of business.
12. Future Illinois Legislation
We are monitoring the Illinois Data Transparency & Privacy Act (HB 3041, 104th GA). If enacted, we will revise this Policy to reflect new consent and data-minimization duties.
13. Changes to This Policy
We update this Policy whenever our practices change or laws evolve. Material revisions will be announced via a site banner or email, and a version archive will be maintained. Including a "Last Updated" date complies with FTC guidance on deceptive or outdated policies.
14. Contact Us
Email: marketing@erwaittimes.org