Effective Date: January 24, 2024
Revised Effective: October 1, 2025
EasyVax is a vaccine scheduling platform (the "Platform") that allows you to find and schedule vaccine appointments in seconds by checking availability at multiple pharmacy retailers ("Retailer(s)"), finding available times, and allowing you to schedule with your chosen Retailer and add the appointment to your calendar all at once (the "Services").
This Privacy Notice sets out how EasyVax collects, uses, transfers, processes, and discloses your data and sets out our security practices. We respect your privacy and are committed to protecting your personal information.
When we say "EasyVax," "we," "us" or "our," we are referring to GlaxoSmithKline, LLC, the Platform/application owner, and our subsidiaries (collectively, "GSK"). The Platform was developed by Lextech Global Services Corporation, the application developer ("Lextech").
EasyVax can be used by end users and licensed healthcare professionals (referred to collectively as "you" or "Users").
Our Terms of Use also forms part of this Privacy Notice and is binding upon Users. The Services are intended for users who are at least 18 years old. Persons under the age of 18 are not permitted to use the Services.
The information provided via the Platform is for informational purposes only and is not meant to replace your pharmacist's or healthcare professional's medical advice or information from your plan about preferred pharmacies or doctors.
Please note, our privacy practices are subject to the applicable laws of the places in which we operate. The Services are only available in the United States. You may not use the Services outside the United States. We may change this Privacy Notice from time to time. We encourage you to review this Privacy Notice periodically. We recommend that you print a copy of this Privacy Policy for your records.
By using the Services, you consent to the terms of this Privacy Notice and our Terms of Use. If you disagree in any way, you must immediately discontinue using the Services.
Our Services can be accessed via QR Code Scan, the EasyVax mobile app, or website located at www.easyvax.com. Once you access the Platform you will be asked to provide information to help identify what vaccine or vaccines you would like to receive and Retailers close to the location you identified that can administer that vaccine or those vaccines to you.
You may search by ZIP code or other location means. You may also narrow your search by provider type or specific provider name. Any information you provide through the Platform at this point is used solely to help you find a Retailer that can administer the vaccine or vaccines that you have indicated you would like to receive. Search results are pulled from a publicly-available nationwide database of pharmacies and the vendor's network of participating healthcare professionals. While it is updated regularly, the list may not have the latest provider information and results shown may not reflect all of the adult vaccine providers in your area.
Inclusion of a pharmacy or doctor in the list of Retailers via the Services is not and does not imply a referral, an endorsement or a recommendation by us or any of our products. Participation by a Retailer in payer networks may vary. You should verify a Retailer's participation/acceptance of your health insurance.
For our purposes, we collect information from you when you make selections on our platform/application and we collect only information that we need to find and connect you with a Retailer who can provide vaccine services to you. For our part of the Services to work, we only need the location you wish to receive the vaccine, such as ZIP code, and type of vaccine you want to receive.
When you choose a Retailer from those identified as available to provide the requested services to you in your selected location, you may be asked to provide additional information to that Retailer in order for that Retailer to schedule you for their vaccination services at a selected location. This may include personal information, as that Retailer may require, which may include sensitive personal information, which may include the following:
| Categories of PI Collected | Description |
|---|---|
| Name, Contact information, and Unique Identifiers | Identifiers, such as a real name, alias, postal address, telephone number, email address, or other similar identifiers as well as demographic information such as date of birth. |
| Medical Information | Any information in possession of or derived from yourself, a healthcare provider, healthcare insurer, healthcare service plan, pharmaceutical company, or contractor regarding an individual's medical history, mental or physical condition, vaccines chosen/received, or treatment. This includes information gleaned from vaccines in which you have expressed interest, an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual's application and claims history (including prescription information). |
| Protected Characteristics | Characteristics of legally protected classifications such as race, gender, age, nationality, physical or mental disability, and religion. |
| Biometric Information | Physiological, biological, or behavioral characteristics that can establish an individual's identity, including DNA, face, iris or retina imagery, fingerprint, voice recordings and sleep, health, or exercise data that contain identifying information. |
| Geolocation Information | Your location based on your provision of a zip code location |
Note: Additional information may be collected by your retailer on their website to complete an appointment; this information is not provided to or retained by the Platform.
We use the information you provide to us to locate Retailers that are close to the location where you indicated you want to receive a particular vaccination and that match your criteria, in order to provide the Services.
When you request the service, we send service-related notifications and time-based reminders (e.g., deadlines, appointments) by email, in-app, push, and/or SMS. We use service providers (e.g., email, push, and SMS gateways) to deliver notifications. They act on our instructions, implement appropriate security measures, and are prohibited from using your information for their own purposes. We use identifiers, usage data, and your time zone/preferences to schedule delivery. Reminders may be generated automatically from your settings and product events. This does not involve automated decision-making producing legal or similarly significant effects. Manage types, timing, and channels—or opt out of SMS by replying STOP—in your settings. Where required, we rely on your consent; otherwise we rely on legitimate interests to provide the Services. We use vendors to deliver messages and keep limited delivery logs and preferences. We do not sell/share data for cross-context behavioral advertising in connection with these messages. We may introduce new reminder categories or timing options that are consistent with these purposes. If we make material changes to how your information is used, we will update this policy and provide prominent notice and/or seek new consent where legally required.
We process the PHI as a Business Associate and do not use it outside the BAA.
We do not require biometric identifiers and do not sell or share personal information for cross-context behavioral advertising.
Any information we retain is tokenized, which may remain personal data if it can be reasonably linked to a person.
If you have questions about how your selected Retailer retains your personal information please review their privacy policies.
Lextech retains no information.
Any personal information you provide is information required by your selected Retailer for their purposes, not ours. This information is encrypted in transit in order to transfer it to your selected Retailer. You are solely responsible for communications and interactions with any of the listed Retailers and providers working on behalf of those Retailers when you interact with them, and any information you provide to them is not governed by this Privacy Notice. Please review your chosen Retailer's privacy policy to learn what they do with your personal information and about any rights you may have in regards to that Retailer's use and collection of your information.
We share de-identified user activity data only with our token service provider and sponsor, GSK, to help understand how many users are utilizing the Platform, including what Services are being sought, to improve the Services, and to conduct anonymous-based research. This is done through a token service provider that tokenizes the data prior to sharing it for the purposes set forth above. A token is a piece of data that stands for another, more valuable piece of information. Tokens have no value and are only useful because they represent something valuable. A token is like a poker chip. Instead of filling a table with cash, which can easily be stolen, players use chips as placeholders. However, poker chips cannot be used as money, even if they are stolen. They must first be exchanged for their representative value. This is what happens through the Services when you provide the personal information for the Retailer. It is tokenized and made available to us in tokenized form. We never see, never store, and never use the personal information you provide and that is provided to the Retailer; the only information we see, store and otherwise have access to is in tokenized form.
We will share the information we may retain with local or foreign regulators, or government and law enforcement authorities as necessary or appropriate, in particular when we have a legal obligation to do so. These may be in or outside your country of residence. We may also disclose your information for other legal reasons, such as to enforce our terms and conditions; and protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
We may share the information we may retain in connection with a sale or business transaction, such as a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
We retain your information in order to provide you notifications regarding vaccines you have chosen, but we delete your information as soon as it is no longer needed to provide you the services or in order to comply with our legal obligations regarding data retention.
By providing your information in EasyVax you acknowledge that EasyVax collects only the information needed for EasyVax to locate pharmacies close to the location you have provided that administer the vaccine(s) you have selected. The information is used by EasyVax solely to register you for vaccine administration scheduling. EasyVax and its sponsors are provided with de-identified (no information which identifies you) data only to allow the sponsors to understand how many users are utilizing EasyVax and for continuous improvement. If you have questions about how your selected retailer uses any information it may collect, please review their privacy policies.
The Services are only available in the United States and are intended only for individuals within the United States.
We encrypt data in transit using industry-standard TLS and encrypt data at rest where applicable. Transfer to GSK is via the tokenization process. We do not market encryption as irreversible and no security control is perfect. We take appropriate legal, organizational, and technical measures to protect your personal information consistent with applicable privacy and data security laws. As set forth above, transfer of your information to the Retailer is via a tokenization process and use of your information by us as set forth in this Privacy Notice.
Unfortunately, the transmission of information via the Internet or a mobile phone network connection is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of the personal information you transmit to our websites or mobile applications: any transmission is at your own risk. While we cannot guarantee that loss, misuse or alteration to data will not occur, once we have received your information, we will employ appropriate technical security measures to help prevent such unfortunate occurrences.
We do not retain information that personally identifies you. This means that we are unable to respond to any data subject requests because we cannot identify any information that may pertain to you or your use of the Services. To the extent you may have exercisable data subject rights with any of the Retailers, please review their privacy policies to determine how you can exercise your data subject rights with respect to personal data they may have collected about you.
This section provides additional disclosures to California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia residents as they may be or may become applicable to us under their respective state privacy laws, including further information on their rights under such laws.
In this section, when we use the term "information" we mean it (or similar term, such as "personal data") as it is defined under those laws.
You have the right to access a copy of your personal data, which you can do by following the instructions below.
You have the right to request that we correct inaccurate personal data that we have collected about you. You can do so by following the instructions below.
You have the right to request deletion of the personal data that we have collected from you, which you can do by following the instructions below. But if we delete your personal data, we might not be able to provide any or all of our Services.
Under U.S. privacy laws, personal data is "sold" when provided to a third party for monetary or other valuable consideration, which is a fairly broad term. We share your personal data with third parties for a variety of reasons, including with Employers to help Candidates find employment opportunities and to help Employers find appropriate candidates. However, we do not sell or share your personal data as those terms are defined under U.S. privacy laws, including the definition of "share" under the CCPA.
U.S. privacy laws provide the right to opt out of the processing of your personal data for purposes of the sale of your personal data and the sharing of your personal data for purposes of targeted advertising. As explained above, we do not sell or share your personal data with third parties.
We do not undertake any profiling in furtherance of decisions that produce legal or similarly significant effects on our users.
To exercise any of your data subject rights, please Contact Us via the numbers in the "Contact Information and Privacy point of contact" section below with the subject line "Exercise My Data Privacy Rights" and provide us information about how we might be able to locate you in our records/system to process your request and also identify the data subject rights you wish to exercise.
We will respond to your request without undue delay, and, in any event, within 45 days of the request, unless less time is required by law. That period may be extended by 45 days (for a total of 90 days) where necessary, taking into account the complexity and number of the requests we receive. If we take an extension, we shall inform you within one month of our receipt of the original request, together with the reasons for delay. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data disclosure requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal data provided in a verifiable consumer request to verify the requestor's identity or authority to make the request and, to the extent necessary, to identify the browser/device that is the subject of the request.
There may be a number of reasons for denying your request, including that we may not be a covered business under the data privacy law that may apply to you.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
In order to process a data subject request, we will need enough detail to understand and respond to your request. We may need to verify your identity to process your requests and may also need to confirm your state residency. To verify your identity, we may require a combination of government identification, or other information. We may also require you to login from a verified valid device or verify that the device you are logging in from is valid.
You can have an authorized agent make a request on your behalf, but we'll need to verify your agent's identity. We would also need a copy of a valid power of attorney, or a written and signed permission to exercise your privacy rights on your behalf. We may still need to verify your identity and may ask you to directly confirm that you provided your authorized agent permission to submit the request on your behalf.
If you are a Colorado resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a Colorado consumer in the relevant time period and not able to exercise rights under the Colorado Privacy Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Colorado Attorney General.
If you are an Iowa resident, if within 90 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been an Iowa consumer in the relevant time period and not able to exercise rights under the Iowa Consumer Data Protection Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Iowa Attorney General.
If you are a Delaware resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a Delaware consumer in the relevant time period and not able to exercise rights under the Delaware consumer privacy law. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Department of Justice to submit a complaint via following the link here: https://attorneygeneral.delaware.gov/fraud/cmu/complaint/.
If you are a Montana resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a Montana consumer in the relevant time period and not able to exercise rights under the Montana Consumer Data Protection Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Montana Attorney General.
If you are a New Hampshire resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a New Hampshire consumer in the relevant time period and not able to exercise rights under the New Hampshire Consumer Data Protection Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the New Hampshire Attorney General.
If you are a New Jersey resident, if within 45 days of a valid and verifiable data subject request, we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a New Jersey consumer in the relevant time period and not able to exercise rights under the New Jersey Data Protection Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint via following the link here: https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx.
If you are an Oregon resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been an Oregon consumer in the relevant time period and not able to exercise rights under the Oregon Consumer Data Protection Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Oregon Attorney General.
If you are a Texas resident, if within 45 days of a valid and verifiable data subject request we do not take any action on the request, we will let you know why, which is usually because we cannot verify your identity or we have verified your identity but identified that you are not and have not been a Texas consumer in the relevant time period and not able to exercise rights under the Texas Data Privacy and Security Act. We will provide information about how you may appeal this decision / non-action in that communication. If your appeal is denied, you may contact the Texas Attorney General.
Residents of California who use the Website primarily for personal, family or household purposes may request a list of third parties to which certain personal information (as defined by applicable California law) obtained through the Website was disclosed by us during the preceding year for those third parties' direct marketing purposes. If you are a California resident and want such a list, please Contact Us via email at security@lextech.com or US.CPA@gsk.com. For such requests, you must put the statement "Your California Privacy Rights" in the body of your request, as well as your name, street address, city, state, and zip code. In your request, you need to attest to the fact that you are a California resident and provide a current California address for our response. Please note that we will not accept requests via the telephone or by facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.
The security of your Information is important to us. We take commercially reasonable security measures, including administrative, technical, and physical safeguards, to protect your Information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction, including TLS in transit and encryption at rest.
Some web browsers transmit "do-not-track" signals to websites. Because the "do-not-track" browser-based standard signal has yet to gain widespread acceptance, we do not currently respond to those signals.
Our Services are not directed to those under 18 and we do not knowingly collect, sell, or share for targeted advertising any personal information from minors under 18 years of age.
From time to time, we will update this Privacy Notice. Any changes become effective when we post the revised Privacy Notice, although we may elect to otherwise notify you in some cases where changes are significant or where required by law. This Privacy Notice was last updated as of the "Last Updated" date shown above.
If you have any questions about this Privacy Notice, need more information or would like to raise a privacy concern, please contact us at US.CPA@gsk.com or Lextech at security@lextech.com.
GSK Pharmaceutical and Vaccine products: 1.888.825.5249
Lextech: 1.630.420.9670