Astoria Company

Privacy Policy

Effective Date: June 23, 2026 · Last Updated: July 7, 2026

This Privacy Policy describes how Astoria Company Marketing LLC, doing business as Astoria Company, together with its owned or operated websites, brands, products, services, and platforms (collectively, "Astoria Company," "Astoria," "Company," "we," "us," or "our"), collects, uses, discloses, sells, shares, retains, and protects personal information.

This Privacy Policy is intended to serve as Astoria Company's centralized privacy policy for AstoriaCompany.com and for any current or future Astoria-owned, Astoria-operated, or Astoria-controlled website, domain, subdomain, landing page, form, application, platform, portal, API, call flow, tracking number, campaign page, SaaS product, or other digital property that links to, displays, incorporates, or references this Privacy Policy. This includes B2B lead generation websites, B2C consumer inquiry websites, pay-per-call properties, SaaS websites, and other websites or digital properties operated by or for Astoria Company, whether or not a specific domain is listed by name.

By using or accessing our websites or services, submitting information to us, communicating with us, or using our platforms, you acknowledge that you have read this Privacy Policy. Your use of any website or service may also be governed by separate Terms of Use, SMS Terms, SaaS Terms, insertion orders, commercial agreements, data processing agreements, or other terms presented to you.

1. Websites and Services Covered by This Privacy Policy

This Privacy Policy is designed to support a centralized master privacy framework for all Astoria-owned, Astoria-operated, and Astoria-controlled websites and digital properties. The examples below are representative only and do not limit the scope of this Privacy Policy:

B2B lead generation and marketing websites

MortgageLeads.com

MedicareLeads.com

AttorneyLeads.com

BestInsuranceLeads.com

HomeRemodelingLeads.com

PayPerCallMarketing.com

B2C consumer inquiry and lead generation websites

Repairmen.com

NewMedicare.com

NewHealthInsurance.com

LegalCaseReview.com

CollegeDegree.Education

ExpressCash.com

MortgageZone.com

All additional current or future Astoria-operated consumer inquiry websites, landing pages, quote pages, campaign pages, forms, phone numbers, and digital properties, whether or not listed by name

SaaS and technology websites

OrganicStack.com

PingPost.Exchange

ConsentCompliance.com

Related dashboards, APIs, portals, account areas, and technology services

All other current or future Astoria-owned, Astoria-operated, or Astoria-controlled domains, subdomains, microsites, landing pages, forms, applications, call flows, call tracking numbers, campaign pages, advertising pages, portals, APIs, software tools, and digital properties that link to, display, incorporate, or reference this Privacy Policy

This Privacy Policy may be linked from multiple Astoria websites and is intended to apply across those websites as a single centralized Astoria Company privacy policy. Some sites, forms, campaigns, products, or services may have additional disclosures, consent language, product-specific terms, or vertical-specific notices. If a site-specific notice conflicts with this Privacy Policy, the site-specific notice controls for that site, form, campaign, product, or service to the extent of the conflict.

2. Important Role-Based Disclosures

Astoria operates in several different roles depending on the website, service, transaction, or commercial relationship. These roles matter because different privacy obligations may apply.

ScenarioAstoria Role
Consumer submits an inquiry on an Astoria-operated site and asks to be matched with providers, advertisers, agents, lenders, legal providers, contractors, education providers, insurance agencies, Medicare providers, or other third parties.Astoria may act as a business/controller, lead generator, marketing platform, matching platform, and, where applicable, data broker.
Astoria buys, sells, transfers, licenses, routes, posts, pings, or otherwise makes available lead or call data between commercial parties.Astoria may act as an independent business/controller, lead buyer, lead seller, call buyer, call seller, marketplace operator, and/or data broker depending on the transaction.
A customer uses PingPost.Exchange or another Astoria SaaS product to manage its own leads, buyers, routing, API connections, suppression, or compliance workflows.Astoria may act as a service provider/processor for customer-controlled data, except where Astoria independently determines the purposes and means of processing.
A business user visits a B2B site or requests information about Astoria services.Astoria generally acts as a business/controller for its own sales, marketing, support, contracting, and account management activities.
  • Astoria Role

3. We Are Not the Underlying Provider of Third-Party Products or Services

Unless expressly stated otherwise in writing, Astoria is not the lender, insurance carrier, Medicare plan, law firm, attorney, contractor, school, financial institution, advertiser, seller, provider, or professional service provider for the third-party products or services that may be advertised, requested, matched, or offered through our websites.

Our websites and services may operate as marketing, routing, matching, lead generation, pay-per-call, software, or advertising platforms that help connect users with third-party partners, advertisers, service providers, lead buyers, call buyers, or other commercial participants (collectively, "Partners"). Any product, service, quote, advice, engagement, enrollment, financing, case review, consultation, appointment, or transaction offered by a Partner is governed by that Partner’s own terms, privacy policy, professional obligations, licensing requirements, and applicable law.

4. Personal Information We Collect

The categories of personal information we collect depend on the website or service used, the type of inquiry submitted, the commercial relationship involved, and the information provided to us. We may collect the following categories of personal information:

Examples

CategoryExamples
IdentifiersName, postal address, email address, telephone number, mobile number, IP address, device identifiers, online identifiers, account identifiers, lead IDs, call IDs, certificate IDs, and similar identifiers.
Contact and inquiry informationInformation you submit through forms, quote requests, lead forms, contact forms, chat, email, phone calls, SMS, account portals, or other communications.
Commercial informationProducts or services requested, purchased, considered, or inquired about; campaign information; lead or call transaction data; account history; billing information; and business relationship details.
Internet, device, and network activityBrowser type, operating system, referring URLs, pages viewed, clicks, form interactions, session information, timestamps, cookie IDs, pixels, web beacons, IP address, approximate location, and analytics data.
Lead generation and consent recordsConsent language, consent timestamp, form URL, landing page, publisher/source ID, campaign ID, sub-ID, IP address, user agent, consent certificate, call recording where permitted, and records used to document or verify permission to be contacted.
Call, SMS, and communication dataTelephone numbers, call logs, call recordings where permitted, voicemail, SMS/MMS content, message metadata, email content, support messages, and business communications.
Financial, mortgage, insurance, legal, education, home services, or other vertical-specific inquiry informationDepending on the website, this may include information about loan interests, insurance interests, Medicare or health insurance inquiries, legal matter type, home project details, education interests, employment information, income range, property information, or other information relevant to your request.
Sensitive personal information where provided or necessaryCertain inquiries may involve sensitive personal information, such as health-related, financial, government ID, account access, precise geolocation, or legal matter details. We collect sensitive personal information only as reasonably necessary for the disclosed purposes, to provide requested services, for compliance, or as otherwise permitted by law.
Business contact and account informationCompany name, job title, business email, business telephone number, billing contact, contracting information, platform login information, API usage, and customer support records.
InferencesPreferences, interests, lead scoring, routing criteria, quality signals, fraud indicators, compliance risk signals, or other internal inferences derived from the information described above.

5. Sources of Personal Information

Directly from you when you submit a form, call us, text us, email us, create an account, use a portal, request information, or otherwise communicate with us.

  • Directly from you when you use a website chat feature, including Tawk.to chat on AstoriaCompany.com and BestInsuranceLeads.com, such as chat messages, name, email address, phone number, business contact information, page context, timestamp, IP address, user agent, device/browser information, and related technical metadata where applicable.

From Astoria-operated websites, landing pages, forms, phone numbers, call tracking systems, APIs, dashboards, and SaaS platforms.

From publishers, marketing partners, lead sellers, call sellers, advertisers, agencies, affiliates, vendors, business partners, and other commercial sources.

From Partners, lead buyers, call buyers, service providers, clients, customers, and counterparties involved in lead generation, call routing, ping/post, host/post, pay-per-call, or SaaS transactions.

From service providers and technology vendors, such as hosting providers, analytics providers, call tracking providers, consent documentation providers, fraud prevention vendors, CRM tools, email providers, payment processors, and communications platforms.

From publicly available sources, business directories, commercial databases, government records, or other lawful sources.

6. How We Use Personal Information

Provide, operate, maintain, improve, and secure our websites, forms, platforms, APIs, services, and business operations.

  • Respond to inquiries, requests, support issues, account questions, and business communications.

Provide, operate, staff, review, and respond to website chat communications, including through third-party chat technology where enabled on a covered website.

Match, route, transfer, sell, share, disclose, license, post, ping, score, validate, suppress, deduplicate, or otherwise process leads, calls, inquiries, and related data.

Connect consumers or business users with Partners that may provide, advertise, quote, review, or offer products or services requested by the user.

Document, verify, preserve, audit, and defend consent, including TCPA, DNC, text message, call, email, and electronic signature consent records.

Operate call tracking, pay-per-call, live transfer, inbound call, lead distribution, ping/post, host/post, marketplace, and related marketing technology systems.

Operate SaaS products, including OrganicStack.com, PingPost.Exchange, account dashboards, API services, routing tools, suppression tools, compliance tools, and reporting functions.

Detect, investigate, prevent, or respond to fraud, invalid traffic, bot activity, abuse, unauthorized access, DDoS attacks, security incidents, suspicious leads, and unlawful conduct.

Maintain suppression lists, opt-out lists, internal do-not-contact lists, and records needed to honor privacy requests and legal obligations.

Send service, transactional, administrative, support, legal, account, security, or business communications.

Send marketing communications where permitted by law or with required consent, subject to available opt-out rights.

Process billing, payments, invoices, collections, disputes, credits, returns, chargebacks, and commercial account administration.

Comply with applicable laws, rules, regulations, subpoenas, court orders, regulatory inquiries, law enforcement requests, and legal process.

Establish, exercise, investigate, prosecute, or defend legal claims, disputes, audits, compliance reviews, and contractual rights.

Evaluate or conduct a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or other business transaction.

7. Disclosure, Sale, and Sharing of Personal Information

Depending on the website, service, consent language, and transaction, Astoria may disclose, sell, share, transfer, license, or otherwise make available personal information to the following categories of third parties:

Partners, advertisers, lead buyers, call buyers, service providers, agencies, networks, publishers, sellers, resellers, and other parties involved in requested Website Services, lead generation, call routing, advertising, or matching.

Mortgage, insurance, Medicare, legal, home services, education, financial services, and other vertical-specific providers relevant to the inquiry submitted.

SaaS customers, API users, platform users, or commercial counterparties where the customer or counterparty controls, receives, routes, posts, pings, or processes data through Astoria systems.

Service providers, processors, contractors, and vendors that help us provide hosting, analytics, CRM, communications, email, SMS, Zoom Phone or related communications, call tracking, payment processing, security, fraud prevention, consent documentation, compliance, data storage, and business operations.

Chat and website messaging providers, including Tawk.to where implemented, that help us provide live chat or chatbot functionality, route chats to Astoria personnel, maintain chat transcripts, and support website visitor communications.

Professional advisors, lawyers, accountants, auditors, insurers, consultants, and financial institutions.

Government authorities, regulators, courts, law enforcement, or other parties when required or permitted by law, legal process, or to protect rights, safety, security, property, or operations.

Successors or potential successors in connection with a merger, sale, financing, acquisition, bankruptcy, restructuring, or transfer of all or part of our business or assets.

Because Astoria operates lead generation and data routing businesses, certain disclosures may constitute a "sale" or "sharing" of personal information under California and other state privacy laws. Where required, you may opt out of sale, sharing, targeted advertising, or similar processing as described in the "Your Privacy Rights" section below.

8. Third-Party Partners and Communications

When you submit an inquiry through one of our websites, you may be asking to be matched with one or more Partners. By submitting your information, and subject to the consent language presented at the point of collection, you authorize Astoria to disclose your information to Partners so they may respond to your request, evaluate your inquiry, provide quotes or information, contact you, or offer products or services.

Partners may contact you by telephone, email, SMS/MMS, direct mail, website redirect, or other lawful methods if they have legally sufficient consent or another lawful basis to do so. Partner communications are governed by the Partner’s own privacy policy, terms, licensing obligations, consent practices, compliance obligations, and applicable law. Astoria is not responsible for a Partner’s independent privacy or marketing practices once your information has been provided to that Partner, except to the extent required by applicable law or an agreement between Astoria and that Partner.

9. Phone, Call, and SMS Communications

Astoria SMS and business communications

If you provide a mobile telephone number to Astoria, contact us by text message, submit an inquiry, request information, or otherwise communicate with us, you authorize Astoria to contact you by SMS or MMS text message for purposes related to your inquiry, request, account, transaction, service relationship, or business relationship with us.

  • Astoria currently uses Zoom Phone and related messaging services to send and receive business communications. Astoria does not use SMS or MMS messaging to conduct outbound cold text messaging campaigns on its own behalf. Our SMS communications are intended to be responsive, transactional, service-related, support-related, account-related, or otherwise connected to an existing or requested communication or business relationship.

Message frequency may vary. Message and data rates may apply. Consent to receive text messages from Astoria is not a condition of purchasing any goods or services from Astoria. You represent that you are the account holder or authorized user of any mobile number you provide to us.

You may opt out of receiving text messages from Astoria by replying STOP to a message from us or by contacting us using the contact information below. You may request help by replying HELP or contacting us directly. We will honor reasonable requests to opt out of SMS communications as required by applicable law. Opting out of SMS communications from Astoria does not automatically opt you out of communications from Partners who may have separately received your information or consent. To stop communications from a Partner, follow that Partner’s opt-out instructions or contact that Partner directly.

Third-party Partner SMS communications

Some Partners that receive leads or calls from Astoria may use TCPA-compliant permission to conduct outbound SMS or MMS communications. Astoria does not send those third-party text messages itself. Where permitted by the consent language presented at the point of collection and applicable law, Partners may contact you by SMS/MMS, telephone, email, or other methods. Those communications are the responsibility of the applicable Partner.

SMS Privacy Policy Statement

Astoria does not sell, rent, or share text messaging originator opt-in data or SMS consent information with third parties or affiliates for their own unrelated marketing or promotional purposes.

Astoria may use mobile numbers, text messaging opt-in data, and SMS consent records to communicate with you, respond to your inquiries, provide requested services, document consent, comply with applicable law, prevent fraud or abuse, and operate our lead routing, call routing, compliance, and business communication systems.

Where you submit an inquiry through one of our websites and consent to be contacted, Astoria may share your information, including your mobile number and related consent records, with Partners as necessary to provide requested Website Services, match you with relevant providers, document consent, or comply with applicable law. Those Partners may use your information to contact you where they have legally sufficient consent or another lawful basis to do so.

Website Chat and Messaging Tools

Some Astoria websites may offer website chat or messaging functionality. As of this update, Astoria uses the free version of Tawk.to chat on AstoriaCompany.com and BestInsuranceLeads.com. The chat feature may be staffed by an Astoria team member during limited business hours, generally about six hours per day, Monday through Friday, and may also provide automated or offline messaging functionality when staff is unavailable.

When you use a chat feature, Astoria and the chat provider may collect and process chat content and related technical metadata, such as timestamp, page URL, referrer, IP address, device/browser information, and other information you choose to provide in the chat. We use this information to respond to inquiries, provide support, document communications, improve website operations, prevent fraud or abuse, and comply with legal obligations.

Tawk.to operates as a third-party technology provider for the chat functionality. Chat communications are not intended for sensitive personal information, medical information, financial account numbers, Social Security numbers, or other highly sensitive information unless expressly requested through an appropriate secure process.

We may use third-party consent documentation and verification technologies, including tools such as ActiveProspect TrustedForm, Jornaya LeadiD, call tracking systems, analytics tools, or similar technologies. These tools may collect information such as page URL, timestamps, IP address, browser and device information, form interactions, page snapshots, session activity, consent language, unique identifiers, and other data needed to document or verify consent, detect fraud, audit lead quality, or comply with law and contractual obligations.

We may combine consent documentation data with other information collected from or about you and may disclose consent records to Partners, service providers, counsel, regulators, courts, or other parties where necessary to document consent, audit compliance, investigate disputes, defend legal claims, or comply with law.

11. Cookies, Pixels, Analytics, Advertising, and Universal Opt-Out Signals

We and our service providers may use cookies, pixels, web beacons, tags, scripts, local storage, software development kits, analytics tools, and similar technologies to operate our websites, remember preferences, analyze traffic, measure performance, secure our sites, document consent, detect fraud, improve user experience, and deliver or measure advertising.

Some cookies and tracking technologies may be placed by third parties. These third parties may collect information about your activity on our websites and other websites over time and across services. Depending on the technology and applicable law, these activities may be considered targeted advertising, cross-context behavioral advertising, sale, sharing, or profiling.

Where required by law, we will provide a way to opt out of sale, sharing, targeted advertising, and certain tracking technologies. We will also honor browser-based universal opt-out mechanisms, including Global Privacy Control or other legally recognized universal opt-out signals, where required by applicable law and technically feasible.

You can also configure your browser to refuse or delete cookies. If you do so, certain website features may not function properly.

12. Artificial Intelligence, Automation, Scoring, and Routing

We may use automated systems, rules, algorithms, routing logic, lead scoring, fraud detection, quality scoring, deduplication, suppression, validation, or other automated tools to operate our websites and services. These tools may help determine whether a lead is valid, which Partner may receive an inquiry, whether a call or lead matches campaign criteria, whether a record appears duplicative or fraudulent, or how a SaaS customer’s configured routing rules are applied.

Where required by applicable law, we will provide required disclosures, rights, or opt-out mechanisms related to automated decision-making, profiling, targeted advertising, or similar processing.

13. Sensitive Personal Information

Some websites or services may collect information that applicable law treats as sensitive, such as health-related inquiries, Medicare or insurance interests, financial information, government identifiers, account information, precise geolocation, racial or ethnic origin if voluntarily provided, or legal matter details. We use sensitive personal information only as reasonably necessary to provide requested services, route or process inquiries, document consent, secure our services, comply with law, prevent fraud, manage accounts, or as otherwise permitted by applicable law.

We do not use sensitive personal information to infer characteristics about you except as permitted by law or where reasonably necessary for the purpose for which the information was provided. Where applicable, you may have the right to limit the use or disclosure of sensitive personal information.

14. Data Broker Disclosures

Astoria may act as a data broker or similar entity under certain state laws when it collects, processes, sells, licenses, discloses, transfers, or otherwise makes available personal information that it did not collect directly from the individual, or when it operates lead generation or data routing activities covered by applicable data broker laws.

  • Astoria will register as a data broker in jurisdictions where it is legally required to do so and will provide required public disclosures, registry information, consumer request methods, and opt-out or deletion mechanisms. State data broker laws may include, without limitation, California, Texas, Oregon, Vermont, and any other state that enacts or applies similar requirements.

California residents may have additional rights through California’s Delete Request and Opt-Out Platform, known as DROP, for registered data brokers. Beginning August 1, 2026, California data brokers are required to process qualifying DROP deletion requests according to California law. Astoria will maintain procedures intended to support applicable DROP obligations where Astoria is required to participate.

Important retention note: Even after a deletion request, we may retain limited information when permitted or required by law, such as suppression records, do-not-contact records, opt-out records, consent records, legal defense records, fraud prevention records, billing records, security records, and records necessary to comply with legal obligations or prevent future processing of deleted data.

15. Your Privacy Rights

Depending on where you live and how we process your personal information, you may have some or all of the following rights under California and other U.S. state privacy laws:

  • Right to know or confirm whether we process your personal information.
  • Right to access personal information we maintain about you.
  • Right to receive a portable copy of certain personal information.
  • Right to correct inaccurate personal information.
  • Right to delete personal information, subject to legal exceptions.
  • Right to opt out of the sale of personal information.
  • Right to opt out of sharing personal information for cross-context behavioral advertising or targeted advertising.
  • Right to opt out of certain profiling or automated decision-making where applicable.
  • Right to limit the use or disclosure of sensitive personal information where applicable.
  • Right to appeal a privacy request decision where applicable.
  • Right not to be discriminated against for exercising privacy rights.

To exercise your privacy rights, including your rights to know, access, delete, correct, receive a copy of, opt out of the sale or sharing of, opt out of targeted advertising, limit certain uses of sensitive personal information, or appeal a privacy decision where applicable, please use our Privacy Rights Center at Privacy Request or email us at privacy@astoriacompany.com. California residents and residents of other applicable states may also use our "Do Not Sell or Share My Personal Information / Your Privacy Choices" link at Your Privacy Choices. Authorized agents may submit requests through Authorized Agent Request. We may need to verify your identity or authority before fulfilling certain requests. We will not require you to create an account solely to submit a privacy request.

Authorized agents may submit requests where permitted by law. We may require proof of authorization and may ask the consumer to verify their identity directly with us unless prohibited by law.

16. California Privacy Notice

This section supplements the rest of this Privacy Policy and applies to California residents. Terms used in this section have the meanings given to them under the California Consumer Privacy Act, as amended by the California Privacy Rights Act and related regulations (collectively, the "CCPA").

In the preceding 12 months, we may have collected, disclosed for a business purpose, sold, or shared the categories of personal information described below. The exact categories depend on your interactions with us.

CCPA CategoryExamplesBusiness/Commercial PurposesCategories of Recipients
IdentifiersName, address, email, phone, IP address, online identifiers, lead IDs, account IDs.Provide services, match inquiries, route leads/calls, support, security, consent documentation, compliance, marketing.Partners, service providers, customers, vendors, advisors, authorities.
Customer records / personal information under Cal. Civ. Code 1798.80Contact information, signature/e-signature records, financial or inquiry information where provided.Process inquiries, transactions, accounts, compliance, legal obligations.Partners, service providers, processors, advisors, authorities.
Protected classification characteristicsInformation such as age or other characteristics if voluntarily provided or relevant to an inquiry.Eligibility, routing, compliance, legal obligations, requested services.Partners and service providers as needed for requested services.
Commercial informationProducts or services requested, considered, or purchased; lead/call transaction data.Operate lead/call services, billing, account management, analytics, compliance.Partners, service providers, customers, vendors.
Internet or network activityCookies, pixels, browsing activity, clicks, pages viewed, device data, analytics.Website operation, analytics, advertising, security, fraud prevention, consent documentation.Analytics providers, advertising partners, service providers.
Geolocation dataApproximate location from IP address; precise location only if provided or permitted.Routing, fraud prevention, localization, campaign eligibility.Service providers, Partners where relevant.
Audio/electronic informationCall recordings where permitted, voicemail, SMS, email, chat, support messages.Support, compliance, consent documentation, dispute resolution, quality assurance.Communications vendors, service providers, Partners, advisors.
Professional or employment-related informationBusiness contact details, employer, title, account role.B2B sales, support, contracting, SaaS account administration.Service providers, customers, vendors, advisors.
Education informationEducation interests or school inquiry details where submitted.Respond to education-related inquiries and match with relevant providers.Education Partners and service providers.
InferencesPreferences, interests, lead quality, fraud signals, routing scores.Routing, personalization, fraud prevention, compliance, analytics.Service providers, Partners, customers where relevant.
Sensitive personal informationHealth/Medicare interests, financial information, government IDs, account information, precise location, legal matter details where submitted.Provide requested services, route inquiries, compliance, fraud prevention, legal defense.Partners and service providers as necessary or permitted by law.

We may sell or share categories of personal information, including identifiers, contact information, commercial information, internet or network activity, inquiry information, consent records, and related information, to Partners in connection with lead generation, call routing, advertising, matching, and similar services. We do not knowingly sell or share personal information of consumers under 16 years of age.

California residents may exercise CCPA rights using the following methods:

California residents may also use recognized opt-out preference signals, such as Global Privacy Control, where required by law and technically feasible. We will not use dark patterns, require account creation solely to opt out, or require more information than reasonably necessary to verify or fulfill a request.

17. Other State Privacy Notices

Residents of states with comprehensive privacy laws may have rights similar to those described above, including rights to access, correct, delete, receive a portable copy, opt out of targeted advertising, opt out of sale, opt out of certain profiling, appeal decisions, and not be discriminated against for exercising rights. These states may include, without limitation, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Tennessee, New Jersey, Nebraska, New Hampshire, Minnesota, Maryland, Kentucky, Indiana, Rhode Island, and other states as laws become effective or applicable.

We will apply state-specific rights as required by applicable law. Because the scope, thresholds, exemptions, definitions, and rights vary by state, not every right applies in every situation or to every person.

18. Washington Consumer Health Data Notice

This section supplements the rest of this Privacy Policy and applies where Washington's My Health My Data Act applies to consumer health data processed by Astoria. Astoria also maintains a separate Washington Consumer Health Data Privacy Notice and a Washington Consumer Health Data Request Form. Health insurance and Medicare-related websites should include a separate footer link to the Washington Consumer Health Data Privacy Notice where required.

Astoria operates websites, landing pages, forms, call flows, tracking numbers, and marketing services that may collect, route, disclose, sell, share, or otherwise process information submitted by consumers who request information about health insurance, Medicare insurance, Medicare-related products, health coverage, insurance quotes, plan options, or related services. This Washington Consumer Health Data Notice is intended to describe Astoria's practices with respect to consumer health data that may be covered by Washington law and is not intended to describe HIPAA-regulated protected health information unless expressly stated otherwise.

Consumer Health Data We May Collect

Depending on the website, form, call, inquiry, consent language, and transaction, Astoria may collect the following categories of consumer health data:

  • Health insurance inquiry information; Medicare or Medicare-related insurance inquiry information; information about requested health coverage, insurance type, plan interest, eligibility interest, or coverage needs; and information that may be inferred from a request for health insurance, Medicare insurance, health coverage, plan options, or related services.
  • Contact information submitted in connection with a health-related inquiry, including name, email address, telephone number, mobile number, mailing address, ZIP code, state, and related identifiers.
  • Information submitted through quote request forms, lead forms, call flows, chat, email, SMS, telephone calls, account portals, APIs, or other communications.
  • Call recordings where permitted, call logs, SMS records, email records, chat records, support records, and related communication metadata.
  • Consent records and technical documentation, including timestamp, IP address, user agent, form URL, landing page, consent language, TrustedForm certificate, Jornaya LeadiD, call tracking records, lead ID, campaign ID, source ID, sub-ID, and similar documentation.
  • Device, browser, IP address, approximate location, website activity, session information, and analytics data related to interaction with a health insurance, Medicare, or insurance-related Astoria website.
  • Records used for suppression, opt-out, fraud prevention, compliance, legal defense, dispute resolution, billing, security, and auditing.

Sources of Consumer Health Data

Astoria may collect consumer health data directly from you; from Astoria-operated health insurance, Medicare, or insurance-related websites, forms, landing pages, call tracking numbers, APIs, or campaign pages; from advertising, marketing, publisher, lead seller, call seller, affiliate, or commercial sources; from technology vendors and service providers; and from lead buyers, call buyers, insurance agencies, Medicare-related providers, advertisers, or other partners involved in responding to your request.

Purposes for Collecting and Using Consumer Health Data

Astoria may collect and use consumer health data to respond to your request for information; process, validate, route, transfer, disclose, sell, share, post, ping, match, suppress, deduplicate, or otherwise process your inquiry; connect you with insurance agencies, licensed agents, Medicare-related providers, advertisers, lead buyers, call buyers, or other partners; document and verify consent; operate lead generation, pay-per-call, call routing, ping/post, host/post, compliance, fraud prevention, and data routing systems; detect and prevent fraud, invalid traffic, abuse, bot activity, security incidents, or unlawful conduct; maintain suppression, opt-out, do-not-contact, consent, and legal compliance records; comply with laws and legal process; enforce agreements; resolve disputes; process returns; investigate complaints; and defend legal rights.

Sharing of Consumer Health Data

Astoria may share or disclose consumer health data with health insurance agencies, Medicare insurance agencies, licensed insurance agents, advertisers, lead buyers, call buyers, service providers, call centers, call routing providers, pay-per-call platforms, lead routing platforms, consent documentation providers, fraud prevention vendors, analytics providers, hosting providers, email/SMS providers, CRM providers, security vendors, attorneys, auditors, insurers, accountants, consultants, government authorities, regulators, courts, law enforcement, and successors or potential successors in connection with a business transaction, as permitted by law and consistent with the purpose of the consumer's request and the consent language presented at the point of collection.

Sale of Consumer Health Data

Washington law defines "sale" broadly as the exchange of consumer health data for monetary or other valuable consideration. To the extent Astoria's transfer of Washington consumer health data is considered a "sale" under Washington's My Health My Data Act, Astoria will obtain a separate valid authorization where required before selling such consumer health data. A valid authorization may need to identify the specific consumer health data being sold, the seller, the purchaser, the purpose of the sale, how the purchaser will use the data, the consumer's right to revoke, the expiration date, and the consumer's signature and date. Astoria may retain signed sale authorizations and related records as required or permitted by law.

Washington Consumer Health Data Rights

Subject to applicable law, exceptions, and verification, Washington consumers may have the right to:

  • Confirm whether Astoria is collecting, sharing, or selling consumer health data about them.
  • Access consumer health data maintained by Astoria.
  • Receive a list of third parties and affiliates with whom Astoria has shared or sold consumer health data and available contact information.
  • Withdraw consent for future collection or sharing of consumer health data.
  • Request deletion of consumer health data.
  • Appeal Astoria's refusal to act on a consumer health data request.

How to Submit a Washington Consumer Health Data Request

You may submit a Washington consumer health data request by using Astoria's Washington Consumer Health Data Request Form or by emailing privacy@astoriacompany.com. We may need to verify your identity or authority before fulfilling certain requests. We may request additional information reasonably necessary to authenticate the request. You are not required to create a new account solely to exercise your rights.

You may withdraw consent for future collection or sharing of Washington consumer health data by using the Washington Consumer Health Data Request Form or by emailing privacy@astoriacompany.com. Withdrawal of consent may limit Astoria's ability to provide requested services, route your inquiry, match you with providers, or complete pending requests. If you request deletion, Astoria will process the request as required by applicable law and may retain limited records where permitted or required by law, including records needed for fraud prevention, security, consent documentation, do-not-contact or suppression, legal defense, regulatory compliance, accounting, dispute resolution, and enforcement of legal rights.

Data Security and Access Controls

Astoria uses reasonable administrative, technical, and physical safeguards designed to protect consumer health data. Access to consumer health data is restricted to personnel, contractors, processors, and service providers who need access for the purposes described in this Privacy Policy, the Washington Consumer Health Data Privacy Notice, or to provide requested services.

Geofencing

Astoria does not knowingly use geofencing around health care facilities to identify or track consumers seeking health care services, collect consumer health data from consumers, or send advertisements or messages based on consumer health data or health care services.

19. Retention of Personal Information

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, operate our business, comply with law, maintain records, resolve disputes, enforce agreements, document consent, prevent fraud, maintain suppression lists, and defend legal claims.

Retention periods may vary based on the type of data, source, applicable vertical, contractual requirements, legal requirements, statute of limitations, regulatory requirements, and business needs. For example, we may retain consent records, call records, lead transaction records, suppression records, billing records, and compliance records for longer periods when necessary to demonstrate compliance with TCPA, DNC, privacy, data broker, advertising, contractual, or other legal obligations.

20. Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. However, no method of transmission, storage, or security is completely secure, and we cannot guarantee absolute security.

If you use a SaaS account, API, dashboard, or customer portal, you are responsible for maintaining the confidentiality of your login credentials, API keys, authorized users, and account configurations.

21. Children and Teens

Our websites and services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. We also do not knowingly sell or share personal information of consumers under 16 years of age. If you believe a child has provided personal information to us, contact us so we can review and take appropriate action.

22. International Users

Our websites and services are operated from the United States. If you access our websites or services from outside the United States, you understand that your information may be collected, processed, transferred, stored, and used in the United States and other jurisdictions that may not provide the same level of data protection as your location.

23. Third-Party Websites and Services

Our websites and communications may contain links to third-party websites, services, ads, offers, forms, or platforms. We do not control and are not responsible for the privacy practices of third parties. Review the privacy policies and terms of any third-party websites or services you visit or use.

Third-party chat widgets or messaging tools may be embedded on certain Astoria websites. Your interaction with a chat tool may involve processing by the chat provider under its own terms and privacy practices, in addition to Astoria’s use of the information as described in this Privacy Policy.

24. Business Transfers

We may disclose or transfer personal information as part of a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, assignment, due diligence process, or other business transaction involving all or part of Astoria’s business or assets.

25. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we update it, we will revise the effective date or last updated date above. The updated version will be posted on the applicable website. Your continued use of our websites or services after an update means you acknowledge the updated Privacy Policy.

26. Contact Us and Submit Privacy Requests

To submit a privacy request, opt-out request, data broker request, Washington consumer health data request, or question about this Privacy Policy, please contact:

Privacy Officer
Astoria Company Marketing LLC d/b/a Astoria Company
Fort Worth, Texas
Dedicated Privacy Email: privacy@astoriacompany.com
General Business Email: bizdev@astoriacompany.com
Privacy Phone Number: 1-510-663-7016

Astoria does not use or disclose sensitive personal information for purposes that require a separate "Limit the Use of My Sensitive Personal Information" request link under California law. If our practices change, we will update this Privacy Policy and provide any required request method.