Privacy and Security Policy:
Effective Date: June 17, 2019
The Provider Portal and App offer two types of functions: (i) Review and analysis of patient data concerning electrical stimulation, range of motion, and other relevant health data (Health Data Features); and (ii) those that are intended to be used for educational, recreational, and non-medical purposes (Wellness Data Features). The Wellness Data Features are not intended for the purpose of diagnosis, treatment, or identification of any particular disease, condition or function of the body.
Health Data Features: The e-vive™ System, which is used in conjunction with the Provider Portal and App, is a prescription medical device cleared by the Food and Drug Administration (“FDA”) in the USA and is intended to be used under the direction of a healthcare provider. Please refer to the User Manual for more information regarding the intended use of the e-vive™ System. The electrical stimulation feature of the App, which is intended for use as an accessory to the e-vive™ System and other medical devices, is the only feature intended for and approved for medical use.
Wellness Data Features: The App offers features that allow patients and Providers to set personal goals and track progress related to muscle stimulation, range of motion, activity level, and post-operative pain levels. In addition, the App provides Users with simple tools to organize and track post-surgical health information, and is intended to help patient Users store, document, display, show, transfer, or communicate their rehabilitation progress to their Providers who have created accounts on the Provider Portal. These features are informational only and are not intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, nor are they intended to affect the structure or any function of the body.
PLEASE READ THE FOLLOWING CAREFULLY TO UNDERSTAND OUR VIEWS AND PRACTICES REGARDING YOUR PERSONAL INFORMATION AND HOW WE WILL TREAT IT.
For the purposes of Applicable Data Protection Laws including the European Economic Area data protection law (the “Data Protection Law”):
Non-Provider Users: The data controller is: CyMedica Orthopedics, Inc. 19120 N. Pima Rd. Suite #135, Scottsdale, AZ 85255
Provider Users: The data controllers are YOUR healthcare provider and CyMedica Orthopedics, Inc. 19120 N. Pima Rd. Suite #135, Scottsdale, AZ 85255
Data Protection Officer: Kereshmeh Shahriari <firstname.lastname@example.org>
Access to and use of the Services by a Provider who is a CyMedica customer (a “Customer”) and such Customer’s Authorized Users is subject to and governed by the agreement between CyMedica and the applicable Customer executed by authorized representatives of each party (the “Customer Agreement”). CyMedica may collect, use and disclose information from a Customer and such Customer’s authorized users as set forth in the Customer Agreement. If you would like more information about the Services or becoming a Customer, please contact us at email@example.com.
Section 1. Changes to Policy
Section 2. Collection of Personal Information
BECAUSE THE PERSONAL INFORMATION WE COLLECT AND TRANSMIT MAY INCLUDE HEALTHCARE INFORMATION, INCLUDING MEDICAL INFORMATION, OUR PRIVACY PRACTICES ARE INTENDED TO COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (“HIPAA”). WE WILL MAINTAIN THE PRIVACY OF YOUR HEALTH INFORMATION AS REQUIRED BY HIPAA AND THE REGULATIONS PROMULGATED UNDER THAT ACT. FOR ADDITIONAL INFORMATION RELATED TO YOUR HEALTHCARE INFORMATION, PLEASE CONTACT US AT firstname.lastname@example.org.
All transmissions of Personal Information by the App are securely encrypted using TLS v1.2 over HTTPS in-transit, as required by the law. If you are a Patient, you do not need to use all of the features offered in this App.
Section 3. What information do you collect and why?
Personal Data that You Provide Through the Services
We collect Personal Information (e.g. demographic information) from you when you provide such information, such as when you create a profile on the Services, use the Devices in connection with the Services, contact us with inquiries, enter information into our Website contact form, respond to one of our surveys or use certain features of the Services. We use this information to create your account and provide you with the Services.
For Patients: In addition to demographic information, if you are a Patient, we may ask you to provide your contact preferences, certain contact information, such as your email address, mobile telephone number, and physical address, and other Health Data and Wellness Data to us in order to create your account and provide you with the Services. Such Health Data and Wellness Data may include information about your health conditions, movement, pain, and electrical stimulation. We collect this information to provide you more customized Services and to communicate information to your healthcare provider.
Section 4. How do you use my Personal Information?
When you do provide us with Personal Information, we may use your Personal Information for five (5) general reasons:
- To provide you with the Services
- To send you information about CyMedica.
- We may use your information in aggregate form to help us evaluate and modify our Services or related marketing materials.*
- To customize our marketing communications (depending on the Personal Information we have about you) by sending you information that we believe will be to your benefit.
- To provide technical and sales support.
*Aggregated Personal Data: In an ongoing effort to better understand and serve our Users and communities of patients with certain health conditions, CyMedica conducts research on its user demographics and behavior based on the Personal Information we collect from you and the other information provided to us. This research may be compiled and analyzed, and published on an aggregate basis, and CyMedica may share this research and related information in aggregated, de-identified and/or anonymized format with its affiliates, agents and other healthcare research and services entities, including without limitation insurance and pharmaceutical companies. For the avoidance of doubt, this aggregate information does not identify you personally. CyMedica may also disclose aggregated, de-identified and/or anonymized information in order to describe our business and the Services to current and prospective business partners and Customers, and to other third parties for other lawful purposes.
If you provide an email address, then you may receive announcements or information about CyMedica. You can always choose not to be contacted or to “opt-out” of further contact or solicitations from CyMedica by following the instructions in the email.
You agree that such monitoring or health insurance billing activities, if in compliance with applicable privacy laws, will not entitle you to any cause of action or other right with respect to the manner in which CyMedica or its affiliates or agents monitor your communications and enforce or fail to enforce the terms of this agreement. In no event will CyMedica or any of its affiliates or agents be liable for any costs, damages, expenses, or any other liabilities incurred by you as a result of monitoring or health insurance billing activities by CyMedica or its affiliates or agents.
Section 5. What other information do you collect?
In order to provide you the Services, we will collect certain information about service performance, your devices and your use of the Services. We will automatically upload this information from your Device(s). Any individual identification information transmissions will be secured and encrypted following all applicable privacy laws to maintain privacy whilst providing the Services. Anonymized usage data may be transmitted, which will generally not identify you, and may include information such as the version of the App (if applicable) you have downloaded and installed on your device, IP address, and other information that is not Personal Information.
In order to record and provide feedback from the CyMedica e-vive™ device, we may collect certain information transmitted directly by the device.
Section 6. Where is my Personal Information stored and/or processed?
Information CyMedica collects through the services will be stored on private servers located in the United States. The e-vive Application is native to the phone (or tablet), meaning information you (User) enter in the Application is stored encrypted directly on the device. All information transmitted or received between the e-vive Application and CyMedica servers is encrypted in-transit using Secure-HTTP (HTTPS TLS v1.2). All Personal Information and Protected Health Information (e-PHI) is stored encrypted using SHA-256 ciphers at rest.
Section 7. Will you share my information with anyone else?
CyMedica takes its responsibility to keep your information private very seriously. We consider your use of the Services to be private. However, we may access or disclose information about you or your account under the following limited circumstances:
With Our Customers: If you are a patient, we will share your Personal Information and Health and Wellness Data with your authorized healthcare provider(s). This will enable your provider(s) to track your Health and Wellness Data and combine such Health and Wellness Data with other information about you that your provider obtains in providing healthcare services to you.
In the Event of a Business Transfer: We might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information may be part of the transferred assets.
Legal Authorities: CyMedica may disclose Personal Information when required by law or legal process; when necessary to protect and defend the rights or property of CyMedica or when necessary to protect the personal safety of CyMedica Users and customers.
Aggregate Information: Aggregate information does not contain any Personal Information about our Users. From time to time, CyMedica may share aggregate, non-personal App usage information with third parties, including government agencies, advertisers and our partners.
Section 8. How long will you retain my information?
We store your Personal Information for as long as you maintain an account and up to five (5) years after the account is closed. At the end of this five-year period, we may remove your Personal Information from our databases and will request that our business partners remove your Personal Information from their databases. However, once we disclose your Personal Information to third parties, we may not be able to access that Personal Information any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Information other than as described should be directed to email@example.com. We retain anonymized data indefinitely.
We use two types of cookies: essential and non-essential cookies. Essential cookies are those necessary for us to provide Services to you. All of our Provider Portal cookies are Essential cookies, and without them we would not be able to provide the Services to you. As such, if you do not have your cookies turned on, you will be unable to use the Services. We have provided, below, a full list of our cookies and we have described the purposes of each.
Provider Portal Cookies
CyMedica Website Cookies
Section 10. Account Termination
If your account is terminated for any reason, either by you or CyMedica, we may permanently delete your data from our servers in accordance with applicable law and regulations. CyMedica is under no obligation to return data to you after your account is canceled. If data is stored with an expiration date, we may also delete the data as of that date. Data that is deleted may be irretrievable.
Section 11. Children’s Online Privacy
We do not knowingly collect or maintain personal information from children under the age of eighteen (18) and Services are not directed to individuals under the age of thirteen (13). If you are under the age of thirteen (13), you should not furnish us with any identifiable information about yourself without a parent’s consent. If we learn that personally identifiable information of persons under eighteen (13) years of age has been collected via the App without parental consent, we will take the appropriate steps to delete this information.
If you are aware of a user under the age of 13, please contact us at firstname.lastname@example.org.
Section 12. Communications from CyMedica
We may use the e-mail addresses you provided when you created your App Account to occasionally deliver information relevant to you, benefits, promotions, surveys and notification of other relevant items. If you send us an e-mail with questions or comments, we may use the Personal Information you provide to respond to your questions or comments, and we may save your questions or comments for future reference. However, we will provide you with the option to change your preferences and opt-out of receiving those communications.
You may request at any time that we not e-mail you in the future by clicking the “unsubscribe” link which is included at the bottom of any e-mail communication that you receive from us and hitting send, or by contacting us at email@example.com. When contacting us by e-mail, please insert “UNSUBSCRIBE” in the subject line and the body of the message. If you unsubscribe, you should assume that your request has been received and is being processed. Please allow ten (10) business days from when the request was received to complete the removal of your e-mail address from our database, as some of our promotions may have been in process before such request was submitted. We will make reasonable efforts to discontinue these e-mail communications as soon as practicable.
Section 13. How do you protect my Personal Information?
CyMedica has taken reasonable security measures to protect against the loss, misuse and alteration of information under our control. We use a combination of reasonable physical, technical, and administrative security controls to maintain the security and integrity of your Personal Information, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm or inconvenience to you. However, it is not possible to guarantee the security or integrity of information disclosed online. Because no physical or electronic security is impenetrable, by using the Services, you agree to assume all risks in connection with the information sent to us or collected by us when using the Services. We recommend that you take any and all appropriate steps to secure any device that you use to access the Services.
NOTWITHSTANDING ANY OF THE STEPS WE TAKE, IT IS NOT POSSIBLE TO GUARANTEE THE SECURITY OR INTEGRITY OF DATA TRANSMITTED OVER THE INTERNET. THERE IS NO GUARANTEE THAT YOUR INFORMATION WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. THEREFORE, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY INFORMATION YOU TRANSMIT TO US AND YOU TRANSMIT SUCH INFORMATION AT YOUR OWN RISK.
Section 14. How can I protect my Personal Information?
We will NEVER send you an e-mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and you should NEVER respond to any e-mail requesting such information. If you receive such an e-mail purportedly from CyMedica, DO NOT RESPOND to the e-mail and DO NOT CLICK on any links and/or open any attachments in the e-mail, and notify CyMedica support at firstname.lastname@example.org.
You are responsible for taking reasonable precautions to protect your user information (PIN and/or password, Device ID, etc.) from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You should immediately notify CyMedica at email@example.com if you know of or suspect any unauthorized use or disclosure of your user information, or any other security concern.
EU Data Subject Rights
If you are an EU data subject, you have the following rights under certain circumstances:
- to receive communications related to the processing of your personal data that are concise, transparent, intelligible and easily accessible;
- to be provided with a copy of your personal data held by us;
- to request the rectification or erasure of your personal data held by us without undue delay;
- to request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example);
- to object to the further processing of your personal data, including the right to object to marketing;
- to request that your personal data be moved to a third party;
- to receive your personal data in a structured, commonly used and machine-readable format;
- to lodge a complaint with a supervisory authority.
Where our processing of your Personal Information is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us at firstname.lastname@example.org. You can also exercise the rights listed above at any time by contacting us at email@example.com.
Section 15. How can I update, correct, or delete my Personal Information?
You may review, request corrections, ask that we delete, or refuse further collection or use of the Personal Information CyMedica collects from you. You may do this by contacting CyMedica using the contact information provided at the end of this document.
Section 16. Consent to Receive Notices Via the App
Section 17. Limitation of Liability
YOU UNDERSTAND AND AGREE THAT ANY DISPUTE OVER PRIVACY IS SUBJECT TO THE TERMS AND CONDITIONS OF THE APPLICABLE SERVICES (INCLUDING ANY INDEMNIFICATION AND LIMITATIONS ON DAMAGES CONTAINED THEREIN).
Section 18. Contacting CyMedica
If you have any questions about this Policy, please feel free to contact us at firstname.lastname@example.org.
CY-0030-004 Rev. D