Effective as of May 25th, 2018
MedAngel (“MedAngel”, “We”, “Us”, “Our”) values your privacy and is committed to protecting your Personal Information. We understand it is important to you and we want you to know how we collect, use, share, and protect your information.
Med Angel B.V.
6534 AT Nijmegen
+31 (0)24 3010 241
If you have any questions or comments regarding your data protection, please contact us at firstname.lastname@example.org.
In the following, we reference two regulatory frameworks, the European General Data Protection Regulation and the EU-US Privacy Shield. Full text and more information can be found here.
Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) on the protection of natural persons with regards to the processing of personal data and on the free movement of such data. The regulation came into force on 24 May 2016 and applies from 25 May 2018.
The EU-US Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.
We may also release your Personal Information to third parties as required by law, when we believe disclosure is necessary to comply with a legal or regulatory requirement, judicial proceeding, court order or legal process served on us, to protect the safety, rights or property of patients, customers, the public or MedAngel, or defend MedAngel and its officers, directors, employees, attorneys, agents, contractors and partners, in connection with any legal action, claim, or dispute.
When contacting us, (for example via email, telephone, the chat window on our website or social media) Personal Information, such as name or email address will be collected to process the request. Personal information can be stored in a Customer Relationship Management System (“CRM System”) or similar platform.
Information shared with us is given expressively on a voluntary basis and with your consent. When providing us with contact details, like email address or telephone number, you also consent to us contacting you via those communication channels, in order to answer your request.
When communicating with us through email, our website chat, or social media channels, please be aware, that we cannot secure any sensitive Personal Information such as health information sent through these channels, because such information can be accessed by other internet users. If you send us a question, our use and disclosure of that information will be limited to the minimum necessary to respond to your question.
1. Social Media
We maintain an online presence on social networks and platforms in order to communicate with customers, interested individuals and our users and to inform about our services. When using the respective networks and platforms, the terms and conditions and the data policies of the respective operator of these networks and platforms apply.
2. CRM System – Zendesk
We use Zendesk’s CRM system, Zendesk, Inc., 989 Market Street # 300, San Francisco, CA 94102, USA, to process requests from users faster and more efficiently (legitimate interest in accordance with Art. 6 (1) f GDPR).
Zendesk is certified under the EU-US Privacy Shield, thereby agrees to comply with European Data Protection Laws.
Zendesk uses your personal information only for technical processing of inquiries and does not pass them on to third parties. The use of Zendesk requires at minimum the specification of a valid email address. Using a pseudonym is possible. When processing your request, it may be necessary to collect further data (for example name, address, email address used to sign up in the app, mobile device used).
3. Website Chat – Drift
We use a website chat integration, Drift.com, Inc. 3 Copley Place, Suite 7000, Boston, Massachusetts 02116, USA, to faster process requests from our users and provide a direct point of contact to interested website visitors (legitimate interest in accordance with Art. 6 (1) f GDPR).
Drift is certified under the EU-US Privacy Shield, thereby agrees to comply with European Data Protection Laws.
With the following information, we inform you about the contents of our newsletter as well as sign-up, sending and statistical evaluation as well as your right to withdraw consent. Our interest lies in the use of a user-friendly and secure newsletter system, which serves both our business interests and delivers relevant information to our users.
Content of the newsletter: With consent of the recipient, we send newsletters, emails and other electronic notifications with information about us and our services (hereinafter “newsletter”) based on our legitimate interests in the direct marketing according to Art. 6 (1) f GDPR.
Double opt-in and tracking: Registration for our newsletter is a so-called double-opt-in procedure. After signing up, you will receive an email asking you to confirm your registration. Your sign up for the newsletter will be tracked in order to prove your consent. This includes the storage of sign up and confirmation time, as well as the IP address.
Information required: To subscribe to the newsletter, it is sufficient to provide your email address.
Unsubscribe/Revoke Consent: You may unsubscribe from our newsletter at any time. A link to cancel the newsletter can be found at the end of each newsletter. We may save the submitted email addresses for up to three years based on our legitimate interests before we delete them to document prior consent.
5. Newsletter – MailChimp
The Rocket Science Group LLC is certified under the EU-US Privacy Shield, thereby agrees to comply with European Data Protection Laws.
We use this mailing service provider based on our legitimate interests according to Art. 6 (1) f GDPR and a contract data processing agreement according to Art. 28 (3) GDPR. MailChimp may use the data of newsletter recipients after pseudonymisation, meaning that the personal data can no longer be attributed to a specific user without the use of additional information, to optimize or improve their own services. However, MailChimp does not use your Personal Information to contact you directly or to share with third parties.
III. Website Use: Analytics and Advertising
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. The “Help” feature on most browsers provides information on how to accept cookies, disable cookies or to notify you when receiving a new cookie. When visiting our website, we will ask if you choose to accept or not accept cookies. If you do not accept cookies, you may not be able to use some features of our Service. You can learn more about cookies here.
2. Google Analytics
In our legitimate interest in analysis, optimization and improvement of our online services, and in accordance with Art. 6 (1) f GDPR, our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
In case of activation of the IP anonymization, Google will shorten/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases, the full IP address is sent to Google servers in the USA and then shortened.
Google is certified under the EU-US Privacy Shield and thereby agrees to comply with European Data Protection Laws. Further information concerning the terms and conditions of use and data privacy can be found at here.
On behalf of us, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address with any other data held by Google.
Personal Information of users will be deleted or anonymized after 14 months.
3. Facebook-Pixel, Custom Audiences and Facebook-Conversion
In our legitimate interest in analysis, optimization and improvement of our online services, and in accordance with Art. 6 (1) f GDPR, our website uses “Facebook-Pixel” by the social network Facebook (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or for Members of the European Union, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“Facebook”)).
Facebook is certified under the EU-US Privacy Shield and thereby agrees to comply with European Data Protection Laws. Further information concerning the terms and conditions of use and data privacy can be found at here.
By using Facebook Pixel, it is possible for Facebook to determine our website visitors as a target group for the display of advertisements (“Facebook ads”). We might also use Facebook Pixel to show Facebook ads we might run only to those Facebook users who have shown an interest in our website or who have certain features (eg. interests in certain topics or product, as determined by websites visited by them), which we transmit to Facebook (“Custom Audiences”). Facebook Pixel helps us show Facebook ads to relevant audiences and understand the effectiveness of Facebook ads for statistical and market research purposes, in which we see whether users were redirected to our website after clicking on a Facebook ad (“conversion”).
The processing of the data by Facebook falls under Facebook’s Data Policy. Find more information on how to display Facebook Ads in Facebook’s Data Policy. For specific information and details about Facebook Pixel and how it works, visit the help section of Facebook.
You may object to the capture by the Facebook Pixel and use of your data to display Facebook Ads. To set which types of ads you see within Facebook, you can go to a page set up by Facebook and follow the instructions for usage-based advertising settings. The settings are platform independent, meaning that they are adopted for all devices, such as desktop computers or mobile devices.
Our store is hosted on Shopify Inc. , 150 Elgin St., 8th Fl, Ottawa, ON K2P 1L4, Canada or for Residents of the European Economic Area: Shopify International Limited, c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland. They provide us with the online e-commerce platform that allows us to sell our products and services to you in our legitimate interest to pursue business, and in accordance with Art. 6 (1) f GDPR.
Shopify is certified under the EU-US Privacy Shield and thereby agrees to comply with European Data Protection Laws.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
V. App Use
1. What kind of data is collected?
By creating an account, you voluntarily provide us with your email address. Furthermore, we collect information about the MedAngel sensors added to your app (MAC address and given name), the name of the medication assigned, and time-temperature records. This information is collected and stored in a pseudonymised way. This means that the data can be processed in such a manner that it can no longer be attributed to a specific person without the use of additional information, as defined uner Art. 4 GDPR.
2. Storage of Your Information
The information described above is stored locally on your mobile device as well as on servers hosted in Europe.
In our legitimate interest in analysis, optimization and improvement of our services, and in accordance with Art. 6 (1) f GDPR, we use Mixpanel, Inc. 405 Howard St., Flr 2, San Francisco, CA 94105, USA, to track and analyse user interactions with our mobile apps and to send targeted messages to our app users via email.
Mixpanel is certified under the EU-US Privacy Shield and thereby agrees to comply with European Data Protection Laws.
We use targeted email messaging through Mixpanel to, for example, offer you support following your registration. You can opt out of these emails at any time through a link included in the email. We also use Mixpanel to track actions made in the app, the time they were made, on which app platform, type of mobile device, time zone, country, region, city, and the number of sensors added to the app and operating system.
4. Creation of Anonymous Data
We may create anonymous data records from personal information by excluding information (such as your name) that makes the data personally identifiable to you. We use this anonymous data to analyze request and usage patterns so that we may enhance the content of our Services and improve Applications and Site navigation. We reserve the right to use anonymous data for any purpose and disclose anonymous data to third parties in our sole discretion.
On occasion, we may make arrangements with certain customers or business partners to share certain de-identified aggregate pattern information in order to assist such customers or business partners to improve their service (such as evaluating patterns, utilization, usage and trends). We may also share such information with you or other users of our service. This type of information may be based in part on information related to you, but does not allow for the personal identification of any individual (in other words, it is “de-identified”). This information will not be used by the customer or business partner for marketing and/or any purpose other than as set forth above.
We remove your identity from your Personal Information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information. De-identified individual information is information about a user presented in a form where information about one anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.
Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other users and becomes statistics. We may use aggregate information to understand the needs of our user community and determine what kinds of programs and services we can offer to you. We could use this anonymous information to give potential users or business partners a picture of our community and services. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.
VI. How We Keep Your Information Secure
Your Personal Information is stored on servers hosted in Europe. We seek to safeguard the security of your Personal Information and have implemented reasonable security measures consistent with applicable laws, safe harbors, and accepted practices to protect the confidentiality of your Personal Information. We have put in place a variety of information security measures to protect your Personal Information, including encryption technology, to protect your Personal Information during data transport and at rest. We limit the access to your Personal Information to employees who need it for the execution of their duties.
Despite our efforts, however, we cannot guarantee the absolute security of your Personal Information, nor can we guarantee that information that you provide will not be intercepted while being transmitted to us over the Internet. There is always some risk that an unauthorized third party may find a way around our security systems or that transmissions of your Personal Information over the Internet will be intercepted.
Therefore, we urge you to also take every precaution to protect your Personal Information when you are on the Internet or using the App. In order to protect your privacy, never share your sign-in name or password and always log out of the App when you are finished using the service.
VII. Your Rights
You have the right to withdraw consent to process your personal information at any time, with effect to future processing of that data according to Art. 7 (3) GDPR. We will continue to provide our services if they do not depend on the withdrawn consent.
You have the right to obtain from us confirmation as to whether or not personal information is being processed, to obtain access to a copy of the personal data and more information according to Art. 15 GDPR (Right of access by the data subject).
You have the right to obtain from us the rectification of inaccurate personal data concerning you as described in Art. 16 GDPR. In certain circumstances, you may have a broader right to the erasure of personal information that we hold about you according to Art. 17 GDPR (Right to erasure ‘right to be forgotten’) – for example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions, or to comply with our legal obligations. This is, for example, applicable to invoices.
You may have the right to request that we restrict the processing of your personal information in certain circumstances (for example, if you believe that the personal information we hold about you is inaccurate or unlawfully held) according to Art. 18 GDPR (Right to restriction of processing).
You have the right to request a copy of your personal information in a structured, machine readable and commonly used format and to request that we transfer the personal information to another data controller without hindrance as described in Art. 20 GDPR (Right to data portability).
If you consider that we do not adequately handle your data protection rights or have any questions regarding this matter, please contact us at email@example.com.
If you submit an inquiry or complaint to MedAngel but do not receive acknowledgement from us or think the complaint or concern has not been satisfactorily addressed, you also have the right to lodge a complaint to a data protection supervisory authority about our collection and use of your personal information (Art. 20 GDPR). For more information, please contact your local data protection authority.