“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified by data such as his or her name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Our Solution works by collecting information on the Subscriber’s behalf about users. The Subscriber determines which data is collected and ultimately owns the data of the responses. The Subscriber can customize the Solution’s interface to request any information it chooses.
1. WHAT USER DATA DO WE COLLECT ABOUT YOU
We collect various types of User Data about you (i) from the Subscriber, (ii) from your use of our Solution, and (iii) from your voluntary submission of Personal Data on our Website, including:
– your name and the names of people you may report for or may report for you within the Solution;
– your email address;
– information regarding your device, browser, operating system and IP address;
– usage data (e.g., date and time of access of our Solution and date and time of certain actions performed on the Solution);
– user ID numbers inputted by the Subscriber in the Solution which may constitute employee, student or similar ID numbers.
2. THE WAY WE COLLECT USER DATA ABOUT YOU
If you use our Solution:
We may collect or receive your User Data when your account is created and when you use the Solution. Some information about you comes from the Subscriber. We do not collect information about you from third parties in connection with providing the Solution to you.
If you visit our Website:
You may use the settings within your browser to control cookies or prevent accepting some or all cookies. For more information on how to block cookies using different browsers, please visit www.allaboutcookies.org. You can block or delete all or some cookies. However, blocking or deleting cookies may limit your ability to take full advantage of the marketing Website.
3. HOW WE RESPOND TO DO NOT TRACK SIGNALS
We treat users the same regardless of their do not track request. That is, we disregard any do not track requests by your browser, operating system or solution, and we do not respond to any do not track requests.
4. PURPOSES FOR USING USER PERSONAL DATA ABOUT YOU
The User Personal Data collected from you will be used for the purposes of:
– management of our users (e.g. registration, account management, answers to user questions and provision of technical support);
– management and improvement of our Solution;
– research and development purposes (analysis in order to better understand your needs and to better understand our business and develop our Solution);
– improving and personalizing your experience;
– improving the quality of our Solution;
– archiving and record keeping; and
– any other purposes imposed by law and authorities.
Management of our users includes the sending of periodic communication via e-mail. Example e-mails may include a welcome e-mail, verification e-mails, or any other e-mails that are required to operate your account.
5. LEGAL BASIS FOR USING USER PERSONAL DATA ABOUT YOU
We will not use your User Personal Data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we may process your User Personal Data if we have at least one of the following:
– consent (where you or your legal guardian have consented to our use of your User Personal Data);
– contract performance (where your information is necessary for the performance of a contract to which you are a party);
– legal obligations (where we need to use your information to comply with our legal obligations);
– legitimate interests (where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights); and
– legal claims (where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party).
If we learn that your Personal Data was wrongly collected by the Solution, we will take steps to delete the information as soon as possible.
6. WHO DO WE SHARE YOUR USER PERSONAL DATA WITH
6.1 General provisions
– the Subscriber;
– our personnel;
– our service providers that provide services to us in the context of the Solution;
– our IT systems providers, cloud service providers, database providers and consultants;
– any third party to whom we assign or novate any of our rights or obligations in the context of a sale or transfer of any part of our business or assets;
– our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets or if so requested to provide specific advice; and
– any national and/or international regulatory, enforcement, public body or court, where we are required to provide access by applicable law or regulation.
The above third parties are contractually or lawfully obliged to protect the confidentiality and security of your User Personal Data, in compliance with applicable law.
6.2 GDPR provision
If you are a data subject under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), please note that we intend to transfer your User Personal Data outside of the European Economic Area.
Note that the European Commission has not adopted an adequacy decision regarding the United States and that the United States does not provide for the same level of personal data protection as the GDPR. On 16 July 2020 in the case ECJ C-311/18, Facebook Ireland and Schrems, 2020, the European Court of Justice has stated that the policies of the United States of America enable interference, based on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States. In particular, that Court has considered that the law of the United States does not provide for the necessary limitations and safeguards with regard to the interferences authorised by its national legislation and does not ensure effective judicial protection against such interferences, which violates the GDPR.
6.3 FERPA provision
The U.S. Family Educational Rights and Privacy Act (“FERPA”) generally applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. As private schools generally do not receive funds from the U.S. Department of Education, FERPA generally does not apply to them.
If the Subscriber is an educational institution or agency subject to FERPA (“Educational Institution”) and you are a student located in the United States (“Student”), the information that we collect about you may be considered part of the Student’s “education records” held by the Educational Institution as defined in 20 U.S.C. § 1232g(a)(4); 34 C.F.R. § 99.3, “Education records.” “Eligible student” means a student who has reached 18 years of age or is attending an Educational Institution of postsecondary education. Unless excepted under FERPA, a parent or eligible student must provide a signed and dated written consent before a school discloses “personally identifiable information” from the student’s education records. 34 CFR § 99.30. This consent may be in electronic form and is the responsibility of the Educational Institution. In some cases, we may ask for your consent on behalf of the Subscriber in order to enroll or keep you in the Solution.
By way of an example, when allowed under FERPA’s “health or safety emergency” exception, the Subscriber may share User Personal Data from Student education records with a public health agency, without your prior written consent. 20 U.S.C. § 1232g(b)(1)(I); 34 C.F.R. §§ 99.31(a)(10) and 99.36. The facts may qualify for other exceptions.
7. DATA SECURITY
We encrypt your Personal Data at rest using AES-256 encryption on AWS and in transit using TLS. We store your data on cloud servers operated by Amazon Web Services (AWS) and located in the United States of America. We back up the data periodically and maintain auditable logs of access to your data. Our personnel retain access to your Personal Data for IT and customer support purposes.
8. THIRD PARTIES
We use various third-party service providers to provide optimal Website and Solution functionality to you and our business operations. These third-party technology service providers have their own privacy policies addressing how they use such information. Not all of these third parties touch your Personal Data in every situation. While we take care in choosing our service providers with our users in mind, we cannot be responsible for the actions of these third parties except to the extent required by law. Below are some examples with links to their privacy policies.
Third parties used in the provision of our Solution to users:
– We use the Expo Platform for our Solution development. You can find out more about their privacy at https://expo.io/privacy-explained and https://expo.io/privacy.
– We use Heroku, a Salesforce company, for our database development. You can find out more about their privacy policies at https://www.heroku.com/policy/security and https://www.salesforce.com/company/privacy/.
– We use MongoDB as a database system. You can find out more about their privacy policies at https://www.mongodb.com/legal/privacy-policy.
Third parties used in the provision of our marketing Website and for customer & marketing management:
We use third-party website visitor tracking services, such as Google Analytics, that collect, monitor and analyze the demographic information of the users visiting our Website in order to increase our Website’s functionality, appeal to prospective customers and measure the effectiveness of our online advertising.
– We use Google Analytics to track, analyze, monitor and report on the Solution and Website traffic. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page at: http://www.google.com/intl/en/policies/privacy/. Any information regarding opting out of Google Analytics tracking can be consulted at: https://tools.google.com/dlpage/gaoptout.
As noted above, we compile Website usage statistics from data collected through cookies. We may publish those statistics or share them with third-party technology service providers, but they do not include Personal Data.
We are not responsible for the conduct of Google, Amazon, Heroku, MongoDB, LogDNA, Salesforce, Expo, WordPress, Freshworks, Mailchimp or any other third parties we may use. As noted above, their respective terms of service and privacy policies can be found on their Websites.
9. STORAGE PERIOD OF YOUR USER PERSONAL DATA
Your User Personal Data will be stored as long as necessary to fulfil the purposes for which it was collected or to comply with legal or regulatory requirements.
What this means in practice will vary depending on the types of data. When we consider the retention duration, we consider any continued need to process the data, together with our legal, regulatory and contractual obligations. For User Personal Data that is related to an agreement that you or your Subscriber has executed with us, the retention period is the duration of that agreement, plus the period until claims under the agreement become time-barred, unless legal or regulatory requirements require a longer or a shorter retention period.
10. YOUR RIGHTS IN RELATION TO YOUR USER PERSONAL DATA
You may be entitled to information or additional rights under applicable privacy and data protection law. Nothing in this section provides rights to individuals not entitled to such information or additional rights.
If you are entitled to these rights, we may require proof of such applicability, such as proof of European, California or other residence before responding to any request made under this section.
The listing of any data protection laws in this Section is not an admission that such laws apply to MyMedBot.
If you have a question or want to exercise these rights, you may send an e-mail to email@example.com.
If you are a data subject under the GDPR, you have:
– the right to request us to provide you with further details on the use we make of your User Personal Data;
– the right to access or receive your User Personal Data as processed by us;
– the right to request the update of any inaccuracies in your User Personal Data;
– the right to request the deletion of your User Personal Data;
– the right to request the restriction of processing to specific categories of your User Personal Data;
– the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
– the right to object, in whole or in part, to the processing of your User Personal Data;
– the right to request the portability of your User Personal Data (i.e., that the User Personal Data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations); and
– the right to make a complaint to the competent data protection authority.
10.2 US laws
10.2.2 New York
If the Subscriber is an Educational Institution subject to the laws of New York, pursuant to New York Education Law § 2-d, Parents Bill of Rights for Data Privacy and Security shall be included with our contract with the Educational Institution.
If you are a user subject to the laws of California, you have:
– the right to receive equal services and prices as other consumers, even if exercising these rights herein, such as opting out of the sale of your data for marketing purposes (which we don’t do);
– the right to opt out of or into the sale or sharing of your User Personal Data (which we don’t do) other than to the Subscriber;
– the right to object to the processing of your User Personal Data for direct marketing purposes (we only do this if you voluntarily submit your data on our Website);
– the right to request deletion of your User Personal Data, provided the provision of data is compliant by law and by our contract with the Subscriber;
– the right to get data in an easily accessible format, provided the provision of data is compliant by law and by our contract with the Subscriber; and
– the right to be notified in case of a personal data breach regarding your User Personal Data; and
You should contact the Subscriber to exercise these rights, and we will work with the Subscriber to help it comply with its obligations under the law. Additionally, you may contact us at +1 (833) 578-1058 and firstname.lastname@example.org.
Any destruction of User Personal Data will be performed in accordance with the California Data Protection Act of 2004 (“CDPA”) (§§1798.80-84 of the Cal. Civ. Code).
Other than the categories of information listed above in Section 1, we do not collect Sensitive Personal Information (as defined in the CDPA) about you unless the Subscriber requires it. We do not have control of what the Subscriber asks its users.
We will use at least industry standard security to protect the educational records generated through our Solution. Pursuant to Public Act No. 16-189, Connecticut law shall govern the duties between us and the local or regional board of education for the Educational Institution, and we will comply with Public Act No. 16-189.
10.2.4 Maryland and Colorado
10.2.5 Florida and Pennsylvania
If the Subscriber is subject to the laws of Florida or Pennsylvania, pursuant to the Florida Information Protection Act of 2014 and Pennsylvania’s Breach of Personal Information Notification Act, we will provide notice to you of a security breach.
11. THE USER IS A MINOR
Please note that we will not knowingly collect, use or disclose User Personal Data from a minor under the age of 16 (the “Minor”) without consent given by a person with parental authority over such Minor (the “Parent”).
Any consents given by a Parent on behalf of a Minor are deemed to be the consent of the Minor.
– represents and warrants that he or she has the legal authority to provide consent for and act on behalf of the Minor;
– agrees to indemnify, defend and hold us harmless against any misuse of the Solution by the Minor or the Parent; and
12. JURISDICTION AND APPLICABLE LAW
You agree that the courts of the Grand Duchy of Luxembourg have personal jurisdiction over you (including the parent and the student) for any disputes arising hereunder and hereby waive any claims or assertions to the lack of personal jurisdiction or forum non conveniens in the courts of the Grand Duchy of Luxembourg.