EU-US Privacy Shield Policy
HealthRhythms’ Commitment to Privacy Shield Principles
Health Rhythms Inc. (“HealthRhythms“, “We”, “Our” or “Us“) complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Privacy Shield Personal Data from European Economic Area countries. HealthRhythms has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
This Privacy Shield Policy applies only to Privacy Shield Personal Data. HealthRhythms processes personal data of individuals that use the services offered by us and our customers/partners to facilitate clinical trial data collection and medical record collection. This includes personal data published on our web and mobile digital applications, and delivered via other communication channels. The personal data may includes data demographic information as well as clinical data which may be collected automatically from the sensors on smartphones or entered manually by patients, caregivers, or healthcare providers via questionnaires or collected from healthcare providers records made available to patients.
Privacy Shield Principles
HealthRhythms commits to subject to the Privacy Shield Principles all Privacy Shield Personal Data (i.e., all Personal Data received by HealthRhythms in the U.S. from European Economic Area member countries in reliance on the Privacy Shield).
HealthRhythms receives all Privacy Shield data from customers (e.g., health systems, pharmaceutical companies, research organizations etc.) located in the EU who have purchases licenses for our software. These customers are the entities with which you have entered into agreement with. This policy will explain how this license is used by such customers and how you should contact them if you have further questions about our software.
“Data Subject” means the individual to whom any given Privacy Shield Personal Data refers.
“Personal Data” means any information relating to an individual residing in the European Economic Area that can be used to identify that individual either on its own or in combination with other readily available data.
“Privacy Shield Personal Data” means Personal Data received by HealthRhythms in the U.S. from European Economic Area member countries in reliance on the Privacy Shield.
“Sensitive Personal Data” means Personal Data regarding an individual’s ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, sexual life, or criminal record.
HealthRhythms notifies Data Subjects about its data practices regarding Privacy Shield Personal Data, including:
- the types of Privacy Shield Personal Data it collects about them;
- the purposes for which it collects and uses such Privacy Shield Personal Data;
- the types of third parties to which it discloses such Privacy Shield Personal Data and the purposes for which it does so;
- the rights of Data Subjects to access Privacy Shield Personal Data about them;
- the choices and means that HealthRhythms offers for limiting its use and disclosure of Privacy Shield Personal Data;
- how Data Subjects can contact HealthRhythms with any inquiries or complaints; and
- other information about HealthRhythms' compliance with the Privacy Shield as required by the Notice principle.
Notice is provided in clear and conspicuous language-including through this Privacy Shield Policy-when Data Subjects are first asked to provide Privacy Shield Personal Data to HealthRhythms' customer or as soon thereafter as is practicable, but in any event before HealthRhythms uses such Privacy Shield Personal Data for a purpose other than that for which it was originally collected or processed by the transferring organization located in the European Economic Area or discloses it for the first time to a third party.
The Privacy Shield Personal Data that HealthRhythms collects includes patient data, clinical trial participant data, and health care provider data. HealthRhythms does not collect sensitive personal information such as medication lists and other clinical data specific to the individual’s situation. HealthRhythms does not collected the following data: Name, Email address, Mailing Address, Date of Birth, Medical Condition and Phone number.
HealthRhythms' collects data from your smartphone to track factors related to your wellbeing. When you use our services through a third party customer we collect the following data:
- Location. Our system collects location data from sources such as GPS, Wi-Fi and cell towers once you install the App and consent to the App’s tracking your location. You may choose to stop our collection of location data through the Settings that we provide in the App, or by removing the App from your phone.
- Activity. The App tracks your physical activity using the sensors built into your smartphone. This includes pedometer data reported by the Operating System over a given time interval, as well as motion activities reported by the Operating System, derived via available hardware on the smartphone, e.g. accelerometer, gyroscope. Similar to location data, you may stop our collection of this data at any time. Smartphone Use. With your permission the App collects whether your smartphone screen is or off, locked or unlocked. This can be useful to estimate sleep duration.
- Social Data. Some versions of our mobile app occasionally monitors the device’s microphone in the background in order to detect whether human voice is present or not. No audio files are ever recorded on the device or transmitted to our servers. Brief pieces of audio are stored temporarily in memory and analyzed for the presence of human voice. The resulting data indicates simply whether there was voice present or not. The temporary audio files are immediately destroyed.
- Other sensed data. There are a range of beta streams that Measure collects to explore relations between these streams and wellbeing. These are not personally identifiable
- Information from your device. This includes information about your operating system, carrier, language, battery performance, wi-fi or other network connections, or other data that you permit the App to access on your device including through permissions on your device (e.g. Google Play on Android). We do NOT collect information unique to you like your device identifier
- Information you provide. If you choose to answer self-report questions presented by through our mobile app, you may thereby provide information such as your mood, gender, height, weight, and birth year. None of these details will include personally identifiable information. We do NOT collect your name, email address, date of birth, social security number of any similar personal information that could identify you.
How we use your information
The purposes for which HealthRhythms collects and uses such Privacy Shield Personal Data include:
- to provide our customers with products and services;
- to improve the products and services that we provide;
- to conduct research, including through clinical trials;
- to improve HealthRhythms' algorithms, measure and understand how our Services are used, and to develop new products, services and features;
- to handle complaints;
- to coordinate your care with your health care system;
- for other purposes as required or permitted by law.
In addition, we may use de-identified health information to contribute to public health efforts related to behavioral health issues and for other uses. HealthRhythms may disclose such Privacy Shield Personal Data to the following types of third parties:
- your health care providers and health plans, in connection with coordinating your care, improving your treatment, and/or obtaining payment for our products and services;
- a pharmaceutical company running a trial in which you have agreed to participate;
- third parties designated by you and with whom you elect to share your information through our mobile apps or websites (e.g., friends, family, and health care providers);
- third parties in association with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets;
- third parties as required by law or regulation and when we have a good faith belief that it is necessary to protect the legal rights, safety, and security of us or others; and
- law enforcement or other government entities to comply with or respond to law enforcement or legal process or a request for cooperation, such as complying with legal requirements to disclose Privacy Shield Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If Privacy Shield Personal Data is to be used for a new purpose that is materially different from that for which the Privacy Shield Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, HealthRhythms will provide you with an opportunity to choose whether to have their Privacy Shield Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Privacy Shield Personal Data should be sent to: email@example.com
If Privacy Shield Personal Data that qualifies as personally identifiable information is to be used for a new purpose that is different from that for which the Privacy Shield Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, HealthRhythms will obtain the Data Subject’s explicit consent prior to such use or disclosure, except if the use or disclosure is:
- In the vital interests of the Data Subject or another person;
- Necessary for the establishment of legal claims or defenses;
- Required to provide medical care or diagnosis;
3. Accountability for Onward Transfer
In the event we transfer Privacy Shield Personal Data to non-agent third parties, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Privacy Shield Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection to that Privacy Shield Personal Data as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Privacy Shield Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination.
With respect to our agents, we will transfer only the Privacy Shield Personal Data needed for an agent to deliver to HealthRhythms the requested service. Furthermore, we will (i) permit the agent to process such Privacy Shield Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection to that Privacy Shield Personal Data as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Privacy Shield Personal Data transferred in a manner consistent with HealthRhythms' obligations under the Privacy Shield Principles; and (iv) require the agent to notify HealthRhythms if it makes a determination that it can no longer meet its obligation to provide the same level of protection to the Privacy Shield Personal Data as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, HealthRhythms will take reasonable and appropriate steps to stop and remediate unauthorized processing.
HealthRhythms remains liable under the Privacy Shield Principles if an agent processes Privacy Shield Personal Data in a manner inconsistent with the Privacy Shield Principles, except where HealthRhythms is not responsible for the event giving rise to the damage.
HealthRhythms uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate. HealthRhythms has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction.
HealthRhythms takes reasonable and appropriate measures to protect Privacy Shield Personal Data from loss, misuse, and unauthorized access, disclosure. alteration. and destruction, taking into due account the risks involved in the processing and the nature of the Privacy Shield Personal Data.
The information you provide to us is stored in encrypted form on secure servers located in the US, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepaper: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
We use commercially reasonable physical and technical safeguards to secure your data. We encrypt the communication channels using SSL. We use state-of-the-art privacy protective algorithms to ensure that we minimize the amount of personal information we collect and maximise the security of this data. However, we cannot guarantee the security of your data, which may be compromised by unauthorized entry or use, hardware or software failure, and other factors.
We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default.
Your data may be transferred to, and stored at, other destinations inside the EEA by or to staff who work for HealthRhythms. Such staff may be engaged in, among other things the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
However, despite these measures ,we cannot guarantee the security of your data. The transmission of information via the internet (especially by email) is never completely secure. Once we have received your information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice and appropriate laws.
5. Data Integrity and Purpose Limitation
HealthRhythms limits the collection of Privacy Shield Personal Data to information that is relevant for the purposes of processing. HealthRhythms does not process such Privacy Shield Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject. HealthRhythms takes reasonable steps to ensure that such Privacy Shield Personal Data is reliable for its intended use, accurate, complete, and current.
HealthRhythms retains Privacy Shield Personal Data in identifiable form only for as long as it serves a purpose of processing, unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such Privacy Shield Personal Data.
Data Subjects have the right to access Privacy Shield Personal Data about them and to correct, amend, or delete such Privacy Shield Personal Data if they can demonstrate that it is inaccurate. However, this right may be restricted in limited circumstances, such as when the burden or expense of providing access. correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated. Requests for access, correction, amendment, or deletion should be sent to: firstname.lastname@example.org.
7. Recourse, Enforcement, and Liability
HealthRhythms' participation in the Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission. HealthRhythms agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. HealthRhythms acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
In compliance with the Privacy Shield Principles, HealthRhythms commits to resolve complaints about your privacy and our collection or use of your Privacy Shield Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact HealthRhythms at:
Mark Matthews, Health Rhythms, Inc., 246 5th Avenue, Suite 617, New York, NY 10001
HealthRhythms has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. The services of BBB EU PRIVACY SHIELD are provided at no cost to you.
Please note that if your complaint is not resolved through these channels, under certain conditions, you may be able to invoke binding arbitration before a Privacy Shield Panel, as described in Annex I of the Privacy Shield (available at https://www.privacyshield.gov/article?id=ANNEX-l-introduction).
Changes to this Privacy Shield Policy
This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Appropriate notice regarding such amendments will be given.
Effective Date: October 10, 2017