Privacy Notice and Data Use Policy
Last Updated: 30 September 2021
OXOS Medical, Inc., together with its affiliates and subsidiaries (“OXOS“, “we“, “us” or “our“) takes the privacy and the security of its users” data very seriously. This Privacy Notice and Data Use Policy (“Notice“) explains who we are, how we collect, use and share personal information about you and how you can exercise your privacy rights.
PROCESSING ACTIVITIES COVERED
This Notice applies (unless a different Notice is displayed) to the processing of personal information collected by us in the usual course of business, including when you:
- Visit our websites (such as oxos.com) that display a link to this Notice (the “Site” or “Sites“), visit our social media pages; visit our offices; receive communications from us, including emails, phone calls and texts; or register for, attend and/or otherwise take part in our events, tutorials, webinars or contests (we collectively refer to all of these activities as our “Marketing Activities” in this Notice).
- Use any OXOS products or service, such as a healthcare provider or as a patient to a healthcare provider that uses our products or services (“Users“), including any services provided by OXOS (the “Services“), the Sites, the OXOS Device(s) as well as any application supplied by us, including the OXOS applications available for mobile users (the “App” or “Apps“), when we act as a data controller of your personal information. The Sites, the Services, and the Apps will be collectively referred to herein as the “Platform.”
“You” may, depending on the context, be: a visitor to one of our Sites, offices or social media pages; a recipient of our communications; a patient whose personal information is being hosted on the Platform; or a healthcare provider who uses the OXOS Device(s) and/or the Platform.
This Notice does not apply to the personal information that we process as data processors on behalf of healthcare providers (“Providers“) in the course of providing our Services.
WHO WE ARE
We are OXOS Medical, Inc., a company headquartered in the United States. In support of our mission to democratize healthcare by making medical imaging accessible to everyone around the world, we have developed and provide the OXOS Devices and related Platform, which we offer to physicians or other licensed health care providers. You can find out more about us and our products and services on the OXOS website.
If you are resident in the European Economic Area (“EEA“), UK or Switzerland, the controller of your personal information that we process for the purposes described in this Notice is OXOS Medical, Inc.
WHAT PERSONAL INFORMATION DO WE COLLECT?
The information we collect depends on the context of your interactions with OXOS and the choices you make (including your privacy settings), the products and features you use, your location and applicable law.
In general, our Platform is intended for use by Users. As a result, for much of the personal information (including protected health information (“PHI“)) we collect and process through the Platform, we act as a data processor. This means, it is primarily our Users that control what personal information we collect through the Platform and how we use it. Therefore, if you are a patient of a Provider who uses our Platform, and have privacy related questions or concerns about the privacy practices of or the choices the relevant Provider has made to share your information with us or any other third party, you should contact the relevant Provider or review their privacy notices.
OXOS is not responsible for the privacy or security practices of the Providers who use the Platform, which may differ from those set out in this Notice.
Information you provide to us:
If you are a Provider you (or your team administrator) may provide certain personal information to us through the Platform, for example, when you sign up for a OXOS account to access and use the Platform, when you consult with customer support or send us an email or communicate with us in any way (for example, to make a support request).
Further, the personal information we collect from any User may include:
- Business contact information (such as your name, job title, organization, phone number, email address and country);
- Marketing information (such as your contact preferences);
- Account log-in credentials (such as your email or username and password when you sign-up for an account with us and the unique User ID assigned to you in our systems);
- Troubleshooting and support data (which is data you provide or we otherwise access in connection with support queries we receive from you. This may include, for example, contact or authentication data, the content of your chats and other communications with OXOS, and the product or service you are using related to your help inquiry); and
- Payment information (including your credit card numbers and associated identifiers, billing address and background information, including your payment for the Services or use of the Platform).
If you ever communicate directly with us, we will maintain a record of those communications and responses.
Information we collect automatically:
When you use or interact with the Services, we automatically collect or receive certain information through our Platform (for example in log files) and through other technologies (such as cookies) about your device and usage of the Services. In some (but not all) countries, including countries in the European Economic Area (“EEA“), UK and Switzerland, this information is considered “personal data” under data protection laws. For further information please review the section “Cookies and Similar Technologies” below.
The information we collect includes:
- Log and usage data, which is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our Platform and which we record in log files. This log data may include the Internet Protocol (IP) address, device information, browser type and settings and information about your activity in the Platform (such as the date/ time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features of you use)), device event information (such as system activity, error reports (sometimes called “crash dumps”) and hardware settings).
- Device data, such information about your computer, phone, tablet or other device you use to access the Services. This device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system and system (s) information. If you are using our mobile App, we may also collect information about the phone network associated with your mobile device, your mobile device operating system or platform, the type of mobile device you use, your mobile device unique device ID and information about the features of our mobile App you accessed.
- Location data, such as information about your device location, which can be either precise or imprecise. How much of this information we collect depends on the type and settings of the device you use to access the Platform. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your location setting on your device. Note however, if you choose to opt out, you may not be able to use certain aspects of the Platform.
This information is used to:
- maintain the security of the Platform;
- provide necessary functionality;
- improve performance of the Platform;
- assess and improve a User experience of the Platform;
- review compliance with applicable usage terms;
- identify future opportunities for development of the Platform;
- assess capacity requirements;
- identify customer opportunities and for the security of OXOS generally (in addition to the security of our Platform); and
- analyze overall trends, to help us provide and improve our Platform, and to guarantee their security and proper functioning.
Some of the data automatically collected within the Platform, whether alone or in conjunction with other data, could be personally identifying to you. Please note that this data is primarily used for the purposes of identifying the uniqueness of User logging on (as opposed to specific individuals), apart from where it is strictly required to identify an individual for security purposes or as required as part of our provision of the Platform to Providers (where we act as a data processor).
Information we process about Providers’ patients: We process certain personal information about Providers” patients (where we act as a data processor). This personal information includes:
- Identification and contact data (name, title, date of birth, sex, medical record number (MRN), accession number).
- PHI, such as MRN data, study description and related metadata (such as comment data from Users about an x-ray study) and other categories of PHI uploaded by (or on behalf of) the Users in connection with the Services.
As described above, in most cases, we only process PHI on behalf of and as instructed by Providers (the data controllers of the PHI).
However, where permitted by the relevant Provider and applicable law, we may leverage certain patient data collected through the operation of the Platform for our internal research and development purposes to develop and improve our Platform (for which we will be a data controller). For these purposes, we only use PHI in a de-identified form that does not specifically identify any particular patient (for example, by reference to their name or other identification data). For example, we may leverage de-identified patient data to train our models and algorithms to better interpret the medical images captured from OXOS devices, to make more consistent measurements and therefore to improve the functionality of our Platform and diagnostic outcomes. To the extent the de-identified patient data is considered personal information under applicable privacy and data protection law, we will ensure that such data is processed in compliance with such privacy and data protection laws (including seeking patient consent where legally required).
Cookies and Similar Technologies (Services)
Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. The Platform may make use of first or third party cookies (whether session or persistent cookies) and similar technologies, for such things as session management, account access/authentication, to recognize returning Users, for storing and honoring a User preferences and settings, combating fraud, maintaining and monitoring the infrastructure of the Platform, ensuring security protections, analyzing how the Platform performs and other analytics purposes, and fulfilling other legitimate purposes as further described in this Notice (such as fixing issues with and improving our Platform and related User experience). We also use analytics cookies to better understand how the Platform is being used by tracking how you interact with the Platform and where you click.
(B) Marketing Activities
Information you provide to us:
Our Site offers various ways to contact us, such as through form submissions, email or phone, to inquire about our company and Platform. For example, when expressing an interest in obtaining information about us, our products or the Platform, subscribing to marketing or otherwise contacting us, we will collect personal information from you. We may also collect information from you in person at a tradeshow or event or via a phone call with one of our sales representatives or if you visit our offices (where you may be required register as a visitor and provide us with certain information).
The personal information we collect may include:
- Business contact information (such as your name, phone number, email address and country);
- Professional information (such as your job title, institution or company);
- Nature of your communication;
- Marketing information (such as your contact preferences); and
- Any information you choose to provide to us when completing any “free text” boxes in our forms.
Personal information may also be provided to us on your behalf by another User. If you ever communicate directly with us, we will maintain a record of those communications and responses.
Information we collect automatically:
The information we collect may include:
Device data– such as your IP address, your operating system, your browser, device information, unique device identifiers, mobile network information, request information (speed, frequency, the site from which you linked to us (“referring page“), the name of the website you choose to visit immediately after ours (called the “exit page“), information about other websites you have recently visited and the web browser used (software used to browse the internet) including its type and language); and
Usage data – such as information about how you interact with our emails, Sites and other websites (such as the pages and files viewed, searches, operating system and system (s) information and date/time stamps associated with your usage), and Platform.
Information we collect from other sources: In order to enhance our ability to provide relevant marketing, offers and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, social media platforms, as well as from other third parties. This information may include mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), IP addresses, social media profiles, social media URLs and custom profiles, for purposes of targeted advertising, event promotion and optimizing our Platform, Sites, Services and Marketing Activities.
Cookies and Similar Technologies (Marketing Activities)
HOW DO WE USE YOUR INFORMATION?
We use and process the personal information we collect receive (alone or in combination) for the purposes and on the legal bases identified below:
- Communicating with you about the Platform: We may send you service, technical and other administrative or technical email, messages and other types of notifications (such as distribution and product updates and product patches and fixes) in reliance on our legitimate interests in administering the Platform and providing certain features. These communications are considered part of the Platform and in most cases you cannot opt-out of them. If an opt-out is available, you will find that option within the communication itself or in your account settings.
- Promoting the security of the Platform: We process your personal information by tracking use of the Platform, creating aggregated, non-personal data, verifying accounts and activity, investigating suspicious activity and enforcing our terms and policies, to the extent this is necessary for our legitimate interest in promoting the safety and security of the Platform, Services, systems and applications and in protecting our rights and the rights of others;
- Providing necessary functionality: We process your personal information to perform our contract with you for the use of the Platform; where we have not entered into a contract with you, we base our processing of your personal information in reliance on our legitimate interest to provide you with the necessary functionality required during your use of the Platform;
- Handling contact and User support requests: If you fill out a “Contact Us” web form or request User support, or if you contact us by other means including via a phone call, we process your personal information to perform our contract with you and/or (if we have not entered into a contract with you) to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you;
- Managing event registrations and attendance: We process your personal information to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you, to perform of our contract with you;
- Developing and improving our Marketing Activities and Services: We process your personal information to analyze trends and to track your usage of and interactions with our Marketing Activities and Services to the extent it is necessary for our legitimate interest in developing and improving our Marketing Activities, Platform and Services and providing you with more relevant content and service offerings, or where we seek your valid consent;
- Assessing and improving end user experience: We process device and usage data as described above which in some cases may be associated with your personal information, in order to analyze trends in order to assess and improve the overall user experience to the extent it is necessary for our legitimate interest in developing and improving our Marketing Activities, Platform and/or Services, or where we seek your valid consent;
- Reviewing compliance with applicable usage terms: We process your personal information to review compliance with our contract with you or your organization (where applicable) to the extent that it is in our legitimate interest to ensure adherence to the relevant terms;
- Assessing capacity requirements: We process your personal information to assess the capacity requirements of the Platform the extent that it is in our legitimate interest to ensure that we are meeting the necessary capacity requirements of our service offerings;
- Identifying customer opportunities: We process your personal information to assess new potential customer opportunities to the extent that it is in our legitimate interest to ensure that we are meeting the demands of our customers and their Users” experiences;
- Registering office visitors: We process your personal information for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access;
- Displaying personalized advertisements and content: We process your personal information to conduct marketing research, advertise to you, provide personalized information about us on and off the Platform and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in supporting our Marketing Activities or advertising our products, Platform or Services or, where necessary, to the extent you have provided your prior consent (please see the “Your Privacy Rights” section, below, to learn how you can control how the processing of your personal information for personalized advertising purposes);
- Sending marketing communications: We will process your personal information to send you marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS, or push notifications) about us when this is in accordance with your marketing preferences, including information about our products, services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent (please see the “Your Privacy Rights” section, below, to learn how you can control the processing of your personal information by OXOS for marketing purposes);
- For our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products and features, enhancing, improving or modifying our products and services, identifying usage trends and expanding our business activities in reliance on our legitimate interests; and
- Complying with legal obligations: We process your personal information when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of the Platform, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests.
Where we need to collect and process personal information by law, or under a contract we have entered into with you, and you fail to provide the required personal information when requested, we may not be able to perform our contract with you.
SOCIAL MEDIA FEATURES
The Platform may use social media features, such as the Facebook “like” button, the “Tweet” button and other sharing widgets (“Social Media Features“). You may be given the option by such Social Media Features to post information about your activities on a website to a profile page of yours that is provided by a third-party social media network in order to share with others within your network. Social Media Features are either hosted by the respective social media network or hosted directly on our website. To the extent the Social Media Features are hosted by the respective social media networks and you click through to these from our website, the latter may receive information showing that you have visited our website. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our websites with your social media profile. Your interactions with Social Media Features are governed by the privacy policies of the companies providing the relevant Social Media Features.
COLLECTION OF PERSONAL INFORMATION BY THIRD PARTIES
Some links on the Platform, including our Sites and in our Services, may redirect you to third party resources, including websites and services that OXOS does not operate. The privacy practices of these websites and services will be governed by their own policies.
WHO DO WE SHARE YOUR INFORMATION WITH?
We do not sell or share your personal information with third parties except as outlined below. We may disclose your personal information to the following categories of recipients:
- Service providers. In order to provide the Platform to you and undertake our Marketing Activities, it may be necessary for us to disclose your information to contracted third parties and service provider partners who perform certain functions of our Services on our behalf. Examples include payment providers (to authorize, record, settle and clear payment card transactions); cloud hosting providers (to provide data storage and processing services); communications providers (to process new queries and to manage our emails); and analytics company to perform analysis on the Platform. These third party service providers are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.
- Compliance with laws. We may disclose information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or other legal process (including in response to public authorities to meet national security or law enforcement requirements).
- Business transfers. We may share or transfer information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Notice.
- Advertising Partners. We may partner with third party advertising networks, exchanges and social media platforms (like Facebook) to display advertising on our Sites or to manage and service advertising on other sites and we may share personal information with them for this purpose.
- We may share your information with any other person with your consent to the disclosure.
INTERNATIONAL DATA TRANSFERS
The Sites and Services are provided and hosted in the United States. If you are using the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed by OXOS in our facilities and by those third parties with whom we may share your personal information, in the United States or other locations where we have offices. These countries may have data protection laws that are different to the laws of your country. Regardless of where your data is located, we: (a) treat all personal information in accordance with applicable law; and (b) take reasonable steps to ensure the security of personal information.
If you are resident in or a visitor from the EEA, UK or Switzerland, we will protect your personal information when it is transferred outside of the EEA, UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information; or otherwise implementing appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses, complying with the Privacy Shield Framework for transfers of personal information from EEA, UK and Switzerland to US (see below) or another lawful transfer mechanism approved by the European Commission.
If you require further information about our international transfers of personal information, please contact us using the contract details in the “Contact Information” section further below.
YOUR PRIVACY RIGHTS
Where we are acting as a data controller, and depending on your location and subject to applicable law, you may have the following rights with regard to the personal information we control about you.
- You can access, correct, update and delete your personal information by emailing us at firstname.lastname@example.org. If you are a User, you can also do this by signing in to your account and editing your information as desired
- In addition, if you are a resident of or visitor from the EEA UK or Switzerland, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. To exercise these rights, please send an email to email@example.com.
- You can opt out of receiving marketing emails from us by following the unsubscribe link in the emails or by emailing firstname.lastname@example.org. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or other transactional, non-marketing purposes.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
- If you are resident in the EEA and UK, the contact details for data protection authorities are available on the European Union Data Protection Authorities page.
- If you are resident in Switzerland, the contact details for the data protection authorities are available on the Federal Data Protection and Information Commissioner website.
- If you are resident in Australia, you can visit the “Complaints” section of the Information Commissioner website, to obtain the relevant complaint forms, or contact the Information Commissioner office.
- If you are resident in New Zealand, further information is available on the New Zealand Privacy Commissioner page.
- If you are resident in Canada and unable to resolve your privacy issue directly with us, you may find information about reporting your privacy concern to the appropriate privacy authority
HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We retain your personal information where we have an ongoing legitimate business need to do so and for a period of time consistent with the original purpose as described in this Notice. We determine the appropriate retention period for personal information on the basis of the amount, nature and sensitivity of your personal information processed, the potential risk of harm from unauthorized use or disclosure of your personal information and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation).
After expiration of the applicable retention periods, we will either delete or anonymize your personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information.
You must have reached the age of majority to register as a member of or be permitted use of the Platform. Any information we receive from people we believe to be under this age will be purged from our database. We do not knowingly collect personal information from children under the age of 13 or have any reasonable grounds to believe that children under the age of 13 are accessing our Site or using the Platform.
If you believe that a child under 13 may have provided us personal information, please contact us at email@example.com.
SECURITY OF THE PLATFORM
We take the security of your personal information very seriously. We use reasonable and appropriate administrative, physical, and technical safeguards to secure the personal information we process. Despite these safeguards and our additional efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third-parties will not be able to defeat our security, and improperly collect, access, steal, or modify your personal information.
The security of your use of any OXOS App relies on your protection of your mobile device. You may not share your instance of the mobile application with anyone. If you believe that an unauthorized access to your instance of the mobile application has occurred please report it immediately at firstname.lastname@example.org. You must promptly notify us if you become aware that any information provided by or submitted to the mobile application is lost, stolen, or used without permission.
If you are a User, the security of the user profile you create to interact with the Platform relies on your protection of your login credentials. You are responsible for maintaining the security of your login credentials, including your password and for any and all activities that occur under your account. You may not share your password with anyone. We will never ask you to send your password or other sensitive information to us in an email, though we may ask you to enter this type of information on the Platform, including, without limitation a Site or App.
Any email or other communication purporting to be from us requesting your password or asking you to provide sensitive account information via email, should be treated as unauthorized and suspicious and should be reported to us immediately by emailing email@example.com. If you believe someone else has obtained access to your password, please change it immediately and report it immediately by emailing firstname.lastname@example.org.
WILL WE CHANGE THIS PRIVACY NOTICE?
Each time you use our Site or Services, the current version of the Notice will apply. When you use the Platform, you should check the date of this Notice (which appears at the top of this Notice) and review any changes since the last version.
If we make material changes to this Notice, we will notify you either by prominently posting a notice of such changes prior to implementing the changes or by directly sending you a notification. We encourage you to review this Notice frequently to be informed of how OXOS is protecting your information.
This Notice is accessible within our App under My Account Settings -> Privacy Notice and available at https://www.oxos.com/privacy-policy.
To contact us with your questions or comments regarding this Notice or the information collection and dissemination practices of this website, please email us at email@example.com Alternatively, you can contact us in writing at:
OXOS Medical, Inc.
Attention: Data Protection Officer
1230 Peachtree Street NE
Atlanta, GA 30309