Effective Date: 1 April 2022

Introduction

The privacy of children matters to us at Datacubed Health. This Children’s Privacy Policy (Policy) explains how we may collect, use, and share personal information of children. It applies to our website, services, information, tools, functionality, updates, and similar materials (collectively Services). If you have questions about the Policy, please feel free to contact us at legal@datacubed.com.

Incorporated Terms

The following additional terms are incorporated into the Policy as if fully set forth herein:

Who we are

We are Data Cubed, LLC d/b/a Datacubed Health. We can be reached at legal@datacubed.com and at:

Datacubed Health

384 Bridge Street

4^th Floor

Brooklyn, NY 11201

Datacubed Health is a pioneering technology company making better science and healthier communities a reality. We apply individualized solutions for the capture of data, including smartphone apps, wearable, in-home, and environmental sensors, for remote engagement with patients and for virtual clinical studies. In connection with the research, trials, studies, patient-engagement initiatives, or projects that we conduct on behalf of companies and heath care organizations (“Clinical Research Studies”) and educational institutions (“Academic Studies”) (collectively “Studies”), we sometimes collect information from children under the age of 18 or from parents or legal guardians (“Caregivers”) about their children and/or patients who are under the age of 18.

References to “we,” “us” and “our” mean Datacubed Health. References to “third-party” mean someone who is not you or us.

We are a Processor of the personal information Client Participants provide to us. We are a Controller of the personal information Datacubed Health Participants provide to us.

Who you are

In the Policy, “you” means you as a:

Client – an employee or a representative of a business that uses Datacubed Health
Client Participant – an individual solicited by a business who participates in a Study conducted by Datacubed Health on behalf of the business and who may be a child under the age of 18
Datacubed Health Participant – an individual who participates in a Study conducted by Datacubed Health on its own behalf and who may be a child under the age of 18

Legal basis for collecting children’s information

The Client obtains the Caregiver’s consent for the child to participate in the clinical research study.
Personal information from children below the age of 18 is not collected without the consent of a Caregiver except in special, limited circumstances
The processing conducted in connection with the Studies under the legal ground of “Consent” is:
- The collection of personal information from Client Participants and Datacubed Health Participants, and
- The collection and use of personal information to provide the Services.

What information do we collect about children and why?

To provide the Services, we may collect information about children from their Caregivers, or we may collect personal information directly from children. On behalf of our Clients, to conduct the Academic Studies, we may collect a child’s:

Name
Address
Date of birth
Place of birth
Email Address
Username
Information from your activities and devices used on the Services
Location for use with Geofencing features, as applicable
Phone device information
Bluetooth device information
Phone contacts
Cell metadata
SMS message metadata
IP addresses
Social media metadata
Demographic information (ethnicity, gender, height, and weight)
Medical condition
Medical dosage and/or dosage change details
Medical injection site and injection date details
Survey information for Health, Economics and Outcomes Research (HEOR) Study

On behalf of our Clients, to conduct the Clinical Research Studies, we may collect a child’s:

First name
Email address
IP address of child or Caregiver
Medical condition
Medical dosage and/or dosage change details
Medical injection site and injection date details
Survey information for Health, Economics and Outcomes Research (HEOR) data

Caregivers may ask us to stop collecting personal information from their child by emailing us at legal@datacubed.com; however, in such cases, the Client Participant and the Datacubed Health Participant will not be able to continue participating in any Study we are conducting on behalf of a Client or ourselves. If Caregivers direct us to stop collecting and using children’s personal information, we must disable the Client Participant’s and the Datacubed Health Participant’s use of our devices so no information is collected.

We are a Controller of the Datacubed Health Participant personal information, and Client is a Controller of the Client Participant personal information. Identifying information (name, email, username, phone device information, IP addresses) will not be shared with the Client, the sponsor of the Study, and is only processed by us to enable technically the Services.

How we use children’s information

We use personal information collected from children or from Caregivers about children for the following purposes:

To conduct Studies on behalf of our Clients or on our own behalf;
To provide the Services;
To respond to customer service and technical support issues and requests.

For Academic Studies, we may use aggregate or de-identified information about children for research, analysis, and similar purposes to improve the Services. When we do so, we strip out names, email addresses, contact information and other personal identifiers. We may use aggregate or de-identified information for the following purposes for Academic Studies:

To conduct research or analysis including research and analysis by Client;
To better understand how our devices are accessed and used; and
To improve our devices and respond to user preferences.

If you are a Client Participant, our processing of your information is restricted to what is agreed to in a contract with the Client. We only share pseudonymized data with the Client, the sponsor of the Study.

We use the information we collect from Clients to answer your inquiries and to provide the Services to you.

How we share children’s information

We do not sell children’s information, and children may not make their personal information public through the Services. We only share Client Participant personal information with the Client on whose behalf we are collecting the personal information, to otherwise provide the Services, to conduct the Studies, to comply with the law and to protect our and other users of the Services. For example, we may share children’s personal information as follows:

Service Providers. We may share the information we collect from children with our service providers on a confidential basis in order for them to provide services to us, to you and to enable us to provide the Services and to conduct the Studies.
- Amazon Web Services, Inc. (AWS) provides servers in the U.S. and in Germany that store all personal information collected from you
- The Rocket Science Group LLC d/b/a Mailchimp, located in the U.S., helps us manage email communications
- Stefanini Group, located in the U.S., Belgium, Romania, China, Poland and the Philippines, helps us manage support tickets
- Twilio, Inc., located in Germany and the U.S., helps us send and receive text messages and provides video conferencing
- Splunk, Inc., located in Germany and the U.S., and Sisense, Ltd., located in Germany and the U.S., help us analyze and provide performance reports about the personal information
Legal Process. We also may share personal information with government and/or law enforcement agencies to the extent we believe it necessary to comply with the law, such as in response to a subpoena or court order, to defend a legal claim or establish or protect our legal rights or otherwise as permitted by applicable law. We commit to review the legality of any subpoena or court order to disclose data, to challenge the subpoena or court order if, after a careful assessment, we conclude that there are grounds to do so, to seek interim measures to suspend the effects of the subpoena or court order until the court has decided on the merits, to not disclose the personal data requested until required to do so under the applicable procedural rules, and to provide the minimum amount of information permissible when responding to the subpoena or court order, based on a reasonable interpretation of the subpoena or court order. The information shared depends on what is sought by the subpoena or court order.
To Protect Us and Others. We may disclose personal information in our possession in the event we believe it necessary or appropriate to prevent criminal activity, personal injury, property damage or bodily harm. The personal information disclosed depends on the circumstances.
Business Transfers. We may transfer your information to a successor in interest, which may include but may not be limited to a third-party in the event of an acquisition, sale, asset sale, merger, or bankruptcy. The policies applicable to your information thereafter may be determined by the transferee, unless otherwise prohibited by law. The personal information transferred would consist of the personal information collected as described above.
With Caregivers. Caregivers may request information about the information we have collected from their child by contacting us at legal@datacubed.com.
Aggregate and De-identified Information. For Academic Studies, we may also use and share aggregate or de-identified information with third parties. For Academic Studies, Clients may make de-identified information available to the public.

Where we store and process personal data

We store the information we collect from you on servers provided by AWS in the United States (U.S.) and the European Union (EU). For testing purposes, the information we collect from you also may be stored on desktop and laptop computers used by our employees in the U.S. The information we collect from you in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland may be transferred from and kept outside the EEA, the UK, and Switzerland because our operations and some of our servers are located in the U.S. We enter into Standard Contractual Clauses in order to transfer your information outside the EEA, the UK, and Switzerland. We have withdrawn from the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA and Switzerland to the U.S.; we will continue to apply the Privacy Shield Principles to personal information that we received while participating in the Privacy Shield Frameworks. To learn more about the Privacy Shield program, visit https:// www.privacyshield.gov/.

Caregivers’ rights to review, delete and control our use of children’s information

Caregivers have the right to review the information we have collected about their children and to have their children’s personal information deleted and can refuse to permit the further collection or use of their children’s information. To exercise these rights, you may contact us at legal@datacubed.com. You will be required to authenticate yourself as the child’s Caregiver to receive information about that child. Copies of information may remain in cached or archived form in our system after its deletion is requested.

How long we may keep children’s information

We may keep children’s information for as long as we have to by law. If there is no contradictory legal requirement, we will only keep it for as long as we need it to perform the Services. We may also keep your information for a reasonable period of time. For example, where U.S. law applies, and where required by U.S. law, we retain covered protected health information for 7.5 years or as otherwise required or permitted by law, and where the International Conference on Harmonization Guidelines for Industry Structure and Content of Clinical Study Reports apply, clinical research study data are retained for a period of 25 years as of completion of the Services or longer as required by local law.

How we protect children’s privacy

When we intend to collect personal information about children, we take additional steps to protect children’s privacy, including:

Asking for a Caregiver email address in any instance where we ask for age and determine the user is under age 18 before collecting any personal information from the child on any child-targeted device or application;
If we wish to collect personal information from a child, seeking a Caregiver’s consent by email, explaining what information we are collecting, how we plan to use it, how the Caregiver can provide consent, and how the Caregiver can revoke consent;
In connection with the Services or the Studies, collecting a child’s online contact information (e.g. email address) in order to communicate with the child and simultaneously requiring a Caregiver email address in order to notify the Caregiver about the collection and use of the child’s information and to provide the Caregiver an opportunity to prevent further contact with the child;
In connection with push notifications (notifications on mobile and other devices), obtaining a Caregiver email address and providing the Caregiver with notice of our interest in contacting the child and providing the Caregiver with the opportunity to prevent contact before the child can receive push notifications;
If the device collects geo-location information that is specific enough to equate to the collection of a street address or if in using the Services persistent identifiers (e.g., cookies) collect information to make the Services more useful (e.g., type of computer operating system, IP address, mobile device identifier, web browser), notifying Caregivers and obtaining Caregiver consent prior to such collection;
Notifying Caregivers about our practices with regard to children, including the types of information we may collect from children, the uses to which we may put that information, and whether and with whom we may share that information;
Obtaining consent from Caregivers for the collection of personal information from their children or for providing information about the Services and the Studies directly to their children;
Limiting our collection of personal information from children to no more than is reasonably necessary to participate in the Services and the Studies;
Giving Caregivers access or the ability to request access to personal information we have collected from their children and the ability to request that the personal information be changed or deleted.

Additional rights children have regarding their information

You have the right:

To know if we are collecting, using, or sharing your information and to request access to this information
To request that we correct your information if it is inaccurate or incomplete
To ask us to erase your information if
- Your information is no longer necessary for the purposes for which it was collected, used or shared
- You withdraw the consent on which the collection, use or sharing is based
- You object to the collection, use or sharing and there is no overriding legitimate interest for continuing the collection, use or sharing
- You object to the collection, use or sharing of your information for direct marketing purposes
- Your information was unlawfully collected, used or shared
- Your information has to be erased in order to comply with a legal obligation
- Your information was collected in order to offer online services to children
To obtain from us a restriction on the collection, use or sharing of your information if
- You contest the accuracy of your information
- You have objected to the collection, use or sharing based on legitimate interest and we are considering whether our or a third-party’s legitimate interest ground overrides your interest
- The collection, use or sharing is unlawful, and you oppose erasure and request that use be restricted instead
- We no longer need your information, but you require your information to establish, exercise or defend a legal claim
To be able to take with you the information you provided to us and to transmit that information to another organization where our collection, use or sharing of that information is carried out by automated means and is based on your consent or the performance of a contract
To object to collection, use or sharing based on the purposes of legitimate interest or performance of a legal task, direct marketing and scientific/historical research and statistics
Not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you
To lodge a complaint with a supervisory authority

How you exercise your rights

You may access, correct, or delete your account information or cancel your account at any time by emailing us at legal@datacubed.com. Please note that in some cases we may retain certain information about you as required by law.

Where to find us on social media and Cookies
You can find us on Facebook, Twitter, and LinkedIn. When you visit our social media pages, you can control the settings of cookies that are not essential to provide the services you request. A cookie is a small file placed on your device which enables features and functionality of the www.datacubed.com website. The Datacubed Health Cookie Policy explains what cookies are, our use of cookies, and how you can manage cookies. Except for those cookies which are essential for the Service that you have requested, no cookie will remain on your device, and we will not retain any information collected from cookies, longer than is permitted by law.

Governing law

EU laws govern the Policy.

Changes to the Policy

The Policy is current as of the Effective Date set forth above. We may change the Policy from time to time, so be sure to check back periodically. We will post any changes to the Policy on our site at www.datacubed.com.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_122223764_1	1 minute	This cookie is installed by Google Analytics. The cookie is used to analyze visitor browsing habits, flow, source, and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.