Data Cubed, LLC. dba Datacubed Health
Dated: 21 November 2019
Privacy Shield Policy
Data Cubed, LLC., a U.S. limited liability company organized under the laws of the State of Delaware, does business as Datacubed Health. We comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union member countries and the United Kingdom and/or Switzerland to the United States respectively. Datacubed Health has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such personal data. If there is any conflict between the terms in this Privacy Shield Policy (Privacy Shield Policy) and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/
The following additional terms are incorporated into this Policy as if fully set forth herein:
Readers of this Policy
In this Privacy Shield Policy,
- “We,” “us” and “our” means Datacubed Health
- “Third-party” means someone who is not you or us
In this Privacy Shield Policy, “you” means you as a:
- Client – an employee or a representative of a business that uses Datacubed Health
- Client Participant – an individual solicited by a business who participates in a study conducted by Datacubed Health on behalf of the business
- Datacubed Health Participant – an individual who participates in a study conducted by Datacubed Health on its own behalf
Datacubed Health as a Controller
Datacubed Health is a pioneering technology company making better science and healthier communities a reality. We apply individualized solutions for the capture of data, including smartphone apps, wearable, in-home, and environmental sensors, for remote engagement with patients and for virtual clinical studies. We design studies, validate instrumentation, analyze data, integrate third-party data and custom design apps. If you are a Client, we may collect your name, business email address, business address, business phone number, any messages you send us, billing information and other details necessary to provide our services to you. If you are a Datacubed Health Participant, we may collect your name, address, email address, username, information from your activities using our services, location, phone device information, Bluetooth device information, phone contacts and call metadata, SMS message metadata, IP addresses, and social media metadata. In this capacity, we determine the purposes and means of the processing of this personal data.
We may disclose this personal data to our business associates, consultants, service providers and affiliates on a confidential basis in order for them to provide services to us, to you and to enable us to host our website and provide services, information, tools, functionality, updates, and similar materials (collectively Services). For example, our host and internet service provider may have access to this personal data.
We may share this personal data with government and/or law enforcement agencies to the extent we believe it necessary to comply with the law, such as in response to a subpoena or a court order, to defend a legal claim or to establish or protect our legal rights or otherwise as permitted by applicable law. We may disclose to the appropriate legal authorities this personal data in the event we believe it necessary or appropriate to prevent criminal activity, personal injury, property damage or bodily harm.
We may transfer this personal data to a successor in interest, which may occur, for example, in the event of an acquisition, sale, asset sale, merger or bankruptcy. The policies applicable to this personal data thereafter may be determined by the transferee, unless otherwise prohibited by law.
Datacubed Health as a Processor
If you are a Client Participant, we may collect your name, address, email address, username, information from your activities using our services, location, phone device information, Bluetooth device information, phone contacts and call metadata, SMS message metadata, IP addresses, and social media metadata. As a processor, we are required to process this personal data in accordance with the agreement with our client, who is the controller.
The Privacy Shield Principles
Datacubed Health commits to subject to the Privacy Principles the personal data it collects as controller and as processor that is received by Datacubed Health in the U.S. from the EU member countries and Switzerland in reliance on the respective Privacy Shield Frameworks. The practices we employ as a processor and as a controller under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks are the same as set forth below.
We notify individuals covered by this Privacy Shield Policy about our practices regarding personal data received by us in the U.S. from EU member countries and Switzerland in reliance on the respective Privacy Shield Frameworks, including the types of personal data we collect about them, the purposes for which we collect and use such personal data, the types of third-parties to which we disclose personal data and the purposes for which we do so, the right of individuals to access their personal data, the choices and means that we offer for limiting our use and disclosure of personal data, how our obligations under the Privacy Shield are enforced, and how individuals can contact us with any inquiries or complaints. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If personal data covered by this Privacy Shield Policy is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized or is to be disclosed to a third-party, we will provide individuals with an opportunity to choose whether to have their personal data so used or disclosed. Requests to opt out of such uses or disclosures of personal data should be sent to: firstname.lastname@example.org.
- Accountability for Onward Transfer
In the event we transfer personal data covered by this Privacy Shield Policy to a third-party acting as a controller, we will do so consistent with any notice provided to individuals and any consent they have given and only if the third-party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided by the individuals, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so, and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination.
In the event we transfer personal data covered by this Privacy Shield Policy to a third-party acting as an agent, we will (i) transfer such data only for limited and specified purposes, (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles, (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with our obligations under the Privacy Shield Principles, (iv) require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, and (v) upon notice (including that it can no longer provide the same level of protection as is required by the Privacy Shield Principles), take reasonable and appropriate steps to stop and remediate unauthorized processing.
In the event we, acting as a processor with contractual limitations on disclosure or use of information, transfer personal data covered by this Privacy Shield Policy to a third-party, we will (i) provide individuals with an opportunity to choose whether to have their personal data so disclosed or used (requests to opt out of such disclosures or uses of personal data should be sent to: email@example.com); (ii) pursuant to the controller’s instructions, put individuals in contract with the controller that provides individuals with an opportunity to choose whether to have their personal data so disclosed or used.
We are responsible for the processing of personal data we receive under the Privacy Shield and subsequently transfer to a third-party acting as an agent on our behalf and remain liable under the Privacy Shield Principles if our agent processes such personal data in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.
We take reasonable and appropriate measures to protect personal data covered by this Privacy Shield Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation
We limit the collection of personal data covered by this Privacy Shield Policy to data that is relevant for the purposes of processing, do not process such personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual, and to the extent necessary for those purposes take reasonable steps to ensure that such personal data is reliable for its intended use, accurate, complete and relevant.
We take reasonable and appropriate measures to comply with the requirement under the Privacy Shield Principles to retain personal data in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing (such as those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention), unless a longer retention period is permitted, or required, by applicable law or regulation, under which circumstance, we will continue to adhere to the Privacy Shield Principles for as long as we retain such personal data.
Individuals whose personal data is covered by this Privacy Shield Policy have the right to access personal data about them that we hold and to correct, amend or delete such personal data where it is inaccurate or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated. Requests for access, correction, amendment, or deletion should be sent to: firstname.lastname@example.org.
Where we are acting as a processor, with contractual limitations on disclosure or use of information, we provide access by putting an individual in contract with the controller or by working together with the controller to provide access, as prescribed by the controller.
- Recourse, Enforcement and Liability
Our participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.
In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact us at: email@example.com.
We have further committed to refer unresolved Privacy Shield complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to the International Centre for Dispute Resolution (ICDR), an alternative dispute resolution provider located in the U.S. If you do not receive timely acknowledgement of your complaint from us, or your complaint is not satisfactorily resolved, please contact or visit ICDR for more information or to file a complaint. The services of ICDR are provided at no cost to you.
Under certain conditions, an individual has the possibility to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Please see Annex 1 for more information.
The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. and Swiss Privacy Shield Frameworks.