YOUR USE OF OUR SERVICES AND WEB SITES IS SUBJECT TO YOUR AGREEMENT TO THE TERMS OF THIS PRIVACY POLICY.

Overview of Medable, Inc.

Medable, Inc. is the app and analytics platform for healthcare. Medable provides mobile application technologies used for clinical research, health and wellness to its Customers who in turn use the Medable platform and Medable solutions to interact with their End Users. Medable Customers may collect personal information and sensitive personal information from End Users, and in doing so, that personal information and sensitive personal information may be processed, stored or managed on a Medable platform or solution. With the exception of data that has been fully aggregated and deidentified to remove the ability to associate the data with any individual (and where appropriately consented), Medable itself does not directly collect, process, or manage End User data unless specifically on behalf and at the direction of the Customer that initially collected the data from the End User.

Medable Customers have full control over data processed using, transmitted via or stored on Medable systems. Medable Customers also have full control over how data is handled upon termination of a Medable account. As between Medable and its Customer, Medable Customers are required to retrieve and delete any data that was stored on the system. If a customer fails to delete the data, Medable will retain the data for a limited period of time before securely destroying that data. Medable will make all reasonable attempts to notify the Customer prior to the destruction of the data at the end of the retention period.

Privacy Policy:‍‍

This Privacy Policy (the “Policy”) is intended to provide you with notice of the following:

• What personal information we collect from you via our Website or our Platform
• What non-personal information we collect from you
• How we use the information that we collect from you
• Information on “cookies” and related technology
• Our commitment to secure the personal information we have collected
• Notice of changes to the Policy
• Our policies concerning children
• How we may disclose the information that we collect from you
• How long we may retain the information we collect from you
• Your rights regarding the information we collect from you
• Information for persons outside the United States.

If you have any questions, complaints, or comments regarding this Policy, please submit here.

Medable, Inc. (“Medable” or “We” or “Us”) is committed to protecting the privacy of users of the Medable website (“Website”) or the Medable platform (the “Platform”). This Privacy Policy explains the information that we collect via the Website and/or the Platform, how we use it, and how we protect the privacy and security of that information. By accessing the Website or using the Platform to store and transmit information, you are signifying your agreement to this Privacy Policy. If you do not agree to any term of this Privacy Policy, you should not access the Website or use the Platform or provide information to Medable.

1.1 Information Medable Collects and Uses: Medable Platform

The Platform is intended to facilitate your storage and transmission of patients’ medical information concerning your patients to physicians and certain others, and this medical information includes personally identifiable information (“PII”) of those patients, including protected health information (“PHI”). PII includes but is not necessarily limited to information that may be used to identify your patients (such as name or address, patient or medical record number, and so on) and that relates to (a) the patient’s past, present or future physical or mental health or condition, (b) the provision of health care to the patient or (c) the past, present or future payment for the provision of health care to the patient. In providing its service, Medable may receive and create records containing PII of your patients. Medable is required by law to take measures to protect the privacy and security of PII, and to comply with the terms and conditions of your contract with Medable. The Platform also collects account and other information about you, as a user of the Platform. This information includes personal information about you and your use of the Platform.

1.2 Information Medable Collects and Uses: Medable Website

We do occasionally collect personal information via our website.

2.0 How We Use The Information We Collect From You

Personal information which we collect via the Website or the Platform for a particular purpose will only be saved and used for that purpose, unless you have agreed to allow us to use it for some other purpose, as described in this Policy.

Generally, we will use the personal information we collect from you to:

• provide you with technical support, customer service, and account maintenance;
• learn what you like, tailor your experience accordingly, and to improve web sites and our other products / services;
• send e-mails to our members who want to receive e-mail from us;
• ensure the security of your account and our business;
• prevent or detect fraud or abuses of our website; and
• comply with applicable law, for example, in response to a request from a court or regulatory body, where such request is made in accordance with the law.
  

The legal bases for us processing personal information for the purposes described above will typically be because you have provided your consent. However, we may also rely on other legal grounds, for example, where the processing is necessary for our legitimate business interests and for compliance with a legal obligation to which Company is subject.

3.0 Use of Technologies by the Website or Platform.

The Platform may use various user-tracking mechanisms that describe your use of the Website or Platform, and your responses to communications from Medable and others through the Website or Platform.

4.0 Information on Cookies and Related Technology

The Medable Website, and some services and advertisements on such sites, may contain “cookies.” A cookie is a piece of data that is sent to your browser, which will store the cookie on your computer if your browser is enabled to accept cookies.

Most internet browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. You should refer to your browser instructions or “Help” screen to learn more about how to manage cookies. Please note, however, that if you block cookies, some portions of the Site and services may not function properly.

Medable does not control cookies in third-party ads, and visitors are encouraged to check the privacy policies of advertisers and/or ad services to learn about their use of cookies and other technology. The ads appearing on our Sites may be delivered to you by third-party advertising companies. These companies may use information about your visits to this and other web sites in order to provide advertisements on this site and other sites about goods and services that may be of interest to you.

We do collect general, aggregated, demographic, and non-personal information. We will not seek to identify you through cookies or other means, without your consent. This type of anonymous, aggregated profiling and session data may include information that you have provided to us through surveys, polls, etc., but will not be tied to any personal information, without your consent. It may also include aggregated anonymous information about site usage, browser type, device type, and the customer base.

In many cases, Medable will automatically collect certain information about your use of its sites and services. Medable might collect, among other things, information concerning the type of Internet browser or computer operating system you are using, the domain name of your Internet service provider, your “click path” through the Sites, and the web site or advertisement that was linked to or from the Sites when you visited. To do this, Medable may use cookies and other technology.

5.0 Our Commitment to Secure the Personal Information We Have Collected.

While Medable takes precautions against possible breaches in its Website and customer databases, no web site or Internet transmission is completely secure. Consequently, Medable cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. USE OF THE COMPANY SITES AND SERVICES IS AT YOUR OWN RISK.

Company urges you to take steps to keep your personal information safe by using a strong password, changing passwords regularly, using different passwords for each account or relationship that you have, logging out of user account after discontinuing use, and closing your web browser.

6.0 Security of PHI on Medable Platform.

When Medable collects information via the Platform, including PII, it follows generally-accepted, industry standards to protect the submitted PII and meets HIPAA privacy standards. Medable uses encryption techniques and authentication procedures, among others, to maintain the security of your information and to protect user accounts, devices and systems from unauthorized access. We also protect information by placing it on a secure portion of our servers that is accessible only by certain qualified employees and other designees of Medable.

You should also remember that regardless of security used, no data transmission over the Internet, and no data storage facility, is 100% secure. While we strive to protect your information, we cannot ensure or warrant the security of such information.

If you have any questions about security, you can contact Medable at security@medable.com.

7.0 Compliance with and Changes to Privacy Policy.

Medable will comply by the terms of this Privacy Policy while it is in effect. This current Privacy Policy takes effect on the date specified above, and will remain in effect until Medable replaces it.

Medable reserves the right to change the terms of this Privacy Policy at any time, as long as the changes are in compliance with applicable law. If Medable changes this Privacy Policy, the new terms will apply to all information, including PII, that it maintains, including PII and other information that was created or received before such changes were made. If Medable changes this Privacy Policy, it will post the new Privacy Policy on its website at https://www.medable.com/en/privacy-policy-statement.

By visiting the Website or using the Platform, you agree to accept electronic communications and/or postings of revised versions of this Privacy Policy on Medable’s website and agree that such electronic communications or postings constitute notice to you of the revised version of this Privacy Policy.

8.0 Applicable Laws.

The laws and regulations in different countries impose different (and even conflicting) requirements on the Internet and data protection. The servers that make the Platform and Medable’s service available worldwide are located in the United States. All matters relating to the Platform and Medable’s service are governed by the laws of the State of California, without reference to its conflicts of law rules that would result in the Platform being subjected to laws of another jurisdiction. Please note that any information you provide may be transferred to the United States, and by using the Platform and/or Medable’s service or providing Medable with information, including PII, you authorize this transfer.

9.0 Our Policies Concerning Children.

We comply with the Children’s Online Privacy Protection Act and all other applicable laws and regulations concerning children and the Internet. Medable’s website and Medable’s services are not directed toward children under the age of 18.

9.1 Children under the age of 18

If you are under the age of 13, you may not use the Medable website and you may not sign up for any subscription service or buy anything through the Website. Except as may be required by law, Medable will not knowingly collect, maintain, or disclose any personal information from children under the age of 13, without the written consent of their legal guardian.

9.2 Information for Parents/Guardians

Medable encourages parents and guardians to spend time online with their children to become familiar with the types of content available on the Internet, including our website. Parents and guardians should regularly oversee their children’s use of e-mail and other online communications and transactional features. Control tools are available from online services and software manufacturers that can help provide a safe online environment for kids.

If you are a parent or guardian who has discovered that your child has submitted his or her personal information without your permission or consent, we will take reasonable steps to remove that information from the Company database at your request. To request removal of your child’s information, please send us an e-mail to support@medable.com and be sure to include in your message your contact information.

10.0 How We Disclose Personal Information That We Collect From you.

When you have provided personal information to us for a particular purpose, we may disclose your information to other companies that we have engaged to assist us in fulfilling your request. This may include, but is not limited to fulfillment houses, billing services, transaction managers, credit verification services, and other third-party service providers. We may also disclose any of your personal information to law enforcement or other appropriate third parties in connection with criminal investigations, investigation of fraud, infringement of intellectual property rights, or other suspected illegal activities, or as otherwise may be required by applicable law, or, as we deem necessary in our sole discretion, in order to protect the legitimate legal and business interests of Company.

We sometimes share general, demographic, or aggregated (not personal) information with third parties about our user base, but that information does not include any personal information.

Your personal information may also be disclosed if Company assigns all of its rights and obligations regarding the use of your personal information at the time of a bankruptcy, merger, acquisition, sale of all or substantially all of Company’s assets to a subsequent owner or operator, or similar event.

To the extent we collect any aggregated anonymous information, we may share that information and information derived from the aggregated anonymous information with our business partners.

Medable does NOT sell or rent the PII or any other information you provide, and does not provide that information to third parties for commercial or any other purposes.

Medable does not disclose your PHI, to any third party other than as permitted or required under an applicable Business Associate Agreement, or as you direct through your use of the Platform.

11.0 Retention of personal information

Personal information will be retained until as long as is reasonably necessary for the purposes listed above or as required by applicable law. Please contact us for further details of applicable retention periods.

12.0 Your rights

If you don’t want to receive e-mail from us, you can “opt out” of receiving it at the time you register as a member on our web sites or each time we request information from you. If you change your mind and wish to stop receiving e-mails from us, you may also choose to opt out by following the steps described in each such e-mail.

Please follow the directions on the Websites to remove or edit any of your personal information. If you have any questions about your personal information or would like to confirm removal or an opt-out associated with your information please submit here. Please provide your contact information including account credentials, and email address so that we may potentially contact you with the assistance of this process if necessary.

In addition, EEA data protection law provides individuals in those jurisdictions with numerous rights, including the right to access and object to the processing of their personal information. Please submit here for more information on how to exercise these rights. Individuals in the EEA also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal information is not being processed in accordance with applicable data protection law. We suggest that you contact us if you have any questions or complaints in relation to how we process your personal information. However, you do have the right to contact the relevant supervisory authority directly whose contact details can be located http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

13.0 Information for Persons Outside of the United States

Please note that your personal information may be transferred to our outsourced service providers located outside of the EEA. In these circumstances we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate technical, organizational, contractual or other lawful means. Please submit here for details on the safeguards which we have put in place to protect your personal information and privacy rights in these circumstances.

14.0 Notice

Medable relies upon the assurances of its Customer, on whose behalf it processes personal information, that they have obtained consents from such End Users. In obtaining such consent, the Customer is responsible for fully informing End Users about the purposes for which their personal information is collected and used, including the types of non-agent third parties to which that information is disclosed, if any, and the choices and means offered individuals for limiting the use and disclosure of their personal information.

If instructed to do so by its Customer, Medable will inform individuals about the purposes for which a Customer collects and uses personal information. Medable will also disclose the types of non-agent third parties, if any, to which Medable discloses any personal information and the choices and means offered individuals for limiting the use and disclosure of their personal information.

Medable requires that any such notice be provided in clear language in a conspicuous manner at the same time individuals are first asked to provide personal information, or as soon as possible thereafter, and in any event before Medable uses or discloses information for a purpose other than that for which it was originally collected.

15.0 Choice

Medable will work with its Customers to provide End Users with the opportunity to choose (opt out) whether personal information is disclosed to a third-party company that is used by Medable. Medable also works with its Customers in the event that any personal information is to be used for a purpose other than the purpose originally authorized.

For sensitive personal information (e.g., personal information that pertains to racial or ethnic origin, political or religious beliefs, health condition or sexual orientation) or use of personal information for a purpose other than the purpose originally authorized, at the direction of Medable’s customer, Medable will work with the Customer to ensure that information is disclosed to a third party agent only after the End User explicitly consents (opts in) to the disclosure.

16.0 Transfers to Third Parties

Medable will only transfer personal information received from the EU to a third party consistent with Customer instructions.

Medable will enter into written agreements or contracts with any agents, third-party providers, and independent entities to which Medable transfers personal information to ensure that those organizations adhere to the same level of privacy protection as Medable.

When Medable has knowledge that a third party is using or sharing this personal information in a way contrary to this policy, Medable will take reasonable steps to prevent or stop such processing or use.

Medable is responsible for and assumes all potential liability in cases of onward transfers of personal information to third parties.

17.0 Access and Security

Upon request and in accordance with Customer instructions, Medable will assist End Users in accessing their personal information that is on the Medable platform.

Medable will coordinate with its Customer and End Users to allow individuals End Users to correct, amend, or delete information that is inaccurate; except in certain cases where providing this access would be disproportionate to the risks to the individual’s privacy or where rights of other individuals would be violated.

Access will not be provided to personal information relating to medical or pharmaceutical clinical trials to the extent that access, disclosure, deletion or alteration of the personal information would jeopardize the integrity of the trial or if contrary to regulatory requirements.

Medable takes precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. These precautions include data redundancy and the implementation of physical and logical security and access controls.

18.0 Data Integrity

Medable relies upon assurances from its Customer that the personal information Medable possesses is relevant for the purposes for which it is to be used. Medable uses the data in accordance with Customer instruction.

Medable will take reasonable steps to ensure that personal information entered onto its platforms retains its original relevance, accuracy completeness and currency.

Medable’s team responsible for Privacy and Data Protection will periodically review and conduct compliance audits of the relevant privacy practices to verify adherence.

Medable’s management will remedy issues arising out of any failure to comply with this policy.

19.0 Dispute Resolution

Medable commits to cooperate with EU data protection authorities (DPAs). If an End User does not receive timely acknowledgment of your complaint from Medable or its Customer, or if, as the End User, Medable has not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint.

20.0 Additional Notices:

Individuals may make requests for access to their personal information, or requests to limit the use and disclosure of their personal information, to Medable Customers who are data controllers of their personal information. In accordance with Customer instructions and applicable law, Medable will assist its clients in responding to such requests.

Please also note that Medable may be required to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

21.0 Enforcement

Medable will cooperate with the Data Protection Authorities (“DPAs”) of EU Member States where it has operations in the investigation and resolution of complaints and comply with advice given by the DPAs.

Any employee of Medable that Medable determines is in violation of this policy will be subject to disciplinary action, up to and including termination.