ENDOTRONIX, INC.
PRIVACY POLICY

Last Updated: May 31, 2019

Endotronix, Inc., including our affiliate company, Endotronix Ireland Limited, (collectively referred to as “we”, or “us” or “company”) provides this Privacy Policy to explain how we collect, use, share and protect the information you provide and that we collect on endotronix.com (our “Site”) and through the Cordella Heart Failure System patient and clinician applications (each an “App” or together the “Apps”).  The Site and Apps may be collectively referred to herein as the “Service.”   BY USING THE SERVICE, OR OTHERWISE GIVING US YOUR INFORMATION, YOU AGREE TO THE TERMS OF THIS PRIVACY POLICY. Please review this Privacy Policy carefully to ensure your understanding of our privacy practices.  If you do not agree to this Privacy Policy, do not use our Service or give us any of your information.   This Privacy Policy is incorporated by reference into our Terms of Use.  All capitalized but undefined terms in this Privacy Policy shall have the meaning ascribed to such terms in the Terms of Use.

1. If you are located in the European Economic Area or Switzerland, please also see Section 11, “Notice to Individuals Located in the European Economic Area or Switzerland” and Section 12, “Data Subject Rights of Individuals Located in the Designated Countries” below.

2. Information We Collect

2.1 Information You Provide
a) Personally Identifiable Information. To use the Service, you, and in the case of the patient App, your treating physician, may be required to provide us with certain Personally Identifiable Information as described below.  In order for you to use certain features of the App, you will be required to sign an authorization permitting your health care provider(s) to disclose this information and other Personally Identifiable Information necessary for you to use those features of the App.  We may collect Personally Identifiable Information through various forms and in various places through the Service, including account registration forms, contact us forms, user complaint submissions, or when you otherwise interact with us.  The data fields necessary to create a user profile on our patient App (or an “Account”) include, but may not be limited to:

  • Name
  • Date of birth
  • Gender
  • Time zone

Additional data fields that may be entered include, but may not be limited to:

  • Address
  • Phone
  • Email address
  • Weight
  • Physiological information and clinical history
  • Names of physicians.

2.2 Information We Collect As You Access and Use Our Service
a) Generally. In addition to any Personally Identifiable Information or other information that you or your clinician choose to submit to us, we and our third-party service providers may use a variety of technologies that automatically (or passively) collect certain information whenever you visit the Site or access or use the Apps (“Non-Personally Identifiable Information”).  Non-Personally Identifiable Information may include the browser that you are using, the URL that referred you to our Site, and how and when you use the Service.  We may use Non-Personally Identifiable Information for various reasons, such as providing and enhancing the Service for you and other users.  In addition, we may collect your IP address or other unique identifier that identifies the device from which you access the Site or Apps.  This identifier is a number that is automatically assigned to your device and which our computers use to identify you and your device. This information may be non-identifying or may be associated with you.  If we associate any Non-Personally Identifiable Information or information that identifies your device with your Personally Identifiable Information, we will treat it as Personally Identifiable Information.

b) Cookies. A cookie is a data file placed on a computer or other device when it is used to access our Site. We use Cookies to personalize your preferences and track your visits to our web pages. Cookies work by assigning a number to the user that has no meaning outside of the assigning website.

Cookies on our Site that are supplied by us are called “first-party cookies,” while cookies on our Services that are provided by third parties are called “third-party cookies.” Third-party cookies are operated by third parties that can recognize your device across the Internet, such as when you visit other websites or mobile apps. Endotronix does not control how third-party cookies, or the resulting information, are used, and use of third-party cookies is not covered by this Privacy Policy. We encourage you to check the websites of any third-party cookie providers for more information about how they use cookie information.

Endotronix uses cookies for a variety of purposes. For example, cookies can save your website preferences, tell us which pages are most popular or alert us when certain pages are receiving error messages. Such information helps us improve and optimize our Services. Endotronix uses the following different types of cookies:

  • Strictly necessary cookies: Some of the cookies we use are necessary to provide our Services to you. Without such cookies, some of our Services cannot be provided to you. These cookies may be persistent cookies or session cookies.
  • Functional cookies: Functional cookies collect information about how you use our Services, provide you with certain functions on our Services, and they remember your preferences. Without these cookies, parts of our Services cannot be provided to you. These cookies are generally persistent cookies.
  • Analytics cookies: These cookies provide us information about your interactions on our Services to help us improve and maintain our Services. These cookies are typically session cookies.

Our cookie data retention periods vary based on the type of cookie. A “session cookie” collects and stores information about your interactions with our Services and is deleted after you close your browser. A “persistent cookie” saves information about you for longer periods of time, such as your registration ID and login password for future logins to our Services. The retention periods for persistent cookies vary and are dependent on the purpose of the cookie collection. If you are concerned about your cookies, you can delete cookie data as described below.

If you do not want information to be collected through the use of cookies, your browser allows you to deny or accept the use of cookies. Cookies can be disabled or controlled by setting a preference within your web browser or on your device, and you can delete cookies already set on your device at any time. If you choose to disable cookies on your device, some features of our Service may not function properly or may not be able to customize the delivery of information to you. Our servers automatically record information created by your use of our websites and we use visitor logs to compile anonymous statistics. The aggregate information is collected sitewide and contains anonymous website statistics and is not considered personal information. Our Site also uses Google Analytics to provide us information about the use of our Site. Google uses this information on behalf of Endotronix for the purpose of evaluating the use of our Site and providing us other services relating to Site activity and internet usage. Your IP address conveyed within the scope of Google Analytics is not associated with any other data held by Google. Google does offer a browser add-on to provide you an opt-out feature to prevent being tracked by Google Analytics, which you can access here: https://tools.google.com/dlpage/gaoptout?hl=en.

c) Web Beacons. Small graphic images or other web programming code called web beacons (also known as “1×1 GIFs” or “clear GIFs”) may be included in our Services. The web beacons are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of web users. In contrast to cookies, which are stored in a user’s computer hard drive, web beacons are embedded invisibly on web pages and are about the size of the period at the end of this sentence. Web beacons or similar technologies help us better manage content on our Site by informing us what content is effective, count users of the Site, monitor how users navigate the Site, count how many e-mails we sent were actually opened, or count how many particular articles or links were actually viewed. We do not tie the information gathered by web beacons to our customers’ Personally Identifiable Information.

d) Embedded Scripts. An embedded script is programming code that is designed to collect information about your interactions with the Site, such as the links you click on.  We may use embedded scripts in providing the Services.  If we do, the code is temporarily downloaded onto your device from our web server or a third party service provider, is active only while you are connected to the Site, and is deactivated or deleted thereafter.

2.3 Information Third Parties Provide About You. We may, from time to time, supplement the information we collect about you through our Site or Apps with outside records from third parties in order to provide the Service to you, enhance our ability to serve you and to tailor our content to you. Any such third party communications must comply with applicable law.

2.4 Information Collected by our Apps. We may collect and use technical data, including but not limited to, technical information about the devices, software and peripherals associated with the Services which we may gather periodically to facilitate the provision of software updates, product support and other services to you related to our Apps. We may use information automatically collected by the Apps in the following ways:

  • To operate and improve our Apps and Service
  • To investigate technical problems, security incidents, complaint investigations and responses, or other potential usage issues
  • To create aggregated and anonymized information to determine which App features are most popular and useful to users, and for other statistical analyses
  • To prevent, discover and investigate violations of this Privacy Policy or any applicable terms of service or terms of use for the Apps, and to investigate fraud
  • To customize the content or Services on the Apps for you, or the communications sent to you through the Apps.

2.5 Job Applicants. If you have applied for a position with Endotronix through the Site, we will collect your resume, contact information, employment and education history, and other related information. We may also receive information from references you identify and other third parties (for instance, background checks where permitted by applicable law). This personal information will be used only for recruitment and other customary human resources purposes including any required government reporting and recordkeeping obligations.

2.6 User Information. Unless otherwise noted elsewhere in this Policy, Personally Identifiable Information and Non-Personally Identifiable Information shall be collectively referred to as “User Information”.

3. How We Use The Information Described in This Policy

3.1 To Provide the Service. We use the Personally Identifiable Information you or your health care provider provide us when registering for an Account to provide the Service to you.  We will also use such information to communicate with you in response to your inquiries and to manage your account. We may communicate with you by email, telephone, or SMS or text message (with your consent), in accordance with your requests.

3.2 IP Address. We may use your Internet Protocol (IP) address to administer our Site. Your IP address is used to help identify you, but contains no Personally Identifiable Information about you.

3.3 Messages. We will send you strictly Service-related announcements when it is necessary to do so.  Generally, you may not opt-out of these communications, which are not promotional in nature. If you do not wish to receive them, you have the option to deactivate your account.

3.4 Miscellaneous. In addition, we may use User Information: (1) to provide users with requested information or the Service; (2) to process user registration with the Service, including verifying information is active and valid; (3) to improve the Service, to customize user experience with the Service, or to serve specific content that is most relevant to a user; (4) to contact users with regard to use of the Service and, in our discretion, to make changes to the Service or our policies; (5) for internal business purposes; (6) for inclusion in our data analytics; (7) for research, consistent with applicable law and the terms of any required consent form; (8) for complaint monitoring, and safety and reporting obligations, including product safety purposes; and (9) for purposes disclosed at the time users provide us with their information, or as otherwise set forth in this Privacy Policy.

4. How and When We Disclose User Information to Third Parties

4.1 Generally. We do not sell, share, rent or trade the information we have collected about you, including Personally Identifiable Information, other than as disclosed within this Privacy Policy or at the time you provide your information. We do not use your Personally Identifiable Information for direct marketing purposes or share your Personally Identifiable Information with third parties for those third parties’ direct marketing purposes unless you consent to such use or sharing.  We may share Non-Personally Identifiable Information, such as aggregated user statistics and log data, with third parties for industry analysis, research, or for other business purposes.

4.2 Third Parties Providing Services on Our Behalf. We use third party companies and individuals to facilitate our Services, provide or perform certain aspects of the Services on our behalf to host the Services, design and/or operate the Services’ features, track the Services’ analytics, process payments, engage in anti-fraud and security measures, provide customer support, perform technical services, or perform other administrative services. We may provide these vendors with access to User Information, including Personally Identifiable Information as permitted by, and in accordance with, applicable law. We will enter into special contracts with such vendors strictly limiting the vendors’ ability to use and disclose Personally Identifiable Information and requiring the use of certain security measures by the vendors.

4.3 Administrative and Legal Reasons. If we receive requests for information from, or are obligated to supply information to government and law enforcement officials and private parties in regards to enforcing and complying with the law and in connection with private law suits, we will disclose User Information to these parties as we reasonably determine is necessary to comply with applicable law.  For example, we may disclose User Information: (i) to satisfy any applicable law or regulation, subpoenas, governmental requests, regulatory compliance obligations, or legal process; (ii) to protect and/or defend our policies; (iii) to protect the safety, rights, property or security of the Company, our Service or any third party; (iv) to protect the safety of the public for any reason; (v) to detect, prevent or otherwise address fraud, security or technical issues; and/or (vi) to prevent or stop activity we may consider to be, or to pose a risk of being, an illegal, unethical, or legally actionable activity.

4.4 Business Transfer. We may, to the extent permitted by law, share all User Information with our subsidiaries and affiliates for internal, business related (non-marketing) purposes. We also reserve the right to disclose and transfer all User Information: (i) to a subsequent owner, co-owner or operator of the Service; or (ii) in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, including, during the course of any due diligence process, all to the extent permitted by law.

5. Account Changes and Cancelation

5.1 Accuracy; Changes. You are responsible for maintaining the accuracy of your Personally Identifiable Information.  If you are a patient user and your Personally Identifiable Information changes, or if you no longer desire to use the Service, you may request your healthcare provider to correct, delete inaccuracies, or amend your Account information. Changes will be made as soon as practicable.  If you wish to cancel your Account or request that we no longer use your information to provide you Services, contact the healthcare provider who enrolled you.  Your return of the tablet associated with the App dis-enrolls you from the Service.

5.2 Retention of Information. We will store User Information for as long as we need it to provide you our Service, to serve the purpose(s) for which your personal information was processed, as necessary to comply with our legal and regulatory obligations, resolve disputes, conclude any activities related to cancellation of an account (such as addressing chargebacks), investigate or prevent fraud and other inappropriate activity, to enforce our agreements, to conduct research as permitted by applicable law and for other business reasons consistent with applicable law.

6. Children’s Information

Our Service is not directed to nor intended for minors.  No one under 18 is allowed to register with or use the Service.  As such, we do not knowingly collect Personally Identifiable Information from anyone under the age of 18. If we discover that we have collected Personally Identifiable Information from a person under 18, we will promptly remove such information from our databases.  If you are a parent or guardian of a minor under the age of eighteen (18) and believe he or she has disclosed Personally Identifiable Information to us, please contact us.

7. How We Protect Your Information

User Identifiable Information is stored within our databases using standard, industry-wide, commercially reasonable security practices and procedures such as encryption, firewalls and SSL (Secure Socket Layers). User Identifiable Information contained within paper-based records is safeguarded by Endotronix’s adherence to standard, industry-wide, commercially reasonable physical security practices and procedures including restricted workforce access to records, required training for access to records, locked storage of records, and quarterly reviews of facilities and records security. We also implement security measures required by law. However, as effective as such technology and efforts may be, no security system is infallible and impervious to attack or hacking. Therefore, we cannot guarantee the security of our databases, nor can we guarantee that User Information won’t be intercepted while being transmitted to us over the Internet or wireless communication, or accessed when stored on our or our service providers’ servers, and any information you transmit to us, you transmit at your own risk. To help us protect your information, we strongly encourage you to not share your App access or any username or password with anyone.

8. Changes to this Policy

From time to time, we may update this Privacy Policy to reflect changes to our information practices. Any changes will be effective immediately upon the posting of the revised Privacy Policy. We encourage you to periodically review this policy on our Site for the latest information on our privacy practices.

9. Your California Privacy Rights

California’s “Shine the Light” law, California Civil Code § 1798.83, requires that certain businesses respond to requests from their California customers (those with whom we have an established business relationship) asking about the business’ practices related to disclosing Personally Identifiable Information to third parties for the third parties’ direct marketing purposes. At this time, we do not provide Personally Identifiable Information to third parties for their direct marketing purposes without your express consent (opt-in).

10. International Transfers of Personal Information

We may store, process and transmit personal information in locations around the world, including locations outside of the country or jurisdiction where you are located. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.

We transfer your personal information subject to appropriate safeguards as permitted under the applicable data protection laws. Specifically, when your personal information is transferred out of the Designated Countries, as defined in Article 11, we have the required contractual provisions for transferring personal information in place with the third parties to which your information is transferred. For such transfers, we rely on legal transfer mechanisms such as Standard Contractual Clauses, or we work with US-based third parties that are certified under the EU-US and Swiss-US Privacy Shield Framework.

If you have any questions regarding this Policy or our privacy practices, you may contact us at privacy@endotronix.com, or by postal mail at:

Endotronix Ireland Limited
Attn: Privacy
DCU Alpha Innovation Center,
Old Finglas Road,
Glasnevin, Dublin 11,
D11 KXN4,
Ireland

Or

Endotronix, Inc.
Attn: Privacy
815 Ogden Ave.
Lisle, IL 60532

11. Notice to Individuals Located in the European Economic Area or Switzerland

SECTION 11 AND SECTION 12 ONLY APPLY TO USERS OF OUR SERVICES THAT ARE LOCATED IN THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM OR SWITZERLAND (COLLECTIVELY, THE “DESIGNATED COUNTRIES”) AT THE TIME OF DATA COLLECTION. WE MAY ASK YOU TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN WHEN YOU USE SOME OF OUR SERVICES, OR WE MAY RELY ON YOUR IP ADDRESS TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN.

Where we rely only on your IP address, we cannot apply the terms of this Section to any User or Customer that masks or otherwise obfuscates their location information so as not to appear located in the Designated Countries. If any terms in this Section conflict with other terms contained in this Policy, the terms in this Section shall apply to users in the Designated Countries.

11.1 Endotronix’s relationship to you. A “data controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. A “data processor” refers to any entity that processes personal data under the data controller’s instructions. Depending on the context of the processing, Endotronix may act as a data controller to provide the Services, but may also act as a data processor on behalf of third party data controllers, such as commercial clinicians who use our Service. When Endotronix acts as the processor, personal data is processed in line with applicable data protection laws and data processing agreement(s) entered into with the data controller, where applicable. Any third parties that act as our service providers are data processors that handle your personal information in accordance with our instructions.

11.2 Lawful basis for processing your personal information. We will process your personal information where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Any potential impact on you and your rights will be considered before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you, unless we have obtained your consent or are otherwise required or permitted to by law.

We will process your personal information, including data related to health, where you have provided your explicit consent for such processing. The purposes of such processing include allowing you to share personal information for research purposes, allowing you to use the full benefit of the Apps, and for quality control and validation. You have the right to withdraw this consent at any time.

Finally, we will process your information when it is necessary for compliance with our legal obligations, the public interest, or in your vital interests.

12. Data Subject Rights of Individuals Located in the Designated Countries

When Endotronix is a data controller, we provide you with the rights described below when you use our Services. When Endotronix processes your personal information as a data processor, we will refer you to the relevant data controller for assistance with these requests. When we receive an individual rights request from you, we will ask you to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on others’ privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, or if you would like to exercise your rights under the applicable law, please contact privacy@endotronix.com, or by postal mail at:

Endotronix Ireland Limited
Attn: Privacy
DCU Alpha Innovation Center,
Old Finglas Road,
Glasnevin, Dublin 11,
D11 KXN4,
Ireland

Or

Endotronix, Inc.
Attn: Privacy
815 Ogden Ave.
Lisle, IL 60532

12.1 Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw that consent at any time. Such withdrawal will be respected and acted upon as soon as possible. Where such consent is obtained through the Endotronix MyCordella User Authorization form or Research Participant Informed Consent Form, if you decide to withdraw your consent, information that has already been gathered may still be used and given to others, but no new information will be gathered and further processing of the personal data collected under the consent will cease.

12.2 Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee for responding. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.

12.3 Right to erasure (the right to be forgotten). You may request to erase any of your personal information held by us that is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.

12.4 Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract or legitimate interests. However, Endotronix can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.

12.5 Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:

  • You contest the accuracy of your personal information that we have processed. We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
  • The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
  • We no longer need your personal information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims.
  • You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights.

We will only process your restricted personal information with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.

12.6 Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.

12.7 Notification to third-parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure or restriction of your personal information, unless this proves impossible or involves disproportionate effort.

12.8 Right to lodge a complaint. If you believe we have infringed or violated your privacy rights, please contact the Endotronix Data Protection Officer so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. A listing of data protection authorities can be found at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm