Version Date: May 30, 2019
GATHERING, USE AND DISCLOSURE OF NON-PERSONALLY-IDENTIFYING INFORMATION
Subscribers of the Subscription Service Generally
“Non-Personally-Identifying Information” is information that, without the aid of additional information, cannot be directly associated with a specific person. “Personally-Identifying Information,” by contrast, is information such as a name or email address that, without more, can be directly associated with a specific person. Like most online operators, Epsagon gathers from subscribers of the Subscription Service Non-Personally-Identifying Information of the sort that web browsers, depending on their settings, may make available. That information includes the subscriber’s Internet Protocol (IP) address, operating system and browser type, and the locations of the web pages the subscriber views right before arriving at, while navigating and immediately after leaving the Subscription Service. Although such information is not personally identifiable, it may be possible for Epsagon to determine from an IP address a subscriber’s Internet service provider and the geographic location of the visitor’s point of connectivity as well as other statistical usage data. Epsagon analyzes Non-Personally-Identifying Information gathered from subscribers of the Subscription Service to help Epsagon better understand how the Subscription Service is being used. By identifying patterns and trends in usage, Epsagon is able to better design the Subscription Service to improve subscribers’ experiences, both in terms of content and ease of use. From time to time, Epsagon may also release the Non-Personally-Identifying Information gathered from Subscription Service subscribers in the aggregate, such as by publishing a report on trends in the usage of the Subscription Service.
A “Web Beacon” is an object that is embedded in a web page or email that is usually invisible to the subscriber and allows website operators to check whether a subscriber has viewed a particular web page or an email. Epsagon may use Web Beacons on the Subscription Service and in emails to count subscribers who have visited particular pages and viewed emails. Web Beacons are not used to access subscribers’ Personally-Identifying Information; they are a technique Epsagon may use to compile aggregated statistics about Subscription Service usage. Web Beacons collect only a limited set of information including a Web Cookie number, time and date of a page or email view, and a description of the page or email on which the Web Beacon resides. You may not decline Web Beacons; however, they can be rendered ineffective by declining all Web Cookies or by modifying your browser settings to notify you each time a Web Cookie is tendered and permit you to accept or decline Web Cookies on an individual basis.
We may use third-party vendors, including Google, who use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to provide analytics services, inform, optimize, and serve ads based on your past activity on our websites and applications, including Google Analytics for Display Advertising. These vendors may use Web Cookies, Web Beacons and other technologies to collect information about your use of the Subscription Service, our service and other websites, including your IP address, web browser, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our service and other websites and better understand your online activity. If you do not want any information to be collected and used by Google Analytics, you can install an opt-out in your web browser (https://tools.google.com/dlpage/gaoptout/) and/or opt out from Google Analytics for Display Advertising or the Google Display Network. You can do so by using Google’s Ads Settings (www.google.com/settings/ads). For more information about interest-based ads, or to opt out in general of having your web browsing information used for behavioral advertising purposes, please visit www.aboutads.info/choices.
Aggregated and Non-Personally-Identifying Information
We may share aggregated and Non-Personally Identifying Information we collect under any of the above circumstances. We may also share it with third parties and our affiliate companies to develop and deliver targeted advertising on our Subscription Service and on websites of third parties. We may combine Non-Personally Identifying Information we collect with additional Non-Personally Identifying Information collected from other sources. We also may share aggregated information with third parties, including advisors, advertisers and investors, for the purpose of conducting general business analysis. For example, we may tell our advertisers the number of visitors to our Subscription Service and the most popular features or services accessed. This information does not contain any Personally-Identifying Information and may be used to develop content and services that we hope you and other subscribers will find of interest.
COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION
As defined above, Personally-Identifying Information is information that can be directly associated with a specific person. Epsagon may collect a range of Personally-Identifying Information from and about subscribers. Much of the Personally-Identifying Information collected by Epsagon about subscribers is information provided by subscribers themselves when (1) registering for our service, (2) participating in polls, surveys or other features of our service, or responding to offers, (3) communicating with us, or (4) signing up to receive newsletters. That information may include each subscriber’s name, address, email address, and telephone number, and, if you transact business with us, financial information such as your payment method (valid credit card number, type, expiration date or other financial information). We also may request information about your interests and activities, your gender, age, date of birth, username, hometown and other demographic information, and other relevant information as determined by Epsagon from time to time. Subscribers of the Subscription Service are under no obligation to provide Epsagon with Personally-Identifying Information of any kind, with the caveat that a subscriber’s refusal to do so may prevent the subscriber from using certain Subscription Service features.
BY REGISTERING WITH OR USING THE SUBSCRIPTION SERVICE, YOU CONSENT TO THE USE AND DISCLOSURE OF YOUR PERSONALLY IDENTIFYING INFORMATION AS DESCRIBED IN THIS “COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION” SECTION.
We may occasionally use your name and email address to send you notifications regarding new services offered by the Subscription Service that we think you may find valuable. We may also send you service-related announcements from time to time through the general operation of the service. Generally, you may opt out of such emails at the time of registration or through your account settings, though we reserve the right to send you notices about your account, such as service announcements, and administrative messages, even if you opt out of all voluntary email notifications.
BY SIGNING UP FOR AN ACCOUNT AND PROVIDING YOUR PHONE NUMBER, YOU AGREE TO RECEIVE INFORMATIONAL TEXT MESSAGES FROM US RELATING TO USE OF THE SUBSCRIPTION SERVICE.
If you do not want to receive such messages, you may opt out or change your preferences in your account. Opting out may prevent you from receiving messages regarding updates, improvements, or offers.
Epsagon will disclose Personally-Identifying Information under the following circumstances:
- By Law or to Protect Rights. When we believe disclosure is appropriate in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of Epsagon, our subscribers, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our Subscription Service Agreement or other agreements or policies, in response to a subpoena or similar investigative demand, a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases, we may raise or waive any legal objection or right available to us.
- Marketing Communications. Unless subscribers opt out of receiving Epsagon marketing materials upon registration, Epsagon may email subscribers about products and services that Epsagon believes may be of interest to them. If a subscriber wishes to opt out of receiving marketing materials from Epsagon, the subscriber may do so by following the unsubscribe link in email communications, by going to the subscriber’s account settings (if applicable) or by contacting us using the contact information below.
- Third Party Service Providers. We may share your Personally-Identifying Information, which may include your name and contact information (including email address) with our authorized service providers that perform certain services on our behalf. These services may include fulfilling orders, providing customer service and marketing assistance, performing business and sales analysis, supporting our website functionality, and supporting surveys and other features offered through our Subscription Service. We may also share your name, contact information and credit card information with our authorized service providers who process credit card payments. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purpose.
Changing Personally-Identifying Information; Account Termination
You may at any time review or change your Personally-Identifying Information by going to your account settings (if applicable) or contacting us using the contact information below. Upon your request, we will deactivate or delete your account and contact information from our active databases. Such information will be deactivated or deleted as soon as practicable based on your account activity and in accordance with our deactivation policy and applicable law. To make this request, either go to your account settings (if applicable) or contact us as provided below. We will retain in our files some personal information to prevent fraud, to troubleshoot problems, to assist with any investigations, to enforce our Subscription Service Agreement and to comply with legal requirements as is permitted by law. Therefore, you should not expect that all your personal information will be completely removed from our databases in response to your requests. Additionally, we keep a history of changed information to investigate suspected fraud with your account.
We use the Personally-Identifying Information in the file we maintain about you, and other information we obtain from your current and past activities on the Subscription Service to: deliver the products and services that you have requested, manage your account and provide you with customer support, communicate with you by email, postal mail, telephone and/or mobile devices about products or services that may be of interest to you either from us, our affiliate companies or other third parties, develop and display content and advertising tailored to your interests on our Subscription Service and other sites, resolve disputes, troubleshoot problems, measure consumer interest in our services, inform you of updates, customize your experience, detect and protect us against error, fraud and other criminal activity, enforce our Subscription Service Agreement, and as otherwise described to you at the time of collection. At times, we may look across multiple subscribers to identify problems. In particular, we may examine your Personally-Identifying Information to identify subscribers using multiple subscriber IDs or aliases. We may compare and review your Personally-Identifying Information for accuracy and to detect errors and omissions. We may use financial information or payment method to process payment for any purchases made on our Subscription Service, enroll you in the discount, rebate, and other programs in which you elect to participate, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business.
COLLECTION AND USE OF CUSTOMER DATA HOSTED BY EPSAGON
In limited circumstances, Epsagon or its employees, agents and contractors may have access to, use or disclose Subscriber Data in order to provide the Subscription Service. The following are some of the more common (but not exhaustive) circumstances under which Epsagon, and its employees, agents and contractors may have access to, use or disclose Subscriber Data in order to provide the Subscription Service:
- To host, process, conduct data backups and maintenance, upgrades, debugging, troubleshooting, programming and other related administrative or technical activities required to provide the Subscription Service;
- To conduct security activities related to preventing, detecting, investigating and responding to security incidents, threats or vulnerabilities, implementing security safeguards and controls and other activities related to security;
- To respond to or provide support and related activities which you have requested in connection with your account and the Subscription Service, or which you have otherwise consented to;
- In response to court orders, legal process, or as otherwise required by applicable law;
- In connection with suspension, termination or expiration of the Subscription Service Agreement as set forth in the Subscription Service Agreement, or as necessary to resolve any dispute related to the Subscription Service Agreement; or
- When we act under exigent circumstances, to the extent permitted by applicable law, to protect the safety of customers or the public.
Notwithstanding the foregoing, Epsagon may use and disclose information that includes, is based upon or is derived from the Subscriber Data for marketing, business and other related purposes, provided that such information is in a form that is aggregated and de-identified so that the data is not associable to any individual subscriber.
Retention and deletion by Epsagon of Subscriber Data is governed by the terms of the Subscription Service Agreement.
The Children’s Online Privacy Protection Act (“COPPA”) protects the online privacy of children under 13 years of age. We do not knowingly collect or maintain personal information from anyone under the age of 13, unless or except as permitted by law. Any person who provides personal information through the Subscription Service represents to us that he or she is 13 years of age or older.
COLLECTION AND USE OF INFORMATION BY THIRD PARTIES GENERALLY
We take security of your Personally-Identifying Information seriously and use reasonable electronic, personnel, and physical measures to protect it from loss, theft, alteration, or misuse. However, please be advised that even the best security measures cannot fully eliminate all risks. We cannot guarantee that only authorized persons will view your information. We are not responsible for third party circumvention of any privacy settings or security measures.
We are dedicated to protecting all information on our Subscription Service as is necessary. However, you are responsible for maintaining the confidentiality of your Personally-Identifying Information by keeping your password confidential. You should change your password immediately if you believe someone has gained unauthorized access to it or your account. If you lose control of your account, you should notify us immediately.
CALIFORNIA PRIVACY RIGHTS
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our subscribers who are California residents to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to our privacy officer as listed below.
DO NOT TRACK POLICY
Our Subscription Service does not respond to “Do Not Track” signals or mechanisms.
At Epsagon, nothing is more important to us than the success of our customers and the protection of their Personally Identifiable Information (PII) or Protected Health Information (PHI). With customers in nearly every country in the world, we adhere to the Health Insurance Portability and Accountability Act (HIPAA), which sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates that hold this data, must also be in compliance.
What steps were taken by Epsagon following the HIPAA requirements?
We worked with our engineering, product, security and legal teams to bring both our product and our legal terms in line with HIPAA, and we will continue to ensure they remain in line. As part of Epsagon’s HIPAA readiness project, we’ve taken the following steps:
- Reviewed and strengthened our security infrastructure and practices, data encryption in transit and at rest, backup, logs, and security alerts.
- Carried out a risk assessment and data mapping process to make sure any data that may be stored or processed is processed and managed according to the HIPAA instructions.
- Had an external audit performed by E&Y to receive a SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA).
- Received an internationally recognized security certification for ISO 27001 ISMS (information security management system).
- Put in place all the internal procedures, processes and controls, and recurring training sessions for the team, to ensure our ongoing compliance with HIPAA.
- Performed a security and privacy assessment of our sub-processors to ensure they all comply with the HIPAA requirements.
- Appointed a Data Protection Officer (DPO).
- We’ll continue to monitor the guidance around HIPAA compliance and will ensure that our product and processes comply with that guidance when it becomes effective.