Version Date: Jun 3, 2020
GATHERING, USE AND DISCLOSURE OF NON-PERSONALLY-IDENTIFYING INFORMATION
Subscribers of the Subscription Service Generally
“Non-Personally-Identifying Information” is information that, without the aid of additional information, cannot be directly associated with a specific person. “Personally-Identifying Information,” by contrast, is information such as a name or email address that, without more, can be directly associated with a specific person. Like most online operators, Epsagon gathers from subscribers of the Subscription Service Non-Personally-Identifying Information of the sort that web browsers, depending on their settings, may make available. That information includes the subscriber’s Internet Protocol (IP) address, operating system and browser type, and the locations of the web pages the subscriber views right before arriving at, while navigating and immediately after leaving the Subscription Service. Although such information is not personally identifiable, it may be possible for Epsagon to determine from an IP address a subscriber’s Internet service provider and the geographic location of the visitor’s point of connectivity as well as other statistical usage data. Epsagon analyzes Non-Personally-Identifying Information gathered from subscribers of the Subscription Service to help Epsagon better understand how the Subscription Service is being used. By identifying patterns and trends in usage, Epsagon is able to better design the Subscription Service to improve subscribers’ experiences, both in terms of content and ease of use. From time to time, Epsagon may also release the Non-Personally-Identifying Information gathered from Subscription Service subscribers in the aggregate, such as by publishing a report on trends in the usage of the Subscription Service.
A “Web Beacon” is an object that is embedded in a web page or email that is usually invisible to the subscriber and allows website operators to check whether a subscriber has viewed a particular web page or an email. Epsagon may use Web Beacons on the Subscription Service and in emails to count subscribers who have visited particular pages and viewed emails. Web Beacons are not used to access subscribers’ Personally-Identifying Information; they are a technique Epsagon may use to compile aggregated statistics about Subscription Service usage. Web Beacons collect only a limited set of information including a Web Cookie number, time and date of a page or email view, and a description of the page or email on which the Web Beacon resides. You may not decline Web Beacons; however, they can be rendered ineffective by declining all Web Cookies or modifying your browser setting to notify you each time a Web Cookie is tendered and permit you to accept or decline Web Cookies on an individual basis.
We may use third-party vendors, including Google, who use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to provide analytics services, inform, optimize, and serve ads based on your past activity on our websites and applications, including Google Analytics for Display Advertising. These vendors may use Web Cookies, Web Beacons and other technologies to collect information about your use of the Subscription Service, our service and other websites, including your IP address, web browser, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our service and other websites and better understand your online activity. If you do not want any information to be collected and used by Google Analytics, you can install an opt-out in your web browser (https://tools.google.com/dlpage/gaoptout/) and/or opt out from Google Analytics for Display Advertising or the Google Display Network. You can do so by using Google’s Ads Settings (www.google.com/settings/ads). For more information about interest-based ads, or to opt out in general of having your web browsing information used for behavioral advertising purposes, please visit www.aboutads.info/choices.
Aggregated and Non-Personally-Identifying Information
We may share aggregated and Non-Personally Identifying Information we collect under any of the above circumstances. We may also share it with third parties and our affiliate companies to develop and deliver targeted advertising on our Subscription Service and on websites of third parties. We may combine Non-Personally Identifying Information we collect with additional Non-Personally Identifying Information collected from other sources. We also may share aggregated information with third parties, including advisors, advertisers and investors, for the purpose of conducting general business analysis. For example, we may tell our advertisers the number of visitors to our Subscription Service and the most popular features or services accessed. This information does not contain any Personally-Identifying Information and may be used to develop content and services that we hope you and other subscribers will find of interest.
COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION
As defined above, Personally-Identifying Information is information that can be directly associated with a specific person. Epsagon may collect a range of Personally-Identifying Information from and about subscribers. Much of the Personally-Identifying Information collected by Epsagon about subscribers is information provided by subscribers themselves when (1) registering for our service, (2) participating in polls, surveys or other features of our service, or responding to offers, (3) communicating with us, or (4) signing up to receive newsletters. That information may include each subscriber’s name, address, email address, and telephone number, and, if you transact business with us, financial information such as your payment method (valid credit card number, type, expiration date or other financial information). We also may request information about your interests and activities, your gender, age, date of birth, username, hometown and other demographic information, and other relevant information as determined by Epsagon from time to time. Subscribers of the Subscription Service are under no obligation to provide Epsagon with Personally-Identifying Information of any kind, with the caveat that a subscriber’s refusal to do so may prevent the subscriber from using certain Subscription Service features.
BY REGISTERING WITH OR USING THE SUBSCRIPTION SERVICE, YOU AGREE TO THE USE AND DISCLOSURE OF YOUR PERSONALLY IDENTIFYING INFORMATION AS DESCRIBED IN THIS “COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION” SECTION.
We may occasionally use your name and email address to send you notifications regarding new services offered by the Subscription Service that we think you may find valuable. We may also send you service-related announcements from time to time through the general operation of the service. Generally, you may opt out of such emails at the time of registration or through your account settings, though we reserve the right to send you notices about your account, such as service announcements, and administrative messages, even if you opt out of all voluntary email notifications.
BY SIGNING UP FOR AN ACCOUNT AND PROVIDING YOUR PHONE NUMBER, YOU AGREE TO RECEIVE INFORMATIONAL TEXT MESSAGES FROM US RELATING TO USE OF THE SUBSCRIPTION SERVICE.
If you do not want to receive such messages, you may opt out or change your preferences in your account. Opting out may prevent you from receiving messages regarding updates, improvements, or offers.
Epsagon will disclose Personally-Identifying Information under the following circumstances:
- By Law or to Protect Rights. When we believe disclosure is appropriate in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of Epsagon, our subscribers, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our Subscription Service Agreement or other agreements or policies, in response to a subpoena or similar investigative demand, a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases, we may raise or waive any legal objection or right available to us.
- Third Party Service Providers. We may share your Personally-Identifying Information, which may include your name and contact information (including email address) with our authorized service providers that perform certain services on our behalf. These services may include fulfilling orders, providing customer service and marketing assistance, performing business and sales analysis, supporting our website functionality, and supporting surveys and other features offered through our Subscription Service. We may also share your name, contact information and credit card information with our authorized service providers who process credit card payments. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purpose.
Changing Personally-Identifying Information; Account Termination
You may at any time review or change your Personally-Identifying Information by going to your account settings (if applicable) or contacting us using the contact information below. Upon your request, we will deactivate or delete your account and contact information from our active databases. Such information will be deactivated or deleted as soon as practicable based on your account activity and in accordance with our deactivation policy and applicable law. To make this request, either go to your account settings (if applicable) or contact us as provided below. We will retain in our files some personal information to prevent fraud, to troubleshoot problems, to assist with any investigations, to enforce our Subscription Service Agreement and to comply with legal requirements as is permitted by law. Therefore, you should not expect that all your personal information will be completely removed from our databases in response to your requests. Additionally, we keep a history of changed information to investigate suspected fraud with your account.
We use the Personally-Identifying Information in the file we maintain about you, and other information we obtain from your current and past activities on the Subscription Service to: deliver the products and services that you have requested, manage your account and provide you with customer support, communicate with you by email, postal mail, telephone and/or mobile devices about products or services that may be of interest to you either from us, our affiliate companies or other third parties, develop and display content and advertising tailored to your interests on our Subscription Service and other sites, resolve disputes, troubleshoot problems, measure consumer interest in our services, inform you of updates, customize your experience, detect and protect us against error, fraud and other criminal activity, enforce our Subscription Service Agreement, and as otherwise described to you at the time of collection. At times, we may look across multiple subscribers to identify problems. In particular, we may examine your Personally-Identifying Information to identify subscribers using multiple subscriber IDs or aliases. We may compare and review your Personally-Identifying Information for accuracy and to detect errors and omissions. We may use financial information or payment method to process payment for any purchases made on our Subscription Service, enroll you in the discount, rebate, and other programs in which you elect to participate, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business.
COLLECTION AND USE OF CUSTOMER DATA HOSTED BY EPSAGON
In limited circumstances, Epsagon or its employees, agents and contractors may have access to, use or disclose Subscriber Data in order to provide the Subscription Service. The following are some of the more common (but not exhaustive) circumstances under which Epsagon, and its employees, agents and contractors may have access to, use or disclose Subscriber Data in order to provide the Subscription Service:
- To host, process, conduct data backups and maintenance, upgrades, debugging, troubleshooting, programming and other related administrative or technical activities required to provide the Subscription Service;
- To conduct security activities related to preventing, detecting, investigating and responding to security incidents, threats or vulnerabilities, implementing security safeguards and controls and other activities related to security;
- To respond to or provide support and related activities which you have requested in connection with your account and the Subscription Service, or which you have otherwise consented to;
- In response to court orders, legal process, or as otherwise required by applicable law;
- In connection with suspension, termination or expiration of the Subscription Service Agreement as set forth in the Subscription Service Agreement, or as necessary to resolve any dispute related to the Subscription Service Agreement; or
- When we act under exigent circumstances, to the extent permitted by applicable law, to protect the safety of customers or the public.
Notwithstanding the foregoing, Epsagon may use and disclose information that includes, is based upon or is derived from the Subscriber Data for marketing, business and other related purposes, provided that such information is in a form that is aggregated and de-identified so that the data is not associable to any individual subscriber.
Retention and deletion by Epsagon of Subscriber Data is governed by the terms of the Subscription Service Agreement.
The Children’s Online Privacy Protection Act (“COPPA”) protects the online privacy of children under 13 years of age. We do not knowingly collect or maintain personal information from anyone under the age of 13, unless or except as permitted by law. Any person who provides personal information through the Subscription Service represents to us that he or she is 13 years of age or older.
COLLECTION AND USE OF INFORMATION BY THIRD PARTIES GENERALLY
We take security of your Personally-Identifying Information seriously and use reasonable electronic, personnel, and physical measures to protect it from loss, theft, alteration, or misuse. However, please be advised that even the best security measures cannot fully eliminate all risks. We cannot guarantee that only authorized persons will view your information. We are not responsible for third party circumvention of any privacy settings or security measures.
We are dedicated to protecting all information on our Subscription Service as is necessary. However, you are responsible for maintaining the confidentiality of your Personally-Identifying Information by keeping your password confidential. You should change your password immediately if you believe someone has gained unauthorized access to it or your account. If you lose control of your account, you should notify us immediately.
EU-US Privacy Shield
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Epsagon, Inc. is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
Pursuant to the Privacy Shield Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Epsagon, Inc.’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Epsagon, Inc. remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Epsagon, Inc. proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Epsagon, Inc. commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Epsagon, Inc at: email@example.com.
Epsagon, Inc has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
CALIFORNIA PRIVACY RIGHTS
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our subscribers who are California residents to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to our privacy officer as listed below.
DO NOT TRACK POLICY
Our Subscription Service does not respond to “Do Not Track” signals or mechanisms.
HIPAA and GDPR COMPLIANCE
At Epsagon, nothing is more important to us than the success of our customers and the protection of their Personally Identifiable Information (PII) or Protected Health Information (PHI). With customers in nearly every country in the world, we adhere to the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). HIPAA sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA and GDPR Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA and GDPR Compliance. Other entities, such as subcontractors and any other related business associates that hold this data, must also be in compliance.
What steps were taken by Epsagon following the HIPAA and GDPR requirements?
We worked with our engineering, product, security and legal teams to bring both our product and our legal terms in line with HIPAA and GDPR, and we will continue to ensure they remain in line. As part of the Epsagon readiness project, we’ve taken the following steps:
- Reviewed and strengthened our security infrastructure and practices, data encryption in transit and at rest, backup, logs, and security alerts.
- Conducted a risk assessment and data mapping process to make sure any data that may be stored or processed is processed and managed according to the HIPAA and GDPR instructions.
- Had an external audit performed by E&Y to receive a SOC 2 Type II security attestation from the American Institute of Certified Public Accountants (AICPA).
- Received an internationally recognized security certification for ISO 27001 ISMS (information security management system)
- We’ve put in place all the internal procedures, processes and controls, and recurring training sessions for the team, to ensure our ongoing compliance with HIPAA and GDPR.
- Performed security and privacy assessments of our sub-processors to ensure they all comply with the HIPAA and GDPR requirements.
- We’ve appointed a Data Protection Officer (DPO).
- We’ll continue to monitor the guidance around HIPAA and GDPR compliance and will ensure that our product and processes comply with that guidance when it becomes effective.
You have the right under certain circumstances:
- to be provided with a copy of your personal data held by us;
- to request the rectification or erasure of your personal data held by us;
- to request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example).

You may opt out at any time from allowing further access by us to your location data.
We would appreciate the opportunity to directly address any HIPAA or GDPR issues you may have. Please contact us at firstname.lastname@example.org.