Last Updated: November 16, 2021
TABLE OF CONTENTS:
- General Privacy Statement
- What Personal Data We Collect
- Purposes for Collection of Personal Data and Legal Basis for Processing
- How We Share Your Personal Data
- Who is Responsible for Processing Your Personal Data
- International Data Transfers
- Your GDPR Rights
- Retention Periods
- Cookies and other Data Collection Technologies
- Your Choices; Interest Based Ads
- Children’s Information
- Do Not Track
- Links to Other Sites
- Changes to this Notice
- Securing Your Information
- Contacting Us
General Privacy Statement
At Flatiron Health, Inc. and Flatiron Health UK Limited (collectively “Flatiron,” “we” or “us”), we are committed to protecting your Personal Data (as defined below), including when you interact with the Flatiron websites (“Sites”). This Privacy Notice (this “Notice”) outlines the type of Personal Data Flatiron may collect; the means by which Flatiron may collect, use, or share your Personal Data; steps Flatiron takes to protect your Personal Data; and choices you are provided with respect to the use of your Personal Data. Please read this Notice carefully.
For the purposes of this Notice, “Personal Data” (also known as “personally identifiable information” (PII) or “personal information” in some jurisdictions) is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household that we collect for the purposes outlined in this Notice.
This Notice does not apply to patient information, which will be treated and handled in accordance with separate policies, outlined in our Patient Data Privacy Notice.
What Personal Data We Collect
When you interact with us, we may collect the following Personal Data:
- Direct identifiers, such as your name, address, email address, telephone number (when you provide them to us directly, for example via the “Find Out More” form), or an IP address or other online identifier. We typically collect this information directly from you in order to communicate with you, and provide you with access to certain information on our Sites or about our services.
The provision of certain types of Personal Data may be necessary or optional, depending on the circumstances. Mandatory Personal Data will be marked as such at the moment of collection of your information. If you refuse to provide mandatory Personal Data, Flatiron may not be able to process your request (such as your contact request).
We may also collect non-identifiable information, such as the type of browser or operating system you are using. We may also anonymise your Personal Data in accordance with applicable law or create aggregate, anonymised information that relates to a group of individuals. We may use such information for any lawful purpose.
Purposes for Collection of Personal Data and Legal Basis for Processing
Your Personal Data will be processed on the basis of the following legal bases:

| Purpose and Categories of Personal Data | Legal Basis (Article 6 GDPR) | Legal Basis (Article 9 GDPR) |
|---|---|---|
| Responding to Requests or Inquiries: We may use information that you provide to us to take the steps necessary to respond to your requests. For example, you may inquire about a product or subscribe to one of our mailing lists. Depending on your request, we may collect your contact information (such as your name, mailing address, telephone number), your interests and preferences (such as products or areas of interest), and any other information you provide to us. | Consent (6(1)(a)); Legitimate interest (6(1)(f)) | Explicit Consent (9(2)(a)) |
| Personalising Your Experience. We may collect certain information about you, your preferences, and how you have interacted with us in the past in order to understand your interest in our products and services so that we can best serve you. This may include information about your contact and product preferences, languages, marketing preferences, and demographic data. | Consent (6(1)(a)) | N/A |
| To run and maintain our Sites. We use this information to secure our Sites, network systems, and other assets. This may include information concerning your IP address, geographic location, resources you have accessed, and similar information. | Legitimate interest (6(1)(f)) | N/A |
| To send important notices regarding Flatiron services, including changes to our terms, conditions, and policies. If we need to contact you regarding important notices, we will use information you have provided to us such as your name and email address. | Legitimate interest (6(1)(f)) | N/A |
| To comply with legal obligations to which Flatiron is subject. We may use all information we have collected from or about you as necessary to comply with a legal obligation to which we are subject. | Legal obligation (6(1)(c)) | Legal obligation (9(2)(j)) |
| In the event of a corporate transaction such as a sale, merger, consolidation, change in control, transfer of substantial assets, reorganisation, or liquidation, to transfer, or assign to third parties information concerning your relationship with us, including, without limitation, personal data that you provide to us and other information concerning your relationship with us. | Legal Obligation (6(1)(c)); Legitimate interest (6(1)(f)) | Legal Obligation (6(1)(c)) |

How We Share Your Personal Data
We may share your Personal Data for the reason(s) disclosed to you at the time we collect it, with your consent, at your direction, or in the following ways:
- Within Flatiron: We may share your Personal Data internally among our business units, brands, and our affiliates in order to provide you our services and generally improve our product and service offerings.
- With vendors and other service providers: We may share your Personal Data with service providers who perform services for us and act on our direction. These services may include activities such as direct mailing, fulfillment services, email-campaigns, digital advertising, hosting, and other IT services. Our policy is to prohibit these service providers from using your Personal Data for purposes other than providing services directly to us.
- With business partners: We may share your Personal Data with our business partners in order to provide you our services and generally to improve our product and service offerings.
- In the event of a corporate transaction: In the event we go through a business transition, such as a merger, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy, or sale of all or a portion of our assets, we may disclose your Personal Data to the party or parties of such transaction.
- To comply with our legal obligations and to protect our rights: We will disclose your Personal Data when we think it is necessary to investigate or prevent actual or expected fraud, criminal activity, injury or damage to us or others or when otherwise required by statute, regulation, subpoena, court order, or other law, or if necessary to protect the rights, property, or safety of us, our employees, or others.
Who is Responsible for the Processing of Your Personal Data
With respect to Personal Data that is collected through your use of the Sites, Flatiron Health, Inc. and Flatiron Health UK Limited will act as joint controllers.
For interactions that do not go through one of our Sites, please refer to the information provided at the point of contact, such as the relevant email signatures, to find out which Flatiron entity is the controller.
The contact information of the joint controllers is set out below:
Flatiron Health, Inc.
233 Spring Street
New York, NY 10012
Flatiron Health UK Limited
Ivy House, 107 St. Peter’s Street,
St. Albans, Hertfordshire
Data Protection Officer
Joe Stock (firstname.lastname@example.org)
East Side, Kings Cross
London N1C 4AX
International Data Transfers
The information that Flatiron collects about you through the Sites or your interactions with us will be stored and processed in the United States and the United Kingdom.
When we transfer your personal data to recipients in countries outside of the United Kingdom that do not provide adequate legal protection for the processing of personal data, we will ensure that appropriate safeguards are implemented to secure such data transfers in compliance with applicable data protection laws and after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient is established. We have implemented international data transfer agreements based on the EU and UK Standard Contractual Clauses to cover our international data transfers. In order to receive a copy of these clauses and/or other safeguards, you can contact us at email@example.com.
Your GDPR Rights
You have certain rights in relation to Personal Data collected about you:
- Access: You have the right to obtain confirmation as to whether we process your Personal Data, access to such Personal Data as well as to information regarding the purposes of such processing, the categories of personal data concerned, the recipients, the period for which the information will be stored, your rights, and possibly the source of the information.
- Portability: You have the right to receive a copy of the information we hold about you in case you have given us consent and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
- Correction: You have the right to request correction of any personal information about you we hold that is inaccurate.
- Erasure: In certain circumstances, you have the right to delete the information we hold about you.
- Restriction of processing to storage only: You have the right to require us to stop processing the information we hold about you, other than for storage purposes, in certain circumstances.
- Objection: You have the right to object to our processing of Personal Data about you on grounds of your particular situation in case we process such information for our legitimate interests.
- Objection to marketing: You can object to marketing at any time, including by opting-out using the unsubscribe/opt-out function displayed in our communications to you.
- Withdrawal of consent: You have the right to withdraw your consent at any time.
Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain personal information about you.
To exercise any of these rights, please contact us at firstname.lastname@example.org. We will respond to requests to exercise these rights without undue delay and at least within one month (though this may be extended by a further two months in certain circumstances).
Retention Periods
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. We will also retain and use your Personal Data to the extent necessary to resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies.
To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the data, the potential risk of harm for unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.
Upon expiration of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.
Cookies and Other Data Collection Technologies
Your Choices; Interest-Based Ads
We encourage you to communicate your preferences to us about how we use your Personal Data.
- Unsubscribe from marketing: You may opt-out of receiving marketing communications from us by following the instructions included in each communication or by emailing us at email@example.com. If you receive marketing communications from any of our business partners or other parties, you must opt-out with each of those parties. Note that if you unsubscribe from our marketing communications, you still may receive transaction and other administrative communications from us based on the nature of your relationship with us.
- Modify your Personal Data: You may request changes to any incorrect Personal Data that we maintain about you. Contact us at the email, address, or phone number included in the Contacting Us section, below, to make a request. We will endeavor to comply with your request, but please understand that we may not be able to modify information about you that we have relied upon to provide services to you or that we are legally required to maintain.
- Turn off location services: If you do not want us to collect information from your device, please disable the location setting(s) on your device or, when applicable, delete any Flatiron applications. Please note that disabling the location setting may affect certain features of our Sites and any Flatiron applications.
We may use third-party vendors to serve advertisements on our behalf across the internet. These advertising vendors may collect (by using Data Collection Technologies) information about your visits to and interactions with our Sites. In addition to the information about your visits to our Site, these vendors may also use the information about your visits to other websites to target advertisements for products and services available from us. If you would like more information about this practice and your choices relating to this data collection, please visit networkadvertising.org. You may manage your third-party advertising preferences.
Children’s Information
Our Sites are not intended for use by or directed to children under 18 years of age. If you are under 18 years old or otherwise have not attained the age of majority in your state of residence, you must have your parent or other legal representative’s permission to use the Sites. If we learn that we have received any Personal Data directly from a child under age 18 without first receiving his or her parent’s verified consent, we will use that Personal Data only to respond directly to that child (or his or her parent or legal guardian) to inform the child that he or she cannot use the Sites. We will then subsequently delete that child’s Personal Data.
Do Not Track
Some web browsers incorporate a “Do Not Track” (“DNT”) feature that signals to the websites that you visit that you do not want to have your online activity tracked. Many websites and applications, including our Sites, do not currently respond to web browser DNT signals because such signals are not yet uniform. For more information about DNT signals, please visit www.allaboutdnt.com.
Links to Other Sites
Our Sites may contain links to other sites that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices or content of such other sites. We encourage you to be aware when you leave our Sites and review the privacy policies of such sites as their privacy policies may differ from ours.
Changes to this Privacy Notice
We reserve the right to change or replace this Notice at any time. Please check back from time to time to ensure that you are aware of any changes or updates to the Privacy Notice. We will indicate the date that the Notice was last updated at the top of this page. If we make material changes that would impact your use of the Sites or your privacy rights, we will endeavor to notify you of the changes, such as by posting a notice directly on the Sites or by sending an email notification if you have provided your email address to us.
Securing Your Information
We use reasonable safeguards aimed to protect against unauthorised use, disclosure, alteration or destruction of the Personal Data we collect and maintain. You should keep in mind, however, that no data transmitted over the internet is 100% secure. As a result, while we strive to protect your Personal Data, we cannot guarantee or warrant the security of any information you transmit to or from our Sites.
Contacting Us
If you have any questions or comments about this Privacy Notice, please contact us at firstname.lastname@example.org or by mail at:
Flatiron Health UK Limited
Ivy House, 107 St. Peter’s Street,
St. Albans, Hertfordshire