IDBS / QUANTRIX California Consumer Rights Notice
Effective Date: September 2022 (last updated September 2022)
ABOUT THIS POLICY
This California Consumer Rights Notice (“Notice”) supplements our Privacy Policy (“Policy”) by providing additional information about how IDBS and its affiliates and subsidiaries, a full list of which can be located here (collectively, “IDBS,” “we,” “our,” and “us”) process Personal Data relating to California residents that is subject to the California Consumer Privacy Act as amended from time to time (“CCPA”). We strongly encourage you to read in full our Policy in addition to this Notice. In the event of a conflict between the Policy and this Notice, the Notice shall control with respect to our processing of Personal Data relating to California residents that is subject to the CCPA, otherwise the Policy shall control.
PERSONAL DATA DEFINED BY CALIFORNIA CONSUMER PRIVACY ACT
Under the CCPA and for the purpose of this Notice “Personal Data” is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in the Privacy Policy. Personal Data includes, but is not limited to information if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household (California Consumer Privacy Act Section 1798.140):
Personal Data does not include information that is deidentified or aggregate information. Nor does it include Publicly Available information. Publicly Available information is information lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. Publicly available does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
PERSONAL DATA COLLECTION
See the section of the Privacy Policy entitled “General Categories of Personal Data We Collect” for more information about the types of Personal Data we collect and about the sources from which we obtain Personal Data. This includes types of Personal Data that may be considered “sensitive” under the CCPA.
PURPOSES OF PROCESSING PERSONAL DATA
See the section of the Privacy Policy entitled “General Categories of Personal Data We Collect” for more information about the business and commercial purposes for which we collect, use, and disclose Personal Data, including Personal Data that may be considered “sensitive” under the CCPA. See the section of the Policy entitled “Data Retention” for more information about retention practices.
PERSONAL DATA NOTICE
See the section of the Privacy Policy entitled “General Categories of Personal Data We Collect” for more information about the circumstances in which we disclose Personal Data and the parties to whom we disclose such Personal Data. As described in the Policy, we disclose Personal Data relating to California residents for various business purposes to Company entities and Third Party Service Providers that process such Personal Data on our behalf, including the following:
Categories of Personal Data that we Disclosed for Business Purpose |
---|
Identity and Contact Information |
Demographic Information |
Commercial and Financial Information |
Health Information |
Professional and Education Information |
Technical Information |
YOUR RIGHTS AND EXERCISING YOUR RIGHTS
Your Rights under the California Consumer Privacy Act
You may have the right under applicable law to:
- Request to know the categories of Personal Data we collect
- Request to know the categories of Service Providers and 3rd Parties we share your Personal Data with
- Request access to your Personal Data (a copy of the data will be provided to you in a reasonable format)
- Request we delete your Personal Data
- Request we correct your Personal Data
- Request we transfer your Personal Data to another person or organization
- Request that we do not sell your data to third parties
- Request that we opt you out of sharing your Personal Data for cross-context behavioral advertising or automated decision making
- Request that we limit use or disclosure of Sensitive Personal Data
Our Verification Process
Before we can begin to process your request, we must first verify your identity. We will use the following points of information for our verification process.
- Email Address
- Full Name
- Phone Number
- Mailing Address
- Employer, Service Provider, 3rd Party Vendor or Organization’s Name you are associated with
- A unique ID assigned to you by Company (if applicable)
Requests made for categories of information about you require that we verify your identity using at least two points of information listed above.
Requests made for specific information require that we use at least three points of information listed above. Additionally, you will be required to provide a document signed under penalty of perjury affirming that you are the consumer about whom you are making the information request.
For requests made for the deletion of information we will require two or three of the points of information above, depending on the sensitivity of the information requested to be deleted.
How To Make A Request
To exercise your rights under the CCPA, you can contact us by:
- Calling our toll-free number 1-888-914-9661 PIN: 046783 (when prompted to do so, please leave your name, email address, and the fact that your request relates to IDBS) or
- Submitting a request through this webform.
We will not unlawfully deny you goods or services or discriminate against you for exercising your privacy rights.
Proxy Requests
Requests made by a California resident’s proxy will follow the same Verification Process as above. If you are submitting a request through a proxy, the proxy must provide documentation proving they have your permission.
Sales and Sharing of Information of California Residents
We do not sell or share your Personal Data, including Personal Data of minors under the age of 16, with third parties for any purpose other than to provision services to you, and which are in line with our Privacy Policy. To exercise your right to opt out, click here.
PERSONAL DATA EXEMPT FROM CALIFORNIA CONSUMER PRIVACY ACT
Certain types of Personal Data are exempt from the CCPA. If you submit a request regarding your Personal Data, and in our sole opinion we believe that your Personal Data is either in part or in whole exempt from the CCPA we will inform you as such. Examples include Personal Data that is processed under the following laws or obligations:
- Our compliance with federal, state, or local laws, compliance with a court order or subpoena to provide information, or cooperating with law enforcement and regulatory agencies in conducting investigations
- Health Insurance Portability and Accountability Act (HIPAA)
- Confidentiality of Medical Information Act
- Gramm-Leach-Bliley Act
- California Financial Information Privacy Act
For a full list of the exemptions please visit California Consumer Privacy Act Section 1798.145.
QUESTIONS AND COMPLAINTS
For more information about your privacy rights, or if you are not able to resolve a problem directly with us and wish to make a complaint, you can contact the California Attorney General.
CONTACT US
If you have any questions about this Notice or our data practices, you can write to us at:
ID Business Solutions Limited
Attn: Data Privacy Office
IDBS
SPACE,
68 Chertsey Rd,
Woking
GU21 5BJ
United Kingdom
Alternatively, you can email us directly at privacy@idbs.com.
WE MAY UPDATE THIS NOTICE
From time to time we may change this Notice. The most updated copy will be found on our website. Please check our site periodically for updates.
Identity and Contact Information | |||
---|---|---|---|
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
First and last name, email address, postal address, phone number, job title, professional license numbers, account username and password, IP address, and national provider identifier or state license number | Directly from you; from your devices; from our business partners; from publicly available sources; from your HCP; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to offer or provide our products and services; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; promoting quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Demographic Information | |||
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
Age, gender, marital status, disability, and date of birth | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Commercial and Financial | |||
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
Transaction records, products and services (purchased, obtained, or considered), requested documentation, customer service records, financial transaction history, transfers of value, and financial account number | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Professional and Educational Information | |||
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
Job title or position, employer, National Provider Identifier number, work skills, employment history, graduate degree, certification, specialized training, responses to surveys and questionnaires, and enrollment history for our education and training events, LinkedIn profile | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Technical Information | |||
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
IP addresses, browser type, browser language, device type, advertising IDs associated with your device (such as Apple’s Identifier for Advertising (IDFA) or Android’s Advertising ID (AAID)), the date and time you use our products and services, Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our products and services, activity on our products and services and referring websites or applications, data collected from cookies or other similar technologies, and geolocation information | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting in medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
Health Information | |||
Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
Information regarding your treatment, including your date of birth, sex/gender, treatment dates, medical history, and treatment information, patient-reported outcome measures (e.g., responses to questionnaires and surveys), X-rays, magnetic resonance imaging, medical scans, user activity, pictures and videos of treatment activities, therapy completion and use details, and communications with your Healthcare Provider and/or patient, including audio and/or video from telehealth sessions, allergy information; Medical Insurance Information and details pertaining thereto. | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of IDBS as detailed here; | To provide you with our Products and Services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our Products and Services; to improve our Products and Services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
If you are a patient based in the US, please note that this Policy is distinct from your Healthcare Practitioner’s HIPAA Notice of Privacy Practices, which describes how your HCP uses and discloses individually identifiable information about your health that it collects, as well as any other privacy practices it applies. Personal Data we receive on behalf of your Healthcare Practitioner is not subject to this Policy.
AGGREGATED, ANONYMIZED AND DE-IDENTIFIED DATA
IDBS may process anonymized/de-identified data. This is data for which the characteristics that can identify you, directly or indirectly, have been removed such that you are no longer identifiable, and this information is no longer considered Personal Data under data protection laws. This includes in the United States the removal of identifiers from protected health information required under HIPAA, 45 CFR § 164.514(b)(2), for such data to be considered deidentified. We rely on our legitimate business interest, scientific or historical research and/or statistical purposes, consent or other purposes that may be required or allowed by law as the legal basis to anonymize Personal Data.
We may also obtain and use certain types of combined data sets such as demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate certain information technology-related data of yours with others’ data to calculate the percentage of users accessing a specific feature on our website. We may use Aggregated Data for any purpose without restriction. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.
COMBINING INFORMATION
We combine information we collect on the website with information we receive from you in person, by email, or by other forms of communication. We also combine information you provide with information we obtain from third parties, service providers, publicly available sources and our subsidiaries, affiliates or related companies.
INFORMATION COLLECTED FROM CHILDREN
Our sites and apps are meant for adults. We do not knowingly collect Personal Data from children 17 years old or younger without permission from a parent or legal guardian. If you are a parent or legal guardian and think your child has given us information, you can email or write to us using the details in the ‘Contact Us’ section below.
INFORMATION STORAGE
We may transfer your information to, and process and store it in, the US, Canada, India, European Union member states, the United Kingdom, or other countries. Our affiliates or other third-party service providers may also transfer, process, or store your information in the US or other countries. Our sites and businesses may be subject to US laws, which may not afford the same level of protection as those in your country.
CROSS BORDER DATA TRANSFERS
We may transfer your Personal Data to recipients in countries other than the country in which your Personal Data was originally collected. When we transfer your Personal Data in such a manner, we take steps for your data to be protected consistent with the laws and requirements in your country, including the requirements that apply to cross-border data transfers. We implement appropriate technical and organizational measures to provide a level of security appropriate to the risk of protecting your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. As is the case with all websites, applications, products, and services, we unfortunately cannot guarantee security of the data collected at all times.
SALE OR TRANSFER OF DATA
If we are involved in a sale or transfer of all or some of our business assets or operations via a share or asset transaction, your personal data may be transferred to the acquiring organization who will be required to take at least the same or higher standards of care in the treatment of your Personal Data. Should such a sale or transfer occur, if required by law, you will be informed about this and may withdraw your consent to or, as applicable, instigate any other legally available rights as detailed in the “Rights and Choices” section of this Policy with regards to the processing and use of your Personal Data by the transferee.
COOKIES, WEB BEACONS AND OTHER TRACKING TOOLS
As outlined in the table above, your interaction with our websites is an additional source for collecting your information. We may use “cookies”, web beacons, and other technologies to help us evaluate and improve the content or functions of the products or services we provide. We collect your information through several methods:
- Web beacons
- Pixels
- Tags
- Tracking Cookies
- Marketing Cookies
- Analytic Cookies
- Social Media Cookies
Our Cookie Policy provides more detailed information about this topic and how we use cookies to enhance your experience and better serve you.
THIRD PARTY LINKS AND TOOLS
We may link to other sites or apps on our platforms that we do not control. If you click on a third-party link, you will be taken to a platform we do not control. This policy does not apply to the privacy practices of that website or platform. Read other companies’ privacy policies carefully. We are not responsible for these third parties. Our site may also serve third party content that contains their own cookies or tracking technologies. We do not control the use of those technologies.
DATA RETENTION
We will retain Personal Data for as long as is necessary to carry out the purposes the Personal Data was collected for or for the period prescribed by applicable laws, whichever is longer. In considering how long to retain your Personal Data the following are considered:
- The potential risk of harm if the data was subject to unauthorized use or disclosure;
- The volume and sensitivity of the Personal Data;
- Applicable legal requirements; and
- If circumstances have changed such that the purposes for which the Personal Data was collected can be achieved by other means.
When the retention of your Personal Data is no longer required we will delete or anonymize the data as per the details provided above.
YOUR RIGHTS AND CHOICES
Some jurisdictions have provided individuals with rights in relation to the processing of their Personal Data. These rights are not available to everyone, and they do not necessarily apply in all contexts. Depending on the applicable law or the legal basis, you may have the right to:
- Object to the processing of your Personal Data;
- Request access to your Personal Data;
- Request correction of your Personal Data should your Personal Data be inaccurate, incomplete, or obsolete;
- Request erasure/deletion of your Personal Data;
- Withdraw your consent to future processing where we processed Personal Data on the basis of your consent;
- Request restrictions on the processing of your Personal Data, including restricting the sale of or sharing of your Personal Data;
- Request the transfer of your Personal Data to yourself or a third party;
- Opt-out of certain transfers to third parties.
To exercise a right that you believe you may be entitled to under applicable law you can contact us directly by email at privacy@idbs.com or in writing at:
ID Business Solutions Limited
Attn: Privacy
IDBS
SPACE,
68 Chertsey Rd,
Woking
GU21 5BJ
United Kingdom
We may need to verify your identity before we fulfil your request or, under applicable law, we may refuse to action your submission. We shall notify you in a timely manner of such decisions or requirements as necessary.
California Residents. Our California Consumer Rights Notice provides an overview of how consumers in California receive certain privacy rights and protections.
Filing a Complaint. If you are not able to resolve a problem directly with us and wish to make a formal complaint, you can contact your local data protection authority or other enforcement authority.
CONTACT US
If you have any questions about this Policy or our data practices, you can write to us at:
ID Business Solutions Limited
Attn: Privacy
IDBS
SPACE,
68 Chertsey Rd,
Woking
GU21 5BJ
United Kingdom
Alternatively, you can email us directly at privacy@idbs.com.
POLICY UPDATES
From time to time we may change our privacy policies. The most updated copy will be found on our website. Please check our site periodically for updates.
APPENDIX 1
Click here for a table of applicable controllers and responsible entities.