EU-US & Swiss-US Privacy Shield
Privacy Shield Policy 1. EU-U.S. & Swiss-US PRIVACY SHIELD POLICY
DoctorSmartAI respects the privacy of its customers, employees, business partners, individuals whose personal information with which we are entrusted, and others. DoctorSmartAI collects and uses any collected personal health information in accordance with the laws and regulations of the countries in which the information is collected, and in which it does business.
In the course of our business, it is necessary for us to access, collect, process, use, transmit, disclose, store and otherwise handle personal data (defined below) about individuals. This Policy provides the basis for protecting such data while ensuring compliance with legal requirements. The United States Department of Commerce, and the European Commission, have agreed on a set of data protection principles and frequently asked questions (the "EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield") to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection be given to personal information transferred from the EU to the United States. The EEA also has recognized the Privacy Shield as providing adequate data protection. 3. SCOPE
This Policy applies to all personal data accessed, collected, processed, used, transmitted, disclosed, or stored (hereinafter collectively referred to as "processed") in any format including electronic, paper or verbal by DoctorSmart AI. All employees, whether permanent, temporary or on contract or third parties working on behalf of us shall adhere to this Policy. 4. POLICY
We are committed to using reasonable commercial measures to ensure the safeguarding of personal data of individuals and that such data is used only as intended and that precautions preventing misuse are both effective and appropriate. Personal data must therefore be:
(a) Accessed, used and disclosed fairly and lawfully;
(b) Obtained for specified business and/or legal purposes and not used or disclosed in a way which is incompatible with the purpose(s) for which it was collected;
(c) Adequate, relevant and not excessive for the purpose(s) for which it is collected or maintained;
(d) Accurate and, where necessary, kept up to date;
(e) Not kept for longer than is necessary to fulfill the purpose(s) it is used for, subject to the Company's document retention policy;
(f) Used and disclosed in accordance with relevant legal requirements;
(g) Appropriately protected against unauthorized, inadvertent or illegal access, use and/or disclosure through administrative, technical and physical safeguards; and
(h) Restricted to designated countries unless the rights and freedom of individuals are protected therein.
We may collect the following examples of personal data: full name, address, telephone or mobile number, business and home contact details including e-mail addresses and telephone numbers, health information, medication adherence information, video information including images of a user's face, audio information, and demographic information. Personal data may further include any information that identifies an individual, but does not include information that has been encoded, encrypted, or otherwise anonymized.Data that may be collected will be used for the purpose of supporting clinical research or programs supporting population health management, and for maintaining and improving Company internal systems and offerings. 6. HOW WE COLLECT PERSONAL DATA AND HOW IT IS USED
Personal data may be made available for the purposes mentioned above to responsible management, human resources, accounting, audit, compliance, legal, information technology and other corporate staff who need to know these details for their functions within the Company, including maintenance and improvement of Company offerings, some of which may not be based in the US. The identity of personnel within the Company having access to personal data shall be controlled on the basis of business and security requirements, shall be consistent with the job requirements of such person having access, and shall be modified to the extent their job requirements change. Employees with access to personal data shall be made aware of their responsibilities for maintaining the privacy of that information, particularly regarding the protection of both hard-copy, soft-copy and electronic information. Personal data may also be made available to third parties providing relevant services under contract to us (see the protection of personal data section of this Policy below for further details), such as auditors and compliance managers, background verification, legal and IT hosting and maintenance providers. We must have appropriate security and privacy measures in place with such third parties covering how they hold and maintain any personal data that we provide to them.
Certain personal data will also be reported to government and regulatory authorities where required by law and for tax or other purposes. Personal data may also be released to external parties as required or permitted by employment or other statutes and regulations, or by legal process, as well as to parties to whom an individual authorizes us to release their personal data. Personal data may also be used internally to improve Company solutions, or otherwise improve Company's overall service offerings, the privacy of such data being maintained according to the terms of this Policy. We will not sell any personal data to any third party other than as part of any restructuring of the Company or sale of a relevant Company business. If we do provide any data to a third party, we will enter into a written agreement with the third party that requires the third party provide at least the same level of privacy and security protections as is implemented by Company.
DoctorSmart AI may be forced to disclose an individual's personal information when compelled by a lawful request made by a recognized public authority or where required to meet national security and or law enforcement requirements. DoctorSmart AI is subject to the investigatory and enforcement powers of the Federal Trade Commission ("FTC") and or the Food and Drug Administration ("FDA").
Personal Information may be shared with third party business entities. The entities to whom DoctorSmart AI may disclose personal information includes, but it is not limited to clinical trial sponsors and or their contracted agents as well as public health entities including but not limited to local, state or national health organizations.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, DoctorSmart AI is potentially liable. 8. PROTECTION OF PERSONAL DATA
We are committed to ensuring that personal data is secure. In order to prevent unauthorized loss, alternation, destruction, access, use or disclosure, we have put in place and will maintain suitable physical, administrative and technical safeguards to secure the data we process. Where appropriate and consistent with the risk, personal data shall be kept securely. Access to information systems containing personal data shall be controlled, at a minimum, by an individual user identification and password with appropriate requirements for re-logging after passage of an inactive time and/or use of password-protected screensavers. Firewall protection and operating system patches shall be installed on all computers containing personal data. Up-to-date versions of security agency software, including malware, patches and antivirus and pest patrol shall be installed on all computers containing personal data. All items of equipment containing storage media shall be checked to ensure that any personal data has been removed or securely overwritten prior to disposal. Personal data that is transmitted across public networks or wirelessly or stored on portable devices shall be encrypted.
Appropriate contractual arrangements shall be implemented for the responsibility and physical protection of personal data when such information is made available to third parties. Personal data, other than that normally required by mobile users, shall only be taken off site as necessary. Any member of staff using personal data when working from home or during off-site meetings should take necessary precautions to ensure its security, including not leaving such information unattended. Any member of staff dealing with telephone inquiries should be careful about disclosing any personal information held by us.
Individuals whose personal information has been collected by DoctorSmart AI shall have the right to access that data for review, modification or deletion. Access to review, modify and or delete personal information or otherwise manage the use and disclosure of your personal data may be initiated by contacting Company: email@example.com
DoctorSmart AI will follow their corporate approved policies and procedures when handling any personal data requests. A formal request from an individual for information that we hold about them must be made in writing. A fee is payable by the data subject for provision of this information. Any member of staff who receives a written request should forward it to the Privacy Officer immediately. Individuals may opt out of providing personal data, upon request. To the extent that personal data has been collected, individuals have the right to review personal data held about them and have certain inaccurate information corrected, unless the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. If you wish to do so, or to notify us of a change in your details, please contact the Privacy Officer. 10. NOTICE
This policy may be amended from time to time, consistent with the requirements of the Privacy Shield Framework. A notice will be posted on our web page for 60 days whenever this policy is changed in a material way. 12. INDEPENDENT RECOURSE FOR PRIVACY COMPLAINTS
Please note the name of the website or other online resource to which you provided the information, as well as the nature of the information that you provided. Company will use reasonable efforts to respond promptly to requests, questions or concerns you may have regarding our use of personal information about you. Except where required by law, the Company cannot ensure a response to questions or comments regarding topics unrelated to this Policy or our privacy practices.
DoctorSmart AI has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/
for more information and to file a complaint.
Under certain limited conditions it is possible to seek recourse through last resort binding arbitration. 14. SWISS-US PRIVACY SHIELD
In compliance with the Swiss-US Privacy Shield Principles, DoctorSmart AI commits to resolve complaints about your privacy and our collection or use of your personal information.
DoctorSmart AI further commits to refer unresolved privacy complaints under the Swiss-US Privacy Shield Framework to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/eu-privacy-shield/for-eu-consumers
for more information and to file a complaint.