Medocity is not responsible in any way for Third-Party Devices as it is not a reseller or manufacturer of Third-Party Devices. The information, software, data, or other contents (including opinions, claims, comments) connected to Third-Party Devices belong solely to the companies or individuals responsible for same and are not and cannot be attributed to Medocity in any way. Medocity does not warrant the accuracy of Third-Party Devices, nor is Medocity in any way responsible for, nor does it endorse, the information, software, data, and/or privacy policies, etc., related to or pertaining to Third-Party Devices.
Personal Information We Collect
Information You Choose for Us to Collect
We collect information you choose to submit through your use of our Services that personally identifies you, such as your name, telephone number, email address, date of birth and other data which can be reasonably linked to such information (“Personal Information”) only if you choose to share such information with us. For example, you will be required to provide us with certain Personal Information to register with the Services, sign up for certain features available through the Services (such as push notifications, text messages and other communications services which may offer you the ability to share information with third parties, such as health care professionals), and at other times. The decision to provide this information is optional; however, if you decide not to register or provide such information, you may not be able to use some or all of the features of the Services. Further, Medocity may offer location-enabled services, for example to locate a nearby doctor or pharmacy. If you use those services, Medocity may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID). You will have the option to disable collection and use of location information. However, doing so may prevent you from using some features of the Services, or limit the function of some features.
Medocity offers you the ability to share your Health Information through use of its Services. “Health Information” includes both Protected Health Information (PHI) and Additional Health Information. “Protected Health Information” is personally identifiable information which relates to your health or payment for your health that is created or received by an entity covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), such as a third-party health care professional providing services to you through the Services. Protected Health Information includes the combination of your Personal Information and personal health information, such as medical records, medical history and/or information regarding a condition or treatment (e.g. information about symptoms, prescriptions, allergies, diagnoses and outcomes or side effects of treatment). “Additional Health Information” is all other personal health information that is not Protected Health Information, generally because such information was not created or received by a HIPAA-covered entity.
When you use the Services, you expressly authorize the sharing of your Health Information with anyone who is part of your Services team and is also a user of the Services, which may include one other or multiple other user(s) of the Services, e.g., your caregiver(s) and your healthcare professional(s) – all of whom, along with you, may update your Health Information at any time.
If you allow someone to access your account, you do so at your sole risk and may risk exposing your Health Information. Medocity does not know and cannot control how anyone else to whom you give access to your account and/or with whom you share your Health Information may use your Health Information or account. Health Information you provide to others may not be protected, kept private, or be secure. You are solely responsible for all use of your account, by yourself or anyone whom you permit to use it. Medocity will not be liable for any disclosure or use of Health Information or other information by you or anyone using your account with your permission.
You should not upload any Health Information regarding any person other than yourself without that person’s prior express consent. You must obtain the consent of your family member or any other person before you submit or share Health Information about that person. By submitting or sharing Health Information about a family member or anyone else, you represent and warrant that you have obtained that person’s express consent to do so or that you otherwise have the legal authority to do so (e.g., because that person is a minor and you are the parent or legal guardian).
Information We Automatically Collect
We automatically collect information that does not reflect or reference an individually identifiable user (“Non-Personal Information”) to help us understand how our users use the Services. Like most websites, we automatically collect and use the data contained in log files. The information in the log files may include the IP address of the computer or server that you are using to access the Services, the IP address and/or the URL from the website you visited just before you visited our Services, the URL of the page you visit upon leaving the Services, if any, and the type of browser and operating system you are using. This anonymous usage information may be associated with your username and profile, but Medocity does not disclose the associated information to third parties.
Cookies and Web Beacons
How We Use Your Information
We may use Personal Information, Health Information and Non-Personal Information for the purposes intended by the Services, including: to communicate with you and your health care professionals, to notify you of new products or services, to send service notifications, to customize the content you see, to fulfill your requests for products and services, to improve the Services, to conduct research, to solicit your feedback and input about the Services and/or to provide more relevant products and services on or through the Services. Such information may be combined with data collected from other sources so that we may further improve the relevance of products and services offered on or through the Services.
We may use Personal Information and Health Information to facilitate health care services offered on or through the Services, and we may disclose such information to third-party health care professionals with whom you choose to communicate.
Communicating with You
By becoming a user of Medocity Services and providing your mobile number and/or email address, certain features of the Services will be provided to you via your mobile phone or other mobile device which may include: the ability to upload content to Medocity Services, download applications, and receive email, short message service (SMS), text message communications and mobile push notifications, each of which is not encrypted (“Mobile Features”). Standard messaging, data and/or other fees may be charged by your carrier. You can opt out of receiving email, SMS/text messages, and mobile push notifications. Although unlikely, it is possible for these communications to be intercepted or accessed without your authorization, and by using the Services, you release Medocity from any liability arising from or related to any such interception or unauthorized access. You can opt out by changing your profile settings within the Services or by notifying your healthcare provider. You agree to notify Medocity of any changes to your mobile number and email by updating your Medocity Services account to reflect any changes.
Communicating with Your Health Care Professionals
Services concerning you may be accessed by the third-party health care professionals and caregivers who are linked to your account, and by Medocity service providers, affiliates, representatives and assigns, all of whom may: send and receive reminders, alerts or other service-related information via email and/or push notifications or the like, i.e., utilize Mobile Features to notify and be notified of information about you. The use of Mobile Features may include the sharing of your Personal Information and Health Information. Although unlikely, it is possible for these communications to be intercepted or accessed without your authorization, and by using the Services, you release Medocity from any liability arising from or related to any such interception or unauthorized access.
In addition, from time to time, we may establish a business relationship with other persons or entities whom we believe trustworthy and whom we have asked to confirm that their privacy practices are consistent with ours (“Service Providers”). For example, we may contract with Service Providers to provide certain services, such as hosting and maintenance, data storage and management services and marketing and promotions. We provide our Service Providers with the information reasonably necessary for them to perform these services. Each Service Provider must agree to implement and maintain reasonable security procedures and practices appropriate to the nature of the information involved in order to protect your information from unauthorized access, destruction, use, modification or disclosure.
We may use, and disclose to third parties, certain Non-Personal Information regarding the Services (e.g., the total number of persons using particular medications, the aggregate number of inquiries from a particular geographic location, etc.). However, such information does not identify you individually.
Please be advised that, whenever you voluntarily post information to any public forum such as a bulletin board, blog, community or related interactive area of the Services, collectively “Public Posts”, such information can and may be accessed by the public. This means that any person or entity with access to such information can potentially use it for any purpose, including to send unsolicited communications.
Information that we collect is stored on servers that Medocity manages, using standard security procedures and practices appropriate to the nature of the information in an effort to protect information from unauthorized access, destruction, use, modification or disclosure. However, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through the Services, we cannot and do not guarantee or warrant the security of any information you transmit on or through the Services, and you do so at your own risk.
You are not to provide to Medocity (and Medocity does not knowingly collect) Personal Information or Health Information from children under the age of 13. If Medocity becomes aware that we have inadvertently received Personal Information or Health Information from or about children under the age of 13, Medocity will delete such information from its records.
“Data Controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” is an identified or identifiable natural living person.
“GDPR” is the European Union’s General Data Protection Regulation.
“Personal Data” is any information that relates to a living individual who can be identified from that information. Under GDPR this data is known as “Personally Identifiable Information”.
“Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
“Data Processor” is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the data controller.
“Special Categories of Personal Data” means information about an individual’s racial or ethnic origin, Criminal Records Data, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data, and is a form of Personal Data.
“Criminal Records Data” means information about an individual’s criminal convictions and offenses, and information relating to criminal allegations and proceedings.
Medocity processes Personal Data in accordance with the following data protection principles:
- Process Personal Data fairly, lawfully, and in a transparent manner.
- Collect Personal Data only for specified, explicit and legitimate purposes.
- Process Personal Data only where it is adequate, relevant and limited to what is necessary for the purposes of Processing.
- Keep accurate Personal Data and take all reasonable steps to ensure that inaccurate Personal Data is rectified or deleted without delay.
- Keep Personal Data only for the period necessary for Processing.
- Adopt appropriate measures to make sure that Personal Data is secure, and protected against unauthorized or unlawful Processing, and accidental loss, destruction or damage.
Medocity takes responsibility for how it acquires, processes, and disposes of Personal Data, and for ensuring compliance with the above principles.
Where considered the Data Controller, Medocity tells individuals the reasons for Processing their Personal Data, how it uses such data and the legal basis for Processing in its privacy notices, and does not process Personal Data of individuals for other reasons. Where Medocity relies on its legitimate interests as the basis for Processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals. Medocity will update Personal Data promptly if an individual advises that his/her information has changed or is inaccurate.
Where considered the Data Processor or sub-processor, Medocity will only process the Personal Data in accordance with the applicable laws, rules, regulations, and as specifically directed by the data controller.
Personal Data gathered during employee and contractor relationships is held in the individual’s personnel file, in hard copy or electronic format and on Medocity HR systems. The periods for which Medocity holds such HR-related Personal Data are contained in its privacy notices issued to individuals.
Medocity operations and maintenance contractors sometimes have limited access to Personal Data in the course of providing products or services to Medocity. Access to Personal Data by these contractors is limited to that which is reasonably necessary for the contractor to perform its limited function for Medocity. Medocity requires its operations and maintenance contractors to: (1) protect the privacy of any Personal Data consistent with this notice, and (2) not use or disclose Personal Data for any purpose other than providing Medocity with products and services, as required by law.
Medocity keeps a record of its Personal Data Processing activities in accordance with the requirements of the privacy laws (such as GDPR, CCPA).
As a data subject, individuals have a number of rights in relation to their Personal Data.
Individuals have the right to know what Personal Data about them is being controlled and processed by Medocity and to ensure that such Personal Data is accurate and relevant for the purposes for which Medocity collected it. If an individual makes a reasonable request, Medocity will tell him/her:
- whether or not his/her data is processed and if so why, the categories of Personal Data concerned and the source of the data if it is not collected from the individual;
- to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long his/her Personal Data is stored (or how that period is decided);
- his/her rights to rectification or erasure of data, or to restrict or object to Processing;
- his/her right to complain to the relevant data privacy supervisory authority if he/she thinks Medocity has failed to comply with his/her data protection rights; and
- whether or not Medocity carries out automated decision-making and the logic involved in any such decision-making.
Medocity will also provide the individual with a copy of the Personal Data that has been collected during Processing. This will normally be in electronic form if the individual has made a request electronically, unless the individual requests otherwise.
If the individual requires additional copies, Medocity may charge a reasonable fee, which will be based on the administrative costs of providing the additional copies.
To make a subject access request, the individual should email firstname.lastname@example.org and email@example.com directly. Medocity is legally required to ask for proof of identification before the request can be processed. Also, in some cases, Medocity may need to contact the data controller if Medocity is the Data Processor (or sub-processor), if applicable.
Medocity will normally respond to a request within a period of one month from the date it is received. In some cases, such as where Medocity processes large amounts of the individual’s data, it may respond within three months of the date the request is received. Medocity will write to the individual within one month of receiving the original request to tell him/her if this is the case.
If a subject access request is manifestly unfounded or excessive, Medocity is not obliged to comply with it. Alternatively, Medocity can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. An example of when a subject access request is likely to be considered manifestly unfounded or excessive is where a request to which Medocity has already responded is repeated. If an individual submits a request that is unfounded or excessive, Medocity will notify him/her that this is the case and whether or not it will respond to it.
Individuals have several other rights in relation to their Personal Data. Individuals can require Medocity to:
- inform them about the collection and use of their Personal Data;
- rectify inaccurate Personal Data;
- stop Processing or erase Personal Data that is no longer necessary for the purposes of Processing;
- continue to store their Personal Data but not use it;
- respect an individual’s right to object to the Processing of their Personal Data in certain circumstances such as for direct marketing;
- provide them with their Personal Data in a portable form, so that it can be easily transferred to another IT environment. We would usually fulfil this request by providing the data in the form of a “comma-separated-values” (csv) file;
- respect an individual’s rights related to automated decision making based on their Personal Data;
- stop Processing or erase Personal Data if the individual’s interests override Medocity’s legitimate grounds for Processing Personal Data (where Medocity relies on its legitimate interests as a reason for Processing Personal Data);
- stop Processing or erase Personal Data if Processing is unlawful; and
- stop Processing Personal Data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override Medocity’s legitimate grounds for Processing Personal Data.
To ask Medocity to take any of these steps, the individual should email firstname.lastname@example.org and email@example.com directly, or contact a Medocity HR representative, or the data privacy officer, as the case may be.
EU Persons (EU Data Subjects) may complain to their home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms.
If you have a comment or concern that cannot be resolved with us directly, you may also contact the competent local data protection authority.
Medocity takes the security of Personal Data seriously. Medocity has internal policies and controls in place to protect Personal Data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where Medocity engages third parties to process Personal Data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
Medocity recognizes potential liability in cases where Personal Data may be transferred to third parties. Medocity will not transfer any Personal Data to a third party without first ensuring that the third-party adheres to principles or similar laws providing an adequate and equivalent level of protection. Medocity does not transfer Personal Data to unrelated third parties, unless lawfully directed by a client or another data controller. For example, such circumstances would include disclosures of a client’s Personal Data required by law or legal process, or disclosures made in the vital interest of an identifiable person such as those involving life, health or safety. In the event that Medocity is requested to transfer Personal Data to an unrelated third party, Medocity will ensure that such party provides an adequate and equivalent level of protection. Should Medocity learn that an unrelated third party which received Personal Data from Medocity is using or disclosing Personal Data in a manner contrary to this notice, Medocity will take reasonable steps to prevent or stop the use or disclosure.
If you have a comment or concern related to data security, please write to the Chief Security Officer (Security@medocity.com).
Some of the Processing that Medocity carries out may result in risks to privacy. Where Processing would result in a high risk to individuals’ rights and freedoms, Medocity will carry out data integrity & data privacy assessments to determine the necessity and proportionality of Processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
If Medocity discovers that there has been a breach of Personal Data that poses a risk to the rights and freedoms of individuals, it will notify the GDPR supervisory authority and the data subject(s) without undue delay (within 72 hours to the EU DPA / supervisory authority and within 60 days to data subjects).
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Personal Data controlled or processed by Medocity may be transferred to countries outside the EEA.
Medocity assures compliance with this notice by utilizing Standard Contractual Clauses, as applicable, and fully investigating and attempting to resolve any complaint or dispute regarding the use and disclosure of Personal Data in violation of this notice.
Data Protection & Privacy Officer
1 Upper Pond Road
Building D, Floor 3
Parsippany, NJ 07054
Medocity employees may have access to the Personal Data of other individuals and of our customers and clients in the course of their employment. Where this is the case, Medocity relies on individuals to help meet its data protection obligations to staff and to customers and clients.
Employees who have access to Personal Data are required:
- to access only data that they have authority to access and only for authorized purposes;
- not to disclose data except to individuals, whether inside or outside Medocity, who have appropriate authorization;
- to keep data secure, for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction;
- not to remove Personal Data, or devices containing or that can be used to access Personal Data, from Medocity premises without adopting appropriate security measures such as encryption or password protection to secure the data and the device;
- not to store Personal Data on local drives or on personal devices that are used for work purposes; and
- to report data breaches of which they become aware to the data protection officer (at firstname.lastname@example.org) immediately.
Failing to observe these requirements may amount to a disciplinary offense / sanction, which will be dealt with under Medocity’s Incident Management procedure.
Medocity will provide training to all employees about their data protection responsibilities and Security Awareness Trainings as part of the induction process and at regular intervals thereafter.
Employees whose roles require regular access to Personal Data, or who are responsible for implementing this notice or responding to subject access requests under this notice, will receive additional training to help them understand their duties and how to comply with them.
We do not sell personal data about California residents.
Subject to certain exceptions, California residents have the right to make the following requests, at no charge:
Copy: You may request, up to twice every 12 months, a copy of the specific pieces of personal data that we have collected, used or disclosed about you in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows you to transmit this information to another entity without hindrance.
Deletion: You may request deletion of your personal data that we have collected about you.
Know: You may request, up to twice every 12 months, that we provide you certain information about how we have handled your personal data in the prior 12 months, including the:
- categories of personal data collected;
- categories of sources of personal data;
- business and/or commercial purposes for collecting your personal data;
- categories of third parties with whom we have disclosed or shared your personal data; and
- categories of personal data that we have disclosed or shared with a third party for a business purpose.
You have the right to be free from unlawful discrimination for exercising your rights under the California Consumer Privacy Act.
Effective Date: 30-April-2022