Elucid Data Privacy Framework Program
Last updated August 23rd, 2024
Data Privacy Framework
Elucid Bioimaging Inc., (“Elucid,” “we,” “our,” and “us”), complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Elucid has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Definitions
“Data Subject” means the individual to whom any given Personal Data covered by this Data Privacy Framework refers.
“Personal Data” means any information relating to an individual residing in the European Union that can be used to identify that individual either on its own or in combination with other readily available data.
“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
Scope and Responsibility
Data processed: Elucid complies with the Data Privacy Framework regarding the collection, use, and retention of personal information transferred from European Economic Area (EEA) member countries to the U.S. pertaining to:
Customer Data:
We may collect Personal Data from individual customers when they purchase our products/services, visit our websites (including www.elucid.com) (“Site”), register on our Site, utilize other activities, services, features, or resources we make available on our Site, or when they request information or otherwise communicate with us.
The Personal Data we collect may vary based on the individual customer’s interaction with our Site, other requests for services, and other means of communication. As a general matter, Elucid collects the following types of Personal Data from its individual customers: name, email address, mailing address, phone number, company and job title. Elucid does not collect any Sensitive Personal Data from its customers. Users of our website may, however, visit our Site anonymously. We will collect Personal Data from customers only if they voluntarily submit such information to us. Customers can always refuse to supply Personal Data, except that it may prevent them from engaging in certain Site related activities.
We may collect non-personal identification information about Site users whenever they interact with our website. Non-personal identification information may include the browser name, the type of computer and technical information about Site users’ means of connection to our website, such as the operating system and the Internet service providers utilized and other similar information.
Our Site may use “cookies” to enhance user experience. A user’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.
How we use customer data:
Elucid may collect and use customers’ Personal Data for the following purposes:
- To deliver and provide services, to maintain and support our products, software and services, to comply with our contractual obligations related thereto, or to communicate for the purpose of engaging in contractual relations.
- To improve our products, software and services – We continually strive to improve our software, algorithms and features based on the data, information and feedback we receive, and we conduct research and development activities using such data, information and feedback.
- To improve customer service – Your information helps us to more effectively respond to your customer service requests and support needs.
- To send periodic emails – The email address customers provide will only be used to respond to their inquiries, and/or other requests or questions. Customers will only be sent marketing material if they provide their consent to the receipt of such material.
- To otherwise comply with applicable legal or regulatory requirements
- If we use your Personal Data for a purpose that is materially different than the purpose for which it was collected, we will provide you with the opportunity to opt out.
How we protect customer data:
We adopt appropriate data collection, storage and processing practices, and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information and data stored on our infrastructure. Some examples of security measures include:
- Encrypting personal data when it is stored at rest.
- Encrypting personal data when we transmit such information over the internet
- Proactively identifying and managing vulnerabilities to our systems
- Ensuring important data is appropriately backed up
- Requiring that our business partners and service providers protect personal data from unauthorized access, use and disclosure
How we protect Personal Health Information:
Elucid is a provider of medical image processing software and services. For certain Elucid products, we serve as a service provider, which may require remote access from the United States to Personal Health Information (PHI) and/or Personal Identification Information of customers’ patients in the EEA. In such cases, we may be acting as a data processor and our customers – as data controllers. We will process the PHI on behalf of and under the direction of the data controller and will process PHI only as needed to provide services to the data controller and fulfill contractual obligations.
We have implemented physical, administrative and technical measures and have trained our employees on the necessity of confidentiality.
Elucid commits to compliance with strict data confidentiality principles and practice with respect to PHI and PII made available by, or received from, our customers and has implemented measures to assist customers with compliance to data security requirements.
Elucid has implemented stringent requirements within the company to handle PHI and PII data if made available or obtained by us. Training on procedural instructions specifying how to handle confidential data (such as PHI) is provided to applicable employees, who also sign a statement confirming their understanding of the requirements. Elucid assists customers in securely transferring confidential data via an encrypted TLS transmission to the company, if there is a concern with the product. In addition to these measures, the company has a robust firewall to electronically protect company computers and servers, with access strictly restricted to authorized personnel only with unique login credentials.
Third Parties:
We do not sell, trade, or rent Personal Data to any other third parties. We may transfer Personal Data to third party agents or service providers for the purposes outlined above. Where required by Data Privacy Framework, we enter into strict confidentiality agreements with those third-party agents and service providers requiring them to provide the same level of protection the Data Privacy Framework requires and limiting their use of the data to the specified services on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EEA Personal Data in accordance with our Data Privacy Framework obligations and to stop and remediate any unauthorized processing.
We may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them, unless the third party is directly responsible contractually or in tort liability for the event giving rise to the damage.
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security, law enforcement, or other governmental requirements.
Data Privacy Framework:
Elucid commits to subject to the Data Privacy Framework Principles all Personal Data received by Elucid in the U.S. from European Union member countries in reliance on the respective Data Privacy Framework.
- Notice
Elucid notifies Data Subjects covered by this Data Privacy Framework about its data practices regarding Personal Data received by Elucid in the U.S. from European Union member countries and in reliance on the respective Data Privacy Framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Elucid offers for limiting its use and disclosure of such Personal Data, how Elucid’s obligations under the Data Privacy are enforced, and how Data Subjects can contact Elucid with any inquiries or complaints.
- Choice
If Personal Data covered by this Data Privacy Framework is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, Elucid will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: customersupport@elucid.com
If Sensitive Personal Data covered by this Data Privacy Framework is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, Elucid will obtain the Data Subject’s explicit consent prior to such use or disclosure.
- Accountability for Onward Transfer
In the event we transfer Personal Data covered by this Data Privacy Framework to a third party acting as a controller, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Data Privacy Framework Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Elucid has knowledge that a third party acting as a controller is processing Personal Data covered by this Data Privacy Framework in a way that is contrary to the Data Privacy Framework Principles, Elucid will take reasonable steps to prevent or stop such processing.
With respect to our agents, we will transfer only the Personal Data covered by this Data Privacy Framework needed for an agent to deliver to Elucid the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Elucid’s obligations under the Data Privacy Framework Principles; and (iv) require the agent to notify Elucid if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.
Elucid remains liable under the Data Privacy Framework Principles if an agent processes Personal Data covered by this Data Privacy Framework in a manner inconsistent with the Principles, except where Elucid is not responsible for the event giving rise to the damage.
- Security
Elucid takes reasonable and appropriate measures to protect Personal Data covered by this Data Privacy Framework from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
- Data Integrity and Purpose Limitation
Elucid limits the collection of Personal Data covered by this Data Privacy Framework to information that is relevant for the purposes of processing. Elucid does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject. Elucid takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Elucid takes reasonable and appropriate measures to comply with the requirement under the Data Privacy to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes Elucid’s obligations to comply with professional standards, Elucid’s business purposes and unless a longer retention period is permitted by law, and it adheres to the Data Privacy Framework Principles for as long as it retains such Personal Data.
- Access
Data Subjects whose Personal Data is covered by this Data Privacy Framework have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: customersupport@elucid.com
- Recourse, Enforcement, and Liability
Elucid’s participation in the EU-U.S. Data Privacy Framework is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the EU-U.S. Data Privacy Framework program’s Principles, Elucid commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union individuals with DPF inquiries or complaints should first contact Elucid at: customersupport@elucid.com
Elucid has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
Changes to this Data Privacy Framework:
This Data Privacy Framework may be amended from time to time consistent with the requirements of Data Privacy.