Elucid Data Privacy Framework Program  

Last updated August 4th, 2023

Data Privacy Framework
Elucid Bioimaging Inc., (“Elucid,” “we,” “our,” and “us”), complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Elucid has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Definitions
“Data Subject” means the individual to whom any given Personal Data covered by this Data Privacy Framework refers.

“Personal Data” means any information relating to an individual residing in the European Union that can be used to identify that individual either on its own or in combination with other readily available data.

“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.

Scope and Responsibility
Data processed: Elucid Bioimaging complies with the Data Privacy Framework regarding the collection, use, and retention of personal information transferred from EEA member countries to the U.S. pertaining to:

Customer Data:
We may collect Personal Data from individual customers when they purchase our products/services, visit our websites (including www.elucid.com) (“Site”), register on our Site, utilize other activities, services, features, or resources we make available on our Site, or when they request information or otherwise communicate with us.

The Personal Data we collect may vary based on the individual customer’s interaction with our Site, other requests for services, and other means of communication. As a general matter, Elucid Bioimaging collects the following types of Personal Data from its individual customers: name, email address, mailing address, phone number, company and job title. Elucid Bioimaging does not collect any Sensitive Personal Data from its customers. Users of our website may, however, visit our Site anonymously. We will collect Personal Data from customers only if they voluntarily submit such information to us. Customers can always refuse to supply Personal Data, except that it may prevent them from engaging in certain Site related activities.

We may collect non-personal identification information about Site users whenever they interact with our website. Non-personal identification information may include the browser name, the type of computer and technical information about Site users means of connection to our website, such as the operating system and the Internet service providers utilized and other similar information.

Our Site may use “cookies” to enhance user experience. User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

How we use customer data:
Elucid Bioimaging Inc. may collect and use customers’ Personal Data for the following purposes:

  • To deliver and provide products/services, to maintain and support our products, to comply with our contractual obligations related thereto, or to communicate for the purpose of engaging in contractual relations
  • To register with our Site
  • To improve our Site – We continually strive to improve our website offerings based on the information and feedback we receive from you.
  • To improve customer service – Your information helps us to more effectively respond to your customer service requests and support needs.
  • To send periodic emails – The email address customers provide will only be used to respond to their inquiries, and/or other requests or questions. Customers will only be sent marketing material if they provide their consent to the receipt of such material.
  • To otherwise comply with applicable legal or regulatory requirements
  • If we use your Personal Data for a purpose that is materially different than the purpose for which it was collected, we will provide you with the opportunity to opt out.

How we protect customer data:
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our infrastructure. Any sensitive private data exchange is transmitted over an encrypted SSL secured communication channel.

“Protected Health Information” is protected in two ways. First, secure SSL certificates validated by 3rd parties are used for network transfer, and second, data identifiers are separated between data and identifying information linked by anonymized keys.
Personal Health Information

Elucid Bioimaging sells medical image processing software. For certain Elucid Bioimaging products, Elucid Bioimaging serves as a service provider, which may require remote access from the United States to Personal Health Information (PHI) and/or Personal Identification Information of customers’ patients in the EEA. In such cases, we are acting as a data processor. We will process the PHI on behalf of and under the direction of the data controller and will process PHI only as needed to provide technical support services and fulfill contractual obligations.

How we protect Personal Health Information:
We have implemented physical, administrative and technical measures and have trained our employees on the necessity of confidentiality.
Elucid Bioimaging prohibits the practice of transferring, using and storing PHI and PII. Should the need arise to temporarily handle PHI or PII, Elucid Bioimaging adheres to strict data confidentiality procedures implemented within the company to de-identify PHI and PII data. Elucid Bioimaging commits to compliance with strict data confidentiality principles and practice and has implemented measures to assist customers with compliance to data security requirements.
Elucid Bioimaging has implemented stringent requirements within the company to handle PHI and PII data if made available or obtained by company. Training on procedural instructions specifying how to handle confidential data (such as PHI) is provided to applicable employees, who also sign a statement confirming their understanding of the requirements. Elucid Bioimaging assists customers in securely transferring confidential data via an encrypted SSL transmission to the company, if there is a concern with the product. The strict Company policy is to de-identify PHI data, removing patient identifying information, prior to transmitting securely via SSL encryption, which is stored in secure servers. In addition to these measures, the company has a robust firewall to electronically protect company computers and servers, with access strictly restricted to authorized personnel only with unique login credentials.

Third Parties:
We do not sell, trade, or rent Personal Data to any other third parties. We may transfer Personal Data to third party agents or service providers for the purposes outlined above. Where required by Data Privacy Framework, we enter into strict confidentiality agreements with those third-party agents and service providers requiring them to provide the same level of protection the Data Privacy Framework requires and limiting their use of the data to the specified services on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EEA Personal Data in accordance with our Data Privacy Framework obligations and to stop and remediate any unauthorized processing.

We may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them, unless the third party is directly responsible contractually or in tort liability for the event giving rise to the damage.
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security, law enforcement, or other governmental requirements.

Data Privacy Framework:
Elucid commits to subject to the Data Privacy Framework Principles all Personal Data received by Elucid in the U.S. from European Union member countries in reliance on the respective Data Privacy framework.

1. Notice
Elucid notifies Data Subjects covered by this Choice Data Privacy Framework about its data practices regarding Personal Data received by Elucid in the U.S. from European Union member countries and in reliance on the respective Data Privacy framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Elucid offers for limiting its use and disclosure of such Personal Data, how Elucid’s obligations under the Data Privacy are enforced, and how Data Subjects can contact Elucid with any inquiries or complaints.

2. Choice
If Personal Data covered by this Data Privacy Framework is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, Elucid will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: info@elucidbio.com

If Sensitive Personal Data covered by this Data Privacy Framework is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently
authorized, or is to be disclosed to a third party, Elucid will obtain the Data Subject’s explicit consent prior to such use or disclosure.

3. Accountability for Onward Transfer
In the event we transfer Personal Data covered by this Data Privacy Framework to a third party acting as a controller, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Data Privacy Framework Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Elucid has knowledge that a third party acting as a controller is processing Personal Data covered by this Data Privacy Framework in a way that is contrary to the Data Privacy Framework Principles, Elucid will take reasonable steps to prevent or stop such processing.

With respect to our agents, we will transfer only the Personal Data covered by this Data Privacy Framework needed for an agent to deliver to Elucid the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Elucid’s obligations under the Data Privacy Framework Principles;; and (iv) require the agent to notify Elucid if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.

Elucid remains liable under the Data Privacy Framework Principles if an agent processes Personal Data covered by this Data Privacy Framework in a manner inconsistent with the Principles, except where Elucid is not responsible for the event giving rise to the damage.

4. Security
Elucid takes reasonable and appropriate measures to protect Personal Data covered by this Data Privacy Framework from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

5. Data Integrity and Purpose Limitation
Elucid limits the collection of Personal Data covered by this Data Privacy Framework to information that is relevant for the purposes of processing. Elucid does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.
Elucid takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Elucid takes reasonable and appropriate measures to comply with the requirement under the Data Privacy to retain Personal Data in identifiable form only for as long as it serves a purpose of processing, which includes Elucid’s obligations to comply with professional standards, Elucid’s business purposes and unless a longer retention period is permitted by law, and it adheres to the Data Privacy Framework Principles for as long as it retains such Personal Data.

6. Access
Data Subjects whose Personal Data is covered by this Data Privacy Framework have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: info@elucidbio.com

7. Recourse, Enforcement, and Liability
Elucid’s participation in the EU-U.S. Data Privacy Framework are subject to investigation and enforcement by the Federal Trade Commission.
In compliance with the EU-US Data Privacy Framework program’s Principles, Elucid commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union individuals with DPF inquiries or complaints should first contact Elucid at: info@elucidbio.com

Elucid has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

Changes to this Data Privacy Framework:
This Data Privacy Framework may be amended from time to time consistent with the requirements of Data Privacy.