MedaSystems, Inc.

Privacy Policy

Effective: May 31, 2024


This Privacy Policy (“Policy”) explains how MedaSystems, Inc. uses the personal information that is collected from you when you visit our corporate website or our cloud-based software application (the “Service”).

What is “Personal Information”?

What Information do we Collect?

Data Automatically Collected Through Use of Our Website

Data Automatically Collected Through Use of the Service

Information Submitted by Individuals Through the Website

Information Submitted by Users of the Service

Initial Requests 

Invitations to Clinicians to Create a MedaSystems Account

Additional Information Requested by a Customer

How do we collect information from visitors to our website and Users of our Service?

Use of Cookies and Technologies Similar to Cookies

Our Role in Relation to Personal Information

Legal Basis for Processing Personal Information

How do we keep your information secure?

Corrections or Updates to Information Provided to MedaSystems

Transfer of Data to Third Parties

Transfer or Use of Data Internationally

Data Privacy Framework

Data Retention Period

Marketing

Information pertaining to Minor Children

Individual Data Protection Rights

General Rights

Rights of Individuals in the European Economic Area, the UK, or Switzerland

Patient Requests About Information Stored by MedaSystems

Changes to Our Privacy Policy

How to Contact Us

What is “Personal Information”?

“Personal information” as discussed in this Policy means information about an identifiable individual. Your personal information includes your full name, address, telephone number, date of birth, email address, and any other information that is connected to you, identifies you, or would allow someone to contact you.

What Information do we Collect?

Data Automatically Collected Through Use of Our Website

MedaSystems automatically collects certain information when individuals access our corporate website. This information does not reveal your specific identity (like your name or contact information). However, it may include device and usage information, such as your IP address, browser, device characteristics, operating system, language preferences, referring URLs, device name, country, geographic location, and information about how and when you use our application and other technical details. This information is primarily needed to maintain the security and operation of our website and for our internal analytics and reporting purposes. 

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

  • Log and Usage Data. Log and usage data are service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use the website, which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings, information about your activity on the website (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take, such as which features you use), and device event information (such as system activity, error reports, and hardware settings).

  • Device Data. We collect device data such as information about your computer, phone, tablet, or other devices you use to access the website. Depending on the device used, this data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and mobile carrier, operating system, and system configuration information.

  • Location Data. We collect location data, such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the website. For example, we may use technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling the Location setting on your device. Note, however, that if you choose to opt out, you may not be able to use certain aspects of the website.

Data Automatically Collected Through Use of the Service

Similar to our corporate website, certain information is automatically collected when individuals use our Service. Such information includes log and usage data that enable MedaSystems to monitor usage of and access to the Service. In addition, local storage files are generated when a User logs into the Service. These files are stored in the User’s local browser.

Information Submitted by Individuals Through the Website

MedaSystems also collects information from individuals who submit information about themselves through the website (e.g., on the “Contact Us” page).  This information includes email address, name, and company name.  

Information Submitted by Users of the Service

MedaSystems provides the Service to connect health care providers, their staff, life science company employees, consultants, and agents, and/or patients (collectively “Users”) to enable Users to efficiently submit, process and manage requests for access to investigational drugs developed by a Customer. 

Each life science company whose employees, consultants, or agents use the Service (each, a “Customer”) is a contracted customer of MedaSystems.  As such, each Customer ultimately directs MedaSystems how to handle the information or data pertaining to requests submitted to the Customer through the Service, consistent with the Customer’s agreement(s) with MedaSystems, the Terms of Service governing how Users utilize the Service, and applicable law.  The information provided while using the Service is governed by the Customer's privacy policy, except for identifiable information provided by patients/caregivers in connection with an Initial Request (see Section II.B.1), or personal information provided by physicians or physician's staff members for creating or maintaining their MedaSystems accounts (see Section II.B.2), which are governed by this Policy.  

Be advised that Customers may ask physician Users to sign separate legal agreements with the Customer regarding confidentiality and data rights pertaining to information submitted by the physicians to the Customer.  MedaSystems is not a party to any such agreements, and has no involvement with them.  MedaSystems recommends that Users review any such agreements carefully, and consult their legal counsel if necessary.

Initial Requests 

  • Information Collected from All Users:  In the process of submitting an initial request through the Service (“Initial Request”), MedaSystems may collect personal information from a User which may include first/last name, mailing address, email address, and phone number.  We convey and store this information based on the way the user initially identifies themselves (either as a physician or as a patient or caregiver), in the following manner:

    • Physicians: From physicians or their staff only, information collected also includes employer name and a brief medical history of the patient on whose behalf the request is being made. No protected health information relating to the patient is requested, and MedaSystems intends that no protected health information be provided. The information submitted in connection with an Initial Request is accessible by both (i) MedaSystems and (ii) the Customer to which the Initial Request is directed.  This Policy governs MedaSystems’ use of that information, while the privacy policy of the Customer governs how the Customer will handle the information.  A link to the Customer's privacy policy appears at the bottom of the Initial Request submission form.  A copy of the policy may also be available on the Customer’s website. 

    • Patients/Caregivers:  If you are a patient or authorized caregiver and have specifically been prompted to make an Initial Request (e.g., by your physician), a different process applies. MedaSystems will notify the appropriate Customer of the fact that you are making an Initial Request and will provide to the Customer only information that cannot be used to identify you (e.g., age, gender, diagnosis). This Policy governs MedaSystems’ use of that information, while the privacy policy of the Customer governs how the Customer will handle the information.  A link to the Customer's privacy policy appears at the bottom of the Initial Request submission form. A copy of the policy may also be available on the Customer’s website. In connection with an Initial Request, if a patient/caregiver provides their name, email address, phone number, mailing address, or any other piece of information that could be used to identify them, MedaSystems will not provide such information to the Customer; such information will be stored by MedaSystems and governed by this Policy.  

Invitations to Clinicians to Create a MedaSystems Account

After an Initial Request has been submitted to a Customer, physician Users (or their authorized staff) may be invited by the Customer to create a MedaSystems account to access the Service to continue the processing of the request, and/or provide additional information to the Customer about the request and/or the patient.  

If you are a physician User we may collect the following information from you when you create an account: name, employer, work address, work email, work phone number, mobile phone number, and information about your professional credentials, including a copy of your curriculum vitae. You will be asked to agree to our Terms of Service. If you are a member of the physician’s staff, you may be asked to provide some or all of this information on the physician’s behalf. In providing this information, you certify that the physician has authorized you to share this information.

Patients and their caregivers are not authorized to create an account or to utilize the Service apart from submitting an Initial Request. If a Customer receives an Initial Request submitted by a patient/caregiver and determines that the request should move forward, the Customer will direct the patient to have their physician contact the Customer directly.  

Additional Information Requested by a Customer

On occasion, a Customer may ask a physician or their authorized staff member(s) to provide additional information about the physician or their patient beyond what is collected by MedaSystems when the User’s MedaSystems account is created.  These requests will be sent by a Customer representative to the physician/staff member User through the Service. 

Examples of additional information a physician may be asked to provide include: a prior treatment history, lab results, medical images, proposed treatment plans including risk/benefit statements, information about where medications should be shipped, requests for initial supply and re-supply, and information about how the patient is reacting to the treatment.

Any information requested and provided in this manner will be governed by the privacy policy of the applicable Customer, and/or the agreement between the physician and the Customer (if applicable). 

How do we collect information from visitors to our website and Users of our Service?

Use of Cookies and Technologies Similar to Cookies

In addition to collecting information through various fields and forms on the corporate website and in the Service (as described above), we may use “cookies” or similar technologies to collect information about you and your device. Cookies are small pieces of instruction stored on your hard drive or device. They may enhance your experience as you navigate our site. A "session cookie" disappears after you close your web browser, or may expire after a fixed period of time. A "persistent cookie" remains after you close your web browser and may be accessed every time you use our site. We may use both session and persistent cookies on our corporate website.  We currently do not use any non-essential cookies in our Service.

By “technologies similar to cookies” we mean any type of data storage and recovery mechanism used on a user’s device for purposes of obtaining information. The most common ones include:

  • Browser local storage. Certain websites use the browser’s local storage (“sessionStorage” and “localStorage”), as well as the browser’s indexed database (IndexedDB), to store information.

  • Local storage of browser plug-ins, namely Flash local storage (“Flash Local Shared Objects”) or Silverlight local storage (“Isolated Objects”).

  • Web beacons. Web beacons are a tracking technique, which consists of inserting into a website (or an e-mail) an image hosted on an Internet server, so that when a browser or an e-mail application connects to the server to download and view the image, this connection is registered. This allows us to know when a user viewed a web page or the e-mail. Sometimes this image is very small or transparent, preventing the user from being aware of its existence.

  • “Fingerprinting” is a technique combining information obtained from the browser or navigation equipment to set a user apart in their subsequent visits to different websites.

We currently use browser local storage in our Service to store content information and preferences. On certain sections of our corporate website, we may occasionally use web beacons that allow us to determine when users visited that section of the site. 

There may be other tracking technologies now and later devised and used by us in connection with our corporate website. Further, third parties (e.g., Google) may use tracking technologies with our corporate website. We do not control those tracking technologies, and we are not responsible for them. However, be aware that you may potentially encounter third-party tracking technologies in connection with your use of our corporate website, and that this Policy does not apply to the tracking technologies or practices of such third parties. 

Our Role in Relation to Personal Information

Our role depends on the situation in which the Personal Information is handled:

  • Situation: When a patient or caregiver enters Personal Information in the Service in connection with an initial request for access to investigational products.
    Our Role: We are a “Controller” of that Personal Information.

  • Situation: When a physician enters Personal Information (pertaining to themselves or a patient) in connection with an initial request for access to investigational products.
    Our Role: We are a “Processor” of that Personal Information.

  • Situation: When Customers enter Personal Information in the Service in connection with their use of the Service to process requests for access to investigational products.
    Our Role: We are a “Processor” of that Personal Information.

  • Situation: When we handle Personal Information in connection with the execution and administration of our agreements with Customers (including contact details of Customer’s personnel/representatives).
    Our Role: We are a “Controller” of that Personal Information.

  • Situation: When we handle Personal Information in the creation and maintenance of user accounts on the Service.
    Our Role: We are a “Controller” of that Personal Information.

  • Situation: When we anonymize Personal Information to perform analysis for the purposes of improving the Services.
    Our Role: We are a “Controller” of that Personal Information.

Legal Basis for Processing Personal Information

We only process your personal information when we believe it is necessary and we have a valid legal basis to do so under applicable law, such as with your consent, to comply with laws, to provide you with services requested, to fulfill our contractual obligations, to protect your rights, and for our legitimate business interests.  

We may use de-identified information created by us without restriction. When we use the term “de-identified information,” we mean information that cannot be used to personally identify you.    

We may process your information if you have consented to allow MedaSystems to use your personal information for a specific purpose. You can withdraw your consent at any time by emailing us at privacy@medasystems.com.  

More specifically, we may also process your personal information for the following purposes: 

  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our services or at your request before entering into a contract with you.

  • Legitimate business interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests, rights, and freedoms. For example, we may process your personal information for the purposes described below:

    • To diagnose problems and prevent fraudulent activities

    • To identify usage trends, to understand better how the Service is being used and to make improvements.

    • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.  

    • To deliver and facilitate the delivery of our Service. We may process your information to provide you with the requested service.   

    • To respond to inquiries and offer support. We may use your information to respond to your questions and solve any potential issues you might have with the use of our Service.

    • To send administrative information to you. We may use your personal information to send you product, service, or new feature information, and information about changes to our terms, conditions, and policies.

    • To enable User-to-User communications. We may use your information, specifically your email address, to enable User-to-User communications.

    • To request feedback. We may use your information to request feedback and to contact you about your use of the Service.

    • To protect our Service. We may use your information as part of our efforts to keep the Service safe and secure (for example, for fraud monitoring and prevention).

    • To enforce our Terms of Service and policies 

    • To comply with our contract with a Customer. Processing certain of your information may be a necessary component of a contract between MedaSystems and a Customer.

  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. If we receive a subpoena or other lawful request, we may need to inspect the data we hold to determine how to respond, or we may process your information to comply with other legal or regulatory requirements.

  • To save or protect an individual's vital interests. We may process your information when necessary to save or protect an individual's vital interests, such as to protect human life or to prevent harm.

How do we keep your information secure?

We aim to protect your personal information through a system of organizational and technical security measures. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, the transmission of personal information to and from our website and the Service is at your own risk. You should only access the website and the Service within a secure environment.

Corrections or Updates to Information Provided to MedaSystems

  • Corrections/Updates to Information Submitted with an Initial Request: If a User wants to update or correct any information submitted with an Initial Request, they should contact the life sciences company directly, or they may email privacy@medasystems.com and we will assist in processing any changes.  If you are a patient/caregiver, and would like to correct, update or delete any personal information that has not been provided to the life sciences company by MedaSystems,  you should contact MedaSystems at privacy@medasystems.com.

  • Corrections/Updates to Information Provided When Setting up a MedaSystems Account: If a User would like to correct or delete any of their information after their account has been created, please email privacy@medasystems.com. We will promptly amend or remove any information consistent with this Policy.    

  • Corrections/Updates to Information Submitted by Physician Users to Customers: If you are a physician (or staff member) who would like to correct or remove any information uploaded and/or shared with a Customer through the Service, you should do the following, in order:

  1. Log in to the Service and attempt to make the correction or deletion yourself;

  2. Contact the Customer directly and ask them to make the correction or deletion; 

  3. If necessary, email privacy@medasystems.com and we will assist with processing the request, including providing additional instructions or information.  

Transfer of Data to Third Parties

Unless described in this Policy, we do not share, sell, rent, or trade any of your information with third parties for promotional purposes. There may be circumstances in which we share or transfer your information to third parties for business purposes, such as: 

  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. 

  • Vendors, Consultants and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include data analysis, email delivery, hosting services, and customer service. We may allow selected third parties to use technology on the Service, enabling them to collect data on our behalf about how you interact with the Service over time. This information may be used to, among other things, analyze data, determine the popularity of certain features, and better understand user activity. We have contracts in place with our data processors, which are designed to help safeguard your personal information. This means they cannot do anything with your personal information unless we have instructed them to do so. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct. 

  • Business Partners. We may share your information with our business partners to offer you certain products, services or promotions.

  • Requests from Public Authorities. We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In the case of onward transfers of personal information to third parties acting as agents on our behalf, we may remain liable in certain circumstances.

Transfer or Use of Data Internationally

We may transfer, store, and process your information in the United States, the European Economic Area (EEA), the United Kingdom (UK), or Switzerland. If you are accessing the Service from outside these geographic locations, please be aware that these locations may not have privacy or data protection laws equivalent to those in your country. However, regardless of where your personal information is transferred, we will take all necessary measures to protect your personal information in accordance with this Policy, any applicable data exchange policies of our Customers, the requirements of our Customer contracts, and applicable law.

Data Privacy Framework

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that MedaSystems adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that MedaSystems adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/.

See the list of entities that participate in the Data Privacy Framework here: https://www.dataprivacyframework.gov/list

For the types of personal data collected, see Section II of this policy. The purposes for which we collect and use Personal Information can be found in Section V of this policy. For information on how to contact us with any inquiries or complaints, please see Section XVI of this policy. The type or identity of third parties to whom we disclose personal information can be found in Section VIII of this policy (including responses to lawful requests from public authorities). For the rights of individuals to access their personal data, see Section XIV.

We commit to subject all personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland to the DPF Principles in reliance on the relevant part(s) of the DPF program.  By participating in the Data Privacy Framework, we are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) of the United States.

For disputes or complaints pertaining to data processed under the Data Privacy Framework, we use the independent dispute resolution panel established by the EU DPAs, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and the Swiss Federal Data Protection and Information Commissioner (FDPIC). Under certain conditions, individuals may also invoke a binding arbitration proceeding to resolve disputes.

Data Retention Period

We keep your information for as long as necessary to fulfill the purposes outlined in this Policy unless otherwise required by law. We will only keep your personal information for as long as it is necessary for the purposes set out in this Policy unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements), or as dictated by our contractual obligations to our Customers. 

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Marketing

We will not use your personal information for marketing purposes without your consent. You may revoke or withdraw your consent at any time by contacting us at privacy@medasystems.com.

Information pertaining to Minor Children

We do not knowingly collect data from individuals under 18 years of age. By using the website and the Service you represent that you are at least 18. If we learn that personal information has been collected from a user less than 18 years of age, we will deactivate the user account and take reasonable measures to delete such data from our records promptly. However, the Service may be used to collect de-identified data related to requests for treatment on behalf of a minor.  If you become aware of any data we may have collected from a minor (other than in connection with a request for treatment for that individual), please contact us at privacy@medasystems.com.

Individual Data Protection Rights

General Rights

Individuals have the following rights pertaining to their personal information:

  • The right to be informed of how their data is collected and processed

  • The right of access to any of their data that has been collected

  • The right of rectification to any inaccurate or incomplete data

  • The right to erasure of any and all data

  • The right to restrict processing to only certain types

  • The right to data portability so that data can be retained and reused for other purposes

  • The right to object to the use of their data for specific processing activities

  • Rights in relation to automation so that decisions are not made about the user based exclusively on automated processing

You may exercise these rights by emailing us at privacy@medasystems.com.

Rights of Individuals in the European Economic Area, the UK, or Switzerland

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland and you believe we are unlawfully processing your personal information, in addition to the general rights above, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/newsroom/article29/items/612080. If you are located in Switzerland, the contact details for the data protection authority are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.

Patient Requests About Information Stored by MedaSystems

If you are a patient whose physician requested expanded access treatment using the Service or who is currently receiving treatment, and you would like access to the information about you that has been provided by a User through the Service, contact privacy@medasystems.com, and we will assist you. We will correct, remove, or de-identify any information to the extent we are permitted to do so.  However, please note, in all likelihood your physician is in the best position to share with you, or remove, any information about you that has been submitted through the Service.    

Changes to Our Privacy Policy

We will update this Policy as necessary to stay compliant with relevant laws. As such, we may update this Policy from time to time. The updated version will be indicated by an updated "Revised" date, and the updated version will be effective as soon as it is accessible. If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your information.

How to Contact Us

If you have questions or comments about this Policy, you may contact our Data Protection Officer (DPO) by email at privacy@medasystems.com, or by post at the following corporate address:

MedaSystems, Inc.
3475 Edison Way, Suite R
Menlo Park, CA 94025
United States

Phone: (408) 365-4246

If you live in the European Union, the United Kingdom, or Switzerland you may contact our Local Representatives as follows:

EU - Ireland Representative
Instant EU GDPR Representative Ltd
2 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland
Adam Brogden
contact@gdprlocal.com
Tel: +353 1 554 9700

EU residents may also submit a request online here: https://medasystemsinc.gdprlocal.com/eu

UK Representative
GDPR Local Ltd
1st Floor Front Suite, 27-29 North Street, Brighton, England BN1 1EB
Adam Brogden
contact@gdprlocal.com
Tel: +44 1772 217 800

UK residents may also submit a request online here: https://medasystemsinc.gdprlocal.com/uk

Swiss Representative
Data Protection Representative Limited (DataRep)
Leutschenbachstrasse 95, 8050 Zurich, Switzerland
datarequest@datarep.com

Swiss residents may also submit a request online here: https://www.datarep.com/data-request