OUR COMMITMENT TO PRIVACY
Last Updated: 10/01/2020
- CellPort Software LLC
FOR INDIVIDUALS LOCATED IN THE EUROPEAN ECONOMIC AREA: Natural persons in the European Economic Area (EEA) whose information has been collected as a result of the use of our Service may have further protections under Europe’s General Data Protection Regulations (GDPR), please see Sections 14.
FOR CALIFORNIA RESIDENTS: California residents whose information has been collected as a result of the use of our Service may have further protections under the California Consumer Privacy Act (CCPA), please see Section 16.
Information collected by the Company or on our behalf may be stored on your computers, on your mobile devices, or on our servers, and may be transferred to, accessed from, or stored and processed in, the United States and other countries including but not limited to the EU and China, and any other country where the Company or its service providers maintain facilities. This policy will be adhered to at all times regardless of your jurisdiction and we will endeavor to protect your privacy rights at all times regardless of the location of our processing.
- Overview of the Company’s Services
Company is the developer of the CellPort POWR™ platform (and CellPort Analytics as a derivative product), a modular and integrated application suite offered as software-as-a-service to manage the definition and execution of consistent, reproducible, compliant and scalable laboratory operations. CellPort POWR™ was developed to support drug development and manufacturing. All service offerings are supported by computerized systems which, if applicable, are compliant with the International Conference on Harmonization (ICH), Good Clinical Practices (GCP) E6(R2) and 21 CFR Part 11 Electronic Records and Signatures, and are, by design, not intended to process unblinded personal information.
All relevant data processes and flows have been assessed as part of our Security Risk Register and meet the Data Protection Impact Assessment Requirements of the GDPR and HIPAA/HITECH.
- Alignment with Privacy Regulations and Statutory requirements
The Company has established policies and procedures to protect the privacy of our customers and individuals whose data we process. To do so transparently, our alignment with major domestic and international privacy is described below. Broadly, and regardless, of jurisdiction or country of resident, privacy inquiries specific to our use or processing of your data are welcomed via firstname.lastname@example.org. We may require verification of identity before processing a query or complaint.
- Information Collection
A. Business-to-Business Related Information. Our Service is intended for drug development and manufacturing businesses (“Customers”), and is not intended for general consumers. We collect information in the business-to-business context, including certain information that identifies employees or other individual’s related to such Customer (“Business Data”).
Business Data is generally provided by Customer’s voluntarily may include the following categories of information:
- Contact Data. Contact data may include your first and last name of identified contacts within the organization, business postal address, business email address, and business telephone number.
- Account Credentials. Account credentials may include user names, passwords and other information for authentication and account access.
B. Research Data. The Service is intended for Customers to assist in such customer’s execution of consistent, reproducible, compliant and scalable laboratory operations (“Research”) which may require the processing of data derived from a medical patient. As a result, Company may collect data that relates to individual patients that are participants and/or subjects of applicable Research (such data referred to as “Research Data”).
Research Data is always obtained from the respective Customer, and Company does not obtain such information directly from a patient. To the extent certain Research Data is protected by federal law including HIPAA/HITECH, Company relies on our Customer to provide such information in a properly de-identified form. Company does not engage in any reidentification of any Research Data.
C. Other Data Collected Automatically. Additionally, certain information will be collected Automatically when you use the Services (“Usage Data”). Usage Data may include, but is not limited to the internet protocol (“IP”) address used to connect your computer to the internet, device identifier, browser type and version, operating system and platform, mobile device type, data regarding network connected hardware, the average time you spent engaging the Service, access times, geo-location information, and/or other statistics and information about your use of the Service. The categories of information we automatically collect include: Service Use Data, including data about features you use, pages you visit, and content, products and services you view and purchase, the time of day you browse, and your referring and exiting pages.
- Device Data, including data about the type of device or browser you use, your device’s operating software, your internet service provider, your device’s regional and language settings, and device identifiers such as IP address and Ad Id.
- Location Data, including imprecise location data (such as location derived from an IP address (or data that indicates a city or postal code level) and, with your consent, precise location data (such as latitude/longitude data).
The various methods that may be used by Service to collect Usage Information include:
- Log Information: Log information is data about your use of Service, such as IP address, browser type, internet service provider, referring and exit pages, operating system, date/time stamps, and related data, which is stored in log files.
- Information Collected by Tracking Technologies: Cookies, web beacons (also known as “Tracking Pixels”) embedded scripts, location-identifying technologies, voice processing technologies, device fingerprinting, in-app tracking methods, and other tracking technologies now and hereafter developed (“Tracking Technologies”) may be used to collect information about your interactions with the Service, including information about your browsing and activity behavior. These tracking technologies allow us to determine unique preferences and trends based on a user’s use of the Service, as well as that user’s use of third-party online services participating in the same advertising network as Company.
- Cookies: A cookie is a small text file that is stored on a user’s device, which may be a session ID cookie or persistent cookie. Session cookies make it easier for you to navigate the Service and expire when you close your browser. Persistent cookies help in understanding how you use the Service and remain after you close your browser. The Service may associate some or all of these types of cookies with your devices. Cookies may remain on your device for extended periods of time.
- Web Beacons / Tracking Pixels: Web beacons are small graphic images, also known as “internet tags” or “cler gifs,” embedded in web pages and email messages. Web beacons may be used, without limitation, to count the number of visitors to the Service, to monitor how users navigate the Service, and to count content views.
- Embedded Scripts: An embedded script is programming code designed to collect information about your interactions with the Service. It is temporarily downloaded onto your device from our web server or a third party with whom we work, is active only while you are connected to the Service, and deleted or deactivated thereafter.
- Location-Identifying Technologies: GPS (global positioning systems) software, geo-filtering, Wi-Fi, and other location-identifying technologies locate (sometimes precisely) you for purposes such as verifying your location and delivering or restricting relevant content based on your location.
For further information on how we use Tracking Technologies for analytics, and your rights and choices regarding them, see the “Collection Technology and Analytic Services” section below.
D. Data Sharing: Non-Personally Identifiable Information.
We may share non-personally identifiable information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with interested third parties to help them understand the usage patterns for the Company Service and those of our partners. Such data consists solely of anonymized or pseudonymized data that does not identify any specific individual.
Non-personally identifiable information may be stored indefinitely.
- Use of Collected Data
To the extent there is personal information contained in Business Data, Research Data, Usage Data, such personal information is used by Company for the following reasons:
- To achieve the operational purpose for which the information was collected or processed or for another operational purpose that is compatible with the context in which the information was collected
- Auditing related to a current interaction with the our customers and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a Consumer or otherwise alter an individual Consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Notwithstanding the above, we may use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by any applicable law.
- Collection Technology and Analytic Services.
We use the information collected through Collection Technology for security purposes, to facilitate navigation, to display data more effectively, to personalize your experience while using the Websites and to recognize your computer to assist your use of the Service. We also gather statistical data to continually improve design and functionality, understand how the Service is used and assist us with resolving questions.
If you want to remove or block Cookies from your device at any time, you can update your browser settings (consult your browser’s “help” menu to learn how to remove or block cookies).We are not responsible for your browser settings. You can find good and simple instructions on how to manage Cookies on the different types of web browsers at www.allaboutcookies.org.
- Links to Other Websites
We process and store any obtained personal information, including that within Business Data, Research Data, and Usage Data, using reasonable physical, technical and administrative safeguards. Please be aware that the Service is not immune from typical vulnerabilities posed by the internet, and from time to time, may require maintenance or experience problems or breaches of security beyond our control. No transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under our control to intercept or access transmissions or private communications unlawfully. We cannot ensure or warrant the security of any information transmitted to us over the internet beyond the control of our implemented safeguards.
- In the event of a Data Breach
We have developed an internal process for the identification and processing of data breaches.
In the event of a personal data breach, the Company will notify the personal data breach to the supervisory authority competent in accordance with either: Article 55 for EU and Swiss subjects (Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the affected person(s)); or the national or state competent authority relevant to the residence of the Data Subject.
Further, as mitigation against data breaches and as an integrated part of our Information Security Management System we have integrated Data Protection Impact Assessments (DPIA) into our Security Risk Register.
We are additionally committed to the enforcement of The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 for US Data Subjects and the California CCPA.
If you are concerned that you have been impacted by a breach as a direct result of the Company processing your data, contact our Data Protection Officer: email@example.com.
- Change of Control
We may buy or sell/divest/transfer the Company (including any shares in the Company), or any combination of its products, services, assets and/or businesses. Your information such as customer names and email addresses, and other User information related to the Company may be among the items sold or otherwise transferred in these types of transactions. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the Company.
You will be notified via a prominent notice within the Service as to any change in uses of your personal information, as well as any choices you may have regarding your personal information.
- Legal Requirements
We may disclose such data in response to subpoenas, court orders, or other legal process, or to establish or exercise our legal rights and obligations or defend against legal claims.
Company’s Service is not intended for children under the age of 16, and we do not knowingly collect information from children under the age of 16. If you are concerned that such information has been collected inadvertently or otherwise, please contact firstname.lastname@example.org.
- Personal Data Protection Rights
Citizens of the EEA or Switzerland have full rights to access, update, object to, restrict, or request deletion of personal data or make use of data portability. If you wish to do so, contact us at email@example.com stating that request. We will respond within 96 hours of your request.
- Contact Us
435 Creamery Way, Exton, PA 19341
Our Data Protection Officer is Stephen R Ferrell CISA CRISC CDPSE who can be reached at:
Last updated as of October xx, 2020
- FOR EU RESIDENTS ONLY – EEA/Swiss Citizens Rights under the GDPR
The Company undertakes to respect the confidentiality of your Personal Data and to guarantee you can exercise your rights.
- Request access to your Personal Data. The right to access, update or delete the information that we hold about you. Whenever made possible, you can access, update or request deletion of your personal data by making a request via firstname.lastname@example.org.
- Request correction of the Personal Data that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected.
- Object to processing of your Personal Data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your Personal Data on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes (not a Company business practice).
- Request erasure of your Personal Data. You have the right to ask us to delete or remove Personal Data when at the conclusion of our data processing activities.
- Request the transfer of your Personal Data. We will provide to you, or to a third-party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for and does not apply to deidentified data that we have processed.
- Allow the Company, by your own consent, to process your data in conjunction with our contracted business practices.
- Withdraw your consent. You have the right to withdraw your consent on using your Personal Data. If you withdraw your consent, the Company will be unable to perform the contracted services we are engaged in, on your behalf.
A. The Company as the Data Controller or Processor.
When the Company acts as the data controller we are committed to the enforcement of all aspects of this policy. We have developed internal mechanisms for the receipt of complaints, for the communication of data breaches and for joint data processing engagements.
Technical and organizational measures which are designed to implement data-protection principles, such as pseudonymization and data minimization, will be applied as necessary and required by the study protocol and with the express consent of the study participants (data subjects).
Where processing is to be carried out by the Company on behalf of a controller, we are committed to agreeing a mutually executed Data Processing Agreement. the Company shall not engage another processor without prior specific or general written authorization of the controller.
In the case of general written authorization (as codified by our Data Processing Agreement), the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
All Company associates are trained on both this policy and additional internal privacy practices that have been created in support of this policy.
B. Legal Basis of Processing Data.
We may process Personal Data under the following conditions:
- Consent: You have given your consent for processing Personal Data for one or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
- Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
- Vital interests: Processing Personal Data is necessary to protect your vital interests or of another natural person.
- Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
- Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
Under all conditions and at the request of an impacted data subject the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
C. Rights of Data Subjects.
You may exercise your rights of access, rectification, cancellation, and opposition by contacting email@example.com. Please note that we may ask you to verify your identity before responding to such requests, and further by making your request you are consenting for the personally identifiable information that you have provided to be used in the course of our internal response to your query or complaint.
You have the right to complain to a Data Protection Authority about Our collection and use of your Personal Data. For more information, if you are in the European Economic Area (EEA or Switzerland), please contact your local data protection authority in the EEA or Switzerland.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation will not be collected – unless:
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- an additional exception rule of GDPR Article 9 is met
In the event our normal business practices require the identification of a data subject, we rely on our Customer’s to obtain the data subject’s prior written consent. Any questions or requests related to such consent must be directed at the Customer that has the direct relationship with data subject, and we will work with such Customer as necessary to satisfy any obligations with respect to such data subject.
When possible the Company will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, the Company will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. The Company shall treat as Sensitive Personal Information any information received from an individual where the individual would treat and identify it as Sensitive Personal Information.
E. Data Sharing: Personally, Identifiable Information.
The Company will not rent or sell your personally identifiable information to others. We may store personal information in locations outside the direct control of the Company (for instance, on servers or databases co-located with hosting providers).
- FOR RESIDENTS OF CALIFORNIA ONLY – California Consumer Privacy Act (CCPA) your Rights under the CCPA
- The right to notice: You must be properly notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
- The right to access / the right to request: The CCPA permits you to request and obtain from the Company, information regarding the disclosure of your Personal Data that has been collected in the past 12 months by the Company or its subsidiaries to a third-party for the third party’s direct marketing purposes.
- The right to say no to the sale of Personal Data: You also have the right to ask the Company not to sell your Personal Data to third parties. You can submit such a request by emailing our Data Protection Officer at firstname.lastname@example.org.
- The right to know about your Personal Data: You have the right to request and obtain from the Company information regarding the disclosure of the following:
- The categories of Personal Data collected
- The sources from which the Personal Data was collected
- The business or commercial purpose for collecting or selling the Personal Data
- Categories of third parties with whom we share Personal Data
- The specific pieces of Personal Data we collected about you
- The right to delete Personal Data: You also have the right to request the deletion of your Personal Data that have been collected in the past 12 months.
- The right not to be discriminated against: You have the right not to be discriminated against for exercising any of your Consumer’s rights, including by:
- Denying goods or services to you
- Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
- Providing a different level or quality of goods or services to you
- Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
A. Exercising Your CCPA Data Protection Rights.
In order to exercise any of your rights under the CCPA, and if you are a California resident, you can email us at email@example.com the Company will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.
B. CCPA: Do Not Sell My Personal Information.
We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology that “sells” personal information as defined by the CCPA law. If you wish to opt out of the use of your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by following the instructions below.
Please note that any opt out is specific to the browser you use. You may need to opt out on every browser that you use.
You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions as prompted.
The opt out will place a cookie on your computer that is unique to the browser you use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.
C. Mobile Devices.
Your mobile device may give you the ability to opt out of the use of information about the apps you use in order to serve you ads that are targeted to your interests:
* “Opt out of Interest-Based Ads” or “Opt out of Ads Personalization” on Android devices.
* “Limit Ad Tracking” on iOS devices.
You can also stop the collection of location information from your mobile device by changing the preferences on your mobile device.
“Do Not Track” Policy as Required by California Online Privacy Protection Act (CalOPPA).
Our Service does not respond to Do Not Track signals. However, some third-party websites do keep track of your browsing activities. If you are visiting such websites, you can set your preferences in your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of your web browser.
D. Your California Privacy Rights (California’s Shine the Light law).
Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties’ direct marketing purposes.
If you would like to request more information under the California Shine the Light law, and if you are a California resident, you can contact Us using the contact information provided below.
E. California Privacy Rights for Minor Users (California Business and Professions Code Section 22581).
California Business and Professions Code section 22581 allow California residents under the age of 18 who are registered users of online sites, services, or applications to request and obtain removal of content or information they have publicly posted. To request removal of such data, and if you are a California resident, you can contact us using the contact information provided below and include the email address associated with your account.
Be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.