inCytes™ Privacy Policy

Benchmarc™ Privacy Policy

See inCytes™ Privacy Policy in PDF view mode

June, 2022





Documents Incorporated by Reference

    1. Standard Definitions
    2. License Agreement
  1. Handling of Personal Data: inCytes™ Platform
    1. General
    2. Roles and Responsibilities
    3. Rights of Data Subjects
    4. Requests to Receive or Delete Personal Data
    5. Notification of Security Breach
    6. inCytes™ License Agreement
  2. Handling of Personal Data: Websites
    1. General
    2. Tracking Data
    3. Cookie Clause
  3. Specific GDPR and HIPAA Clauses
    1. GDPR
    2. HIPAA
  4. Other Terms And Conditions
    1. Authorized Communications
    2. Final Agreement
    3. Dispute Resolution
    4. Non-Personal Data
    5. Notices and Communications
    6. Governing Language

1. Documents Incorporated By Reference

1.1. Standard Definitions

See here for most recent current version.

1.2. License Agreement

See here for most recent current version.

2. Handling Of Personal Data: inCytes™ Platform

2.1. General

The handling of Personal Data is governed by the specific Privacy Laws and Policies applicable to the particular Data Subject. The inCytes™ Platform is designed to collect, communicate and record Personal Data in a manner fully consistent with those Privacy Laws and Policies.

Personal Data is immediately and automatically encrypted by the inCytes™ Platform. No Company representative has access to Personal Data. No Company representative will at any time, for any purpose, seek Personal Data from the Data Subject or an Authorized Recipient in the absence of an appropriate Consent.

Personal Data will be stored and processed within the United States, unless alternative arrangements have been made between the Company and the Data Controller, in which case the Data Controller shall provide the Data Subject the details relating to the location and other relevant terms.

2.2. Roles and Responsibilities

The Company is a Data Processor. An HCP and/or other Authorized Recipient is the Data Controller. Amazon Web Services (“AWS”) is a Data Sub-Processor. AWS policies on the handling of Personal Data for purposes of GDPR and HIPAA can be found here and here respectively.

Neither a Data Subject nor an Authorized Recipient shall, in the absence of an express writing to the contrary accepted by them, submit Personal Data to the Company. If the Company comes into possession of what it considers in its sole discretion to be Personal Data, it shall promptly communicate such fact through an Authorized Recipient to the Data Subject. The Company shall not delete any such Personal Data unless and until instructed by the Data Subject or an Authorized Recipient to do so.

The Company may at any time request instructions from the Data Subject or an Authorized Recipient with respect to handling Personal Data and shall comply with such instructions. In the event the Data Subject or an Authorized Recipient fails to provide instructions, the Company shall have the right to take such actions as it deems in its best judgment to comply with applicable Privacy Laws and Policies and shall have no liability to the Data Subject or Authorized Recipient with respect to any such actions.

2.3. Rights of Data Subjects

The relevant Privacy Laws and Policies and other rights of a Data Subject depend on a number of factors, including the jurisdiction in which he/she resides, and the nature of consents given to an Authorized Recipient. A Data Subject should, in the event of any doubt regarding its rights with respect to Personal Data, seek clarification from its HCP or other Authorized Recipient and/or legal counsel.

2.4. Requests To Receive or Delete Personal Data.

Within ten days of receipt of written instructions from the Data Subject or Authorized Recipient, the Company shall forward to the requesting party an electronic file comprising all Personal Data of such Data Subject, if any, maintained by the Company and shall, upon further written instructions from such Data Subject or Authorized Recipient, permanently delete all such Personal Data.

2.5. Notification of Security Breach

As soon as practicable upon becoming aware of a security breach experienced by the inCytes™ Platform, including that involving a Data Sub-Processor, the Company shall notify all inCytes™ Licensees of such breach and all available details concerning it, including steps taken or to be taken by the Company and/or Data Sub-Processor as applicable to remedy such breach.

2.6. inCytes™ License Agreement

The inCytes™ License Agreement shall be incorporated herein by reference, provided that in the event of any conflict between this Agreement and the inCytes™ License Agreement relating to the privacy rights of a Data Subject, the terms of this Agreement shall prevail. Otherwise, in the event of conflict between the two agreements, the terms of the inCytes™ License Agreement shall prevail.

3. Handling Of Personal Data: Websites

3.1. General

Company Websites are not intended to solicit, collect or maintain Personal Data. As and when the Company becomes aware of any information being communicated through a Company Website which information it believes in its sole discretion may constitute private health information, the Company shall and shall be entitled to delete it without notification to the submitting party.

Subject to the foregoing, the Company observes all commitments with respect to Personal Data described in this document in the context of Company Websites.

3.2. Tracking Data

In connection with its Websites only, the Company uses certain third-party analytics tools, including Microsoft Clarity™, to improve the user experience. The Company only uses analytics tools which are created and maintained by reputable third parties and are GDPR-compliant.

3.3. Cookie Clause

Cookies are pieces of data from a website that are stored within a web browser, so that the website can retrieve the data later. Cookies are used to tell the server that users have returned to their website. See here for more details on cookies and Company Websites.

4. Specific GDPR and HIPAA Clauses

4.1. GDPR

With respect only to Data Subjects covered by the GDPR:

a. This Agreement shall be deemed to incorporate by reference the Standard Contractual Clauses notified under document C(2010) 593.

b. The Company shall follow all supplementary measures that the European Union requires from time to time to remain compliant with the GDPR.

c. The Company is prohibited from processing Personal Data without the consent of the Data Subject or an Authorized Party

d. The Company will inform the Data Subject of any inability to comply with the GDPR as it pertains to the Data Subject.

4.2. HIPAA

a. Personal Data includes Protected Health Information. The Company and Sub-Processor are Business Associates. An Authorized Party may be a Covered Entity.

b. The Company agrees to:

i. Comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information.

ii. Report to the Data Subject or, as appropriate, an Authorized Party any use or disclosure of Personal Data not provided for by this Agreement and of which it becomes aware, including breaches of unsecured Personal Data as required at 45 CFR 164.410, and any other security incident of which it becomes aware.

iii. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Data Sub-Processor which creates, receives, maintains, or transmits Personal Data agrees to the same restrictions, conditions, and requirements that apply to the Company with respect to Personal Data.

iv. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

5. Other Terms and Conditions

5.1. Authorized Communications

A Data Subject may elect at any time to opt out of any Consent which he/she has previously communicated, provided that the Data’s Subject’s HCP must also request such opt-out in the event such Consent pertains to the medical care of the Data Subject.

5.2. Final Agreement

This is the final agreement between the Company and any user of the inCytes™ Platform concerning its content, and supersedes all prior agreements or understandings, written or oral, concerning its subject matter. No amendment or assignment of this Agreement shall be effective without the express written consent of the Company.

The Company shall make no change to this Agreement which in any way diminishes the rights of a Data Subject without the express written consent of such Data Subject. The Company may otherwise amend this Agreement from time to time, which amendment shall be notified to all inCytes™ Licensees, and shall be deemed accepted and binding upon such inCytes™ Users through their continued use of the inCytes™ Platform.

5.3. Dispute Resolution

The agreements shall be governed by the laws of the State of Delaware, U.S.A.. The parties hereto submit to the jurisdiction of the courts of the courts of Delaware for the purposes of resolving any dispute arising out of or in connection with this Agreement.

5.4. Non-Personal Data

HCP’s and Authorized Recipients may create aggregated datasets of Non-Personal Data for purposes of developing evidence-based standards of care.

5.5. Notices and Communications

Any questions arising in the context of this agreement should be directed to the Company’s Data Privacy Officer.

5.6. Governing Language

This Agreement may be translated into various languages. In the event of any doubt as to the accuracy of any such translation, the English-language version shall prevail.