This privacy policy pertains to the Solution and Website developed by Skippet, a société à responsabilité limitée, governed by the laws of the Grand Duchy of Luxembourg, having its registered office at 18 Beim Fussebur, L-5364 Schrassig and registered with the Luxembourg Registre de Commerce et des Sociétés under number B222512 (“MyMedBot” or “we”, “us” or “our”). The “Solution” consists of a mobile and browser-based tool that the Subscriber (as defined below) uses to gather information from the users (as defined below). The Solution can be downloaded from the Google Play or App Store or accessed at the link https://dashboard.mymedbot.lu. The “Website” is separate from the Solution and is used for marketing and informational purposes. It can be accessed at https://mymedbot.com.

You (“you” or “your” or a “user”) are receiving this privacy policy because you wish to use the Solution at the request of your employer, service-provider or educational institution who has requested your access to the Solution (the “Subscriber”), or because you have visited our Website.

We take our obligations under privacy and data protection law very seriously and aim to comply with any applicable requirement of privacy and data protection law. This privacy policy is designed to help you understand your rights about your Personal Data (as defined below) which may be collected through the Solution. By downloading, using or accessing our Solution or by using our Website, you accept our privacy policy and you consent to our collection, storage, use and disclosure of your Personal Data as described further in this privacy policy.

“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified by data such as his or her name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Our Solution works by collecting information on the Subscriber’s behalf about users. The Subscriber determines which data is collected and ultimately owns the data of the responses. The Subscriber can customize the Solution’s interface to request any information it chooses.

On the one hand, we are acting as a “processor” on behalf of the Subscriber. This means that (i) the Subscriber decides whether and which of your Personal Data will be collected through this Solution, as well as why and how your Personal Data will be processed; and that (ii) we process such data in accordance with the instructions of the Subscriber. We invite you to contact the Subscriber to obtain a copy of its privacy policy and to understand your rights regarding your Personal Data collected through this Solution according to the instructions of the Subscriber. We are not responsible for what the Subscriber does with or how it uses your Personal Data, nor for what information the Subscriber requests from you via our Solution.

On the other hand, we also collect, on our own behalf, certain general information about all the users of our Solution, which may include Personal Data (“User Data”). With regard to User Data which is Personal Data (the “User Personal Data”), we act as a “controller”. This privacy policy is designed to help you understand which User Personal Data we collect as a “controller”, why we collect this data, how we use it and who we share it with. It also explains the rights you have in connection with the User Personal Data, including how to contact us or how to make a complaint. Please note that failure to provide us with the User Personal Data as set out below in section 1 of this privacy policy, will prevent us from providing the Solution to you.

We invite you to carefully read this privacy policy, and for any further question in relation to the processing by us of your Personal Data or the collecting by us of your User Personal Data, we invite you to contact us at privacy@mymedbot.lu. 

This privacy policy may change from time to time and we will inform you and the Subscriber of any changes by updating the privacy policy on our Solution. We will make notifications of change through the Solution and/or by email. The continued use of the Solution following such notifications shall be constructed as a consent to the then-current terms.

This privacy policy was last updated on 4 February 2021.

1. WHAT USER DATA DO WE COLLECT ABOUT YOU 

We collect various types of User Data about you (i) from the Subscriber, (ii) from your use of our Solution, and (iii) from your voluntary submission of Personal Data on our Website, including: 

– your name and the names of people you may report for or may report for you within the Solution; 

– your email address; 

– information regarding your device, browser, operating system and IP address; 

– usage data (e.g., date and time of access of our Solution and date and time of certain actions performed on the Solution);

– user ID numbers inputted by the Subscriber in the Solution which may constitute employee, student or similar ID numbers.

2. THE WAY WE COLLECT USER DATA ABOUT YOU 

If you use our Solution:

We may collect or receive your User Data when your account is created and when you use the Solution. Some information about you comes from the Subscriber. We do not collect information about you from third parties in connection with providing the Solution to you.

If you visit our Website:

Users can subscribe to newsletters or other communications outside of our Solution on our Website. You may unsubscribe from these notifications at any time by visiting an opt-out page at http://mymedbot.com/optout. We use cookies to analyze traffic, to remember your preferences, to optimize navigation and to improve our services. We may use both persistent and session cookies. Persistent cookies remain on your computer after you close your session and until you delete them. Session cookies expire when you close your browser.  For example, we store a persistent cookie to track device information and anonymous location data. We also engage with third parties such as Google Analytics to understand how you use our Website. In the future we may use third party solutions to track user experience on our Website.

You may use the settings within your browser to control cookies or prevent accepting some or all cookies. To find out more useful information on how to block cookies using different browsers, please visit www.allaboutcookies.org. You can block or delete all or some cookies. However, blocking or deleting cookies may limit your use of full advantages of the marketing Website.

3. HOW WE RESPOND TO DO NOT TRACK SIGNALS

We treat users the same regardless of their do not track request. That is, we disregard any do not track requests by your browser, operating system or solution, and we do not respond to any do not track requests.

4. PURPOSES FOR USING USER PERSONAL DATA ABOUT YOU 

The User Personal Data collected from you will be used for the purposes of: 

– management of our users (e.g. registration, account management, answers to user questions and provision of technical support); 

– management and improvement of our Solution; 

– research and development purposes (analysis in order to better understand your needs and to better understand our business and develop our Solution); 

– improve and personalize your experience;  

– improve the quality of our Solution; 

– archiving and record keeping; and 

– any other purposes imposed by law and authorities. 

Management of our users includes the sending of periodic communication via e-mail.  Example e-mails may include a welcome e-mail, verification e-mails, or any other e-mails that are required to operate your account. 

5. LEGAL BASIS FOR USING USER PERSONAL DATA ABOUT YOU 

We will not use your User Personal Data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we may process your User Personal Data if we have at least one of the following: 

– consent (where you or your legal guardian have consented to our use of your User Personal Data);

– contract performance (where your information is necessary for the performance of a contract to which you are a party); 

–  legal obligations (where we need to use your information to comply with our legal obligations);

– legitimate interests (where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights); and

– legal claims (where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party).

If we learn that your Personal Data was wrongly collected by the Solution, we will take steps to delete the information as soon as possible.

6. WHO DO WE SHARE YOUR USER PERSONAL DATA WITH 

6.1 General provisions

We do not share, or otherwise transfer your User Personal Data to third parties, other than those indicated in this privacy policy. We do not sell User Personal Data to third parties.

In the course of our activities and for the same purposes as those listed in this privacy policy, your User Personal Data can be accessed or transferred to the Subscriber and, on a need to know basis or a need to operate the Solution basis, the following categories of recipients, and subject to the requirements of the applicable privacy and data protection laws: 

– the Subscriber;

– our personnel; 

– our service providers that provide services to us in the context of the Solution; 

– our IT systems providers, cloud service providers, database providers and consultants; 

– any third party to whom we assign or novate any of our rights or obligations to in the context of a sale or transfer of any part of our business or assets;

– our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets or if so requested to provide specific advice; and

– any national and/or international regulatory, enforcement, public body or court, where we are required to provide access by applicable law or regulation.

The above third parties are contractually or lawfully obliged to protect the confidentiality and security of your User Personal Data, in compliance with applicable law. 

6.2 GDPR provision

If you are a data subject under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), please note that we intend to transfer your User Personal Data outside of the European Economic Area.

In particular, the User Personal Data we collect from you may also be processed, accessed or stored in the United States. We rely on your consent to transfer your User Personal Data to the United States. Your consent in this respect will be requested through ticking the relevant box while accepting this privacy policy.  

Note that the European Commission has not adopted an adequacy decision regarding the United States and that the United States does not provide for the same level of personal data protection as the GDPR. On 16 July 2020 in the case ECJ C-311/18, Facebook Ireland and Schrems, 2020, the European Court of Justice has stated that the policies of the United States of America enable interference, based on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States. In particular, that Court has considered that the law of the United States does not provide for the necessary limitations and safeguards with regard to the interferences authorised by its national legislation and does not ensure effective judicial protection against such interferences, which violates the GDPR.

6.3 FERPA provision

The U.S. Family Education Rights and Privacy Act (“FERPA”) generally applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. As private schools generally do not receive funds from the U.S. Department of Education, FERPA generally does not apply to them. 

If the Subscriber is an educational institution or agency subject to FERPA (“Educational Institution”) and you are a student located in the United States (“Student”), the information that we collect about you may be considered part of the Student’s “education records” held by the Educational Institution as defined in 20 U.S.C. § 1232g(a)(4); 34 C.F.R. § 99.3, “Education records.”  “Eligible student” means a student who has reached 18 years of age or is attending an Educational Institution of postsecondary education. Unless excepted under FERPA, a parent or eligible student must provide a signed and dated written consent before a school discloses “personally identifiable information” from the student’s education records. 34 CFR § 99.30. This consent may be in electronic form and is the responsibility of the Educational Institution. In some cases, we may ask for your consent on behalf of the Subscriber in order to enroll or keep you in the Solution. 

By way of an example, when allowed under FERPA’s “health or safety emergency” exception, the Subscriber may share User Personal Data from Student education records with a public health agency, without your prior written consent. 20 U.S.C. § 1232g(b)(1)(I); 34 C.F.R. §§ 99.31(a)(10) and 99.36. The facts may qualify for other exceptions.     

To the extent FERPA applies to your Educational Institution, Parents (as defined below) and non-eligible Students may have a right to inspect and review the Student’s records and are given an opportunity to challenge or explain the content of a Student’s education records.  We will work with your Educational Institution to enable it to comply with its FERPA obligations in this regard. This Privacy Policy does not limit or expand your rights under FERPA with the Educational Institution. 

7. DATA SECURITY 

We encrypt your Personal Data at rest using AES-256 encryption on AWS and in transit using TLS. We store your data on cloud servers operated by Amazon Web Services (AWS) and located in the United States of America. We back up the data periodically and maintain auditable logs of access to your data. Our personnel retain access to your Personal Data for IT and customer support purposes. 

8. THIRD PARTIES

We use various third-party service providers to provide optimal Website and Solution functionality to you and our business operations. These third-party technology service providers have their own privacy policies addressing how they use such information. Not all of these third parties touch your Personal Data in every situation. While we take care in choosing our service providers with our users in mind, we cannot be responsible for the actions of these third parties except to the extent required by law. Below are some examples with links to their privacy policies.

Third parties used in the provision of our Solution to users:

–      We use the Expo Platform for our Solution development. You can find out more about their privacy at https://expo.io/privacy-explained and https://expo.io/privacy.  

–      We use Heroku, a Salesforce company, for our database development. You can find out more about their privacy policies at https://www.heroku.com/policy/security and https://www.salesforce.com/company/privacy/. 

–       We use MongoDb as a database system. You can find out more about their privacy policies at https://www.mongodb.com/legal/privacy-policy.

–       We use cloud storage and analytics services from Amazon Web Services. You can find out more about Amazon’s privacy policy here: https://aws.amazon.com/privacy/.

–       We use LogDNA to store and analyze logs related to the usage of our Solution, for customer support and auditing purposes. You can find out more about LogDNA’s privacy policy here: https://logdna.com/privacy/.

–       We use Freshdesk, an online software offered by Freshworks to help manage our customer support services that are offered to Subscriber’s personnel. You can find out more about Freshwork’s privacy policy here: https://www.freshworks.com/privacy/.

Third parties used in the provision of our marketing Website and for customer & marketing management:

We use third party website visitor tracking services such as Google Analytics, that collect, monitor and analyze the demographic information of the users visiting our Website in order to increase our Website’s functionality, appeal to prospective customers and measure the effectiveness of our online advertising. 

–      We use Google Analytics to track, analyze, monitor and report on the Solution and Website traffic. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page at: http://www.google.com/intl/en/policies/privacy/.  Any information regarding opting out of Google Analytics tracking can be consulted at: https://tools.google.com/dlpage/gaoptout.

–     We use website development tools like WordPress and related WordPress Solutions. Use of our Website and entering information into our “Contact Sales” and similar forms go through the WordPress platform where they store traffic data. You can find out more about WordPress’s privacy policy at: https://wordpress.org/about/privacy/. If you watch videos on our marketing Website your data may be collected through a service called Wistia, which helps companies gather data about prospective customers. You can learn more about Wistia’s privacy policy here at: https://wistia.com/privacy.

We use tools to manage our off-Solution communications with our customers, potential customers and other third parties through a mailing list and customer relationship management platforms offered by Freshworks. Mailchimp and GSuite. You can find their privacy policy at: https://support.freshsales.io/support/Solutions/articles/233227-privacy-policy; https://mailchimp.com/legal/privacy/ and http://www.google.com/intl/en/policies/privacy/.

As noted above, we compile Website usage statistics from data collected through cookies. We may publish those statistics or share them with third-party technology service providers, but they do not include Personal Data.

We are not responsible for the conduct of Google, Amazon, Heroku, MongoDB, LogDNA, Salesforce, Expo, WordPress, Freshworks, Mailchimp or any other third parties we may use. As noted above, their respective terms of service and privacy policies can be found on their Websites.  

It is possible that we or the Subscriber may provide links to or compatibility with other websites or applications. Following these links is optional. We are not responsible for the privacy practices employed by those Websites or the information or content they contain. This privacy policy applies solely to information collected by us through our Solution and our Website. Therefore, this privacy policy does not apply to your use of a third-party website accessed by selecting a link on our Solution or Website. We encourage our users to read the privacy statements of other Websites before proceeding to use them.

9. STORAGE PERIOD OF YOUR USER PERSONAL DATA 

Your User Personal Data will be stored as long as necessary to fulfil the purposes for which it was collected or to comply with legal or regulatory requirements. 

What this means in practice will vary depending on the types of data. When we consider the retention duration, we consider any continued need to process the data, together with our legal, regulatory and contractual obligations. For User Personal Data that is related to an agreement that you or your Subscriber has executed with us, the retention period is the duration of that agreement, plus the period until claims under the agreement become time-barred, unless legal or regulatory requirements require a longer or a shorter retention period. 

10. YOUR RIGHTS IN RELATION TO YOUR USER PERSONAL DATA 

You may be entitled to information or additional rights under applicable privacy and data protection law. Nothing in this section provides rights to individuals not entitled to such information or additional rights.

If you are entitled to these rights, we may require proof of such applicability, such as proof of European, California or other residence before responding to any request made under this section. 

This listing of any data protection laws in this Section is not an admission that such laws apply to MyMedBot.

If you have a question or want to exercise these rights, you may send an e-mail to privacy@mymedbot.lu. 

10.1 GDPR

If you are a data subject under the GDPR, you have:

– the right to request us to provide you with further details on the use we make of your User Personal Data; 

– the right to access or receive your User Personal Data as processed by us; 

– the right to request the update of any inaccuracies in your User Personal Data; 

– the right to request the deletion of your User Personal Data; 

– the right to request the restriction of processing to specific categories of your User Personal Data; 

– the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal; 

– the right to object, in whole or in part, to the processing of your User Personal Data; 

– the right to request the portability of your User Personal Data (i.e., that the User Personal Data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations); and

– the right to make a complaint to the competent data protection authority. 

10.2 US laws

10.2.1 HIPAA

If the Subscriber is a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”) and our legal relationship with Subscriber is that of a Business Associate (as defined under HIPAA), we will have a Business Associate Agreement (as defined under HIPAA) in place before the Subscriber or its users may place protected health information (“PHI”) on the Solution. To the extent that any of HIPAA, the HIPAA Privacy Rule, HIPAA Security Rule or otherwise, as they relate to business associates, conflict with the other terms of this privacy policy, the legal terms of these laws and rules will govern. Please look to the Subscriber for any inquiries or remedies under HIPAA that you may have. 

10.2.2 New York

If the Subscriber is an Educational Institution subject to the laws of New York, pursuant to New York Education Law § 2-d, Parents Bill of Rights for Data Privacy and Security shall be included with our contract with the Educational Institution.

10.2.4 California

If you are a user subject to the laws of California, you have:

– the right to receive equal services and prices as other consumers, even if exercising these rights herein, such as opting out of the sale of your data for marketing purposes (which we don’t do);

– the right to opt out of or into the sale or sharing of your User Personal Data (which we don’t do) other than to the Subscriber;

– the right to object to the processing of your User Personal Data for direct marketing purposes (we only do this if you voluntarily submit your data on our Website); 

– the right to request deletion of your User Personal Data, provided the provision of data is compliant by law and by our contract with the Subscriber;

– the right to get data in an easily accessible format, provided the provision of data is compliant by law and by our contract with the Subscriber; and

– the right to be notified in case of a personal data breach regarding your User Personal Data; and 

You should contact the Subscriber to exercise these rights, and we will work with the Subscriber to help it comply with its obligations under the law. Additionally, you may contact us at +1 (833) 578-1058 and privacy@mymedbot.lu.

If the Subscriber is an Educational Institution subject to the laws of California, we will not use the Educational Institution’s data for any purpose beyond the indicated purposes in the privacy policy. This includes not using the education records in targeted advertising

Any destruction of User Personal Data will be performed in accordance with the California Data Protection Act of 2004 (“CDPA”) (§§1798.80-84 of the Cal. Civ. Code).

Other than the categories of information listed above in Section 1, we do not collect Sensitive Personal Information (as defined in the CDPA) about you unless the Subscriber requires it. We do not have control of what the Subscriber asks its users.

10.2.3 Connecticut

If the Subscriber is an Educational Institution subject to the laws of Connecticut, we will not use the Educational Institution’s data for any purpose beyond the indicated purposes in the privacy policy.  This includes not using the education records in targeted advertising

We will use at least industry standard security to protect the educational records generated through our Solution. Pursuant to Public Act No. 16-189, Connecticut law shall govern the duties between us and the local or regional board of education for the Educational Institution, and we will comply with Public Act No. 16-189.

10.2.4 Maryland and Colorado

If the Subscriber is an Educational Institution subject to the laws of Maryland or Colorado, we will not use the Educational Institution’s data for any purpose beyond the indicated purposes in the privacy policy. This includes not using the education records in targeted advertising.

10.2.5 Florida and Pennsylvania

If the Subscriber is subject to the laws of Florida or Pennsylvania, pursuant to the Florida Information Protection Act of 2014 and Pennsylvania’s Breach of Personal Information Notification Act, we will provide notice to you of a security breach.

11. THE USER IS A MINOR

Please note that we will not knowingly collect, use or disclose User Personal Data from a minor under the age of 16 (the “Minor”) without consent given by a person with parental authority over such Minor (the “Parent”).

Any consents given by a Parent on behalf of a Minor, are deemed to be the consent of the Minor.

Through ticking the relevant box while accepting this privacy policy, the Parent:

–        represents and warrants that he or she has the legal authority to provide consent for and act on behalf of the Minor;

–      confirms that he or she has the right to authorize us to process the User Personal Data of the Minor in accordance with this privacy policy;

–       agrees to indemnify, defend and hold us harmless against any misuse of the Solution by the Minor or the Parent; and

–      represents and warrants that he or she has received the consent from all of the individuals who have the power to consent and withdraw consent for and on behalf of the Minor (for whatever reason and to whatever extent) to consent to the privacy policy for and on behalf of the Minor and the consent from such other individuals is irrevocable (but you may stop using the Solution at any time).   

12. JURISDICTION AND APPLICABLE LAW 

You agree that this privacy policy is managed, interpreted and executed in accordance with the laws of the Grand Duchy of Luxembourg without regard to conflicts of laws of the US or any US state and any dispute will be subject to the exclusive jurisdiction of the courts of the Grand Duchy of Luxembourg. 

You agree that the courts of the Grand Duchy of Luxembourg have personal jurisdiction over you (including the parent and the student) for any disputes arising hereunder and hereby waive any claims or assertions to the lack of personal jurisdiction or forum non conveniens in the courts of the Grand Duchy of Luxembourg.