August 29, 2022
PLEASE READ THIS AGREEMENT CAREFULLY. IT DESCRIBES RIGHTS TO WHICH YOU MAY BE ENTITLED AND OBLIGATIONS WHICH YOU ACCEPT.
BY USING INCYTES™ YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT WISH TO BE BOUND BY THIS AGREEMENT, YOU SHOULD NOT USE INCYTES™.
ABSENT A BREACH BY LICENSOR OF ITS OBLIGATIONS HEREIN, YOUR SOLE REMEDY FOR DISSATISFACTION WITH INCYTES™ IS TO STOP USING INCYTES™.
1.1. Standard Definitions
See here for most recent current version.
1.2. License Agreement
See here for most recent current version.
The handling of Personal Data is governed by the specific Privacy Laws and Policies applicable to the particular Data Subject. The inCytes™ Platform is designed to collect, communicate and record Personal Data in a manner fully consistent with those Privacy Laws and Policies.
Personal Data is immediately and automatically encrypted by the inCytes™ Platform. No Company representative has access to Personal Data. No Company representative will at any time, for any purpose, seek Personal Data from the Data Subject or an Authorized Personal Data Recipient in the absence of an appropriate Consent.
Personal Data will be stored and processed within the United States, unless alternative arrangements have been made between the Company and the Data Controller, in which case the Data Controller shall provide the Data Subject the details relating to the location and other relevant terms.
2.2. Roles and Responsibilities
The Company is a Data Processor. A healthcare professional and/or other Authorized Personal Data Recipient is the Data Controller. Amazon Web Services (“AWS”) is a Data Sub-Processor. AWS policies on the handling of Personal Data for purposes of GDPR and HIPAA can be found here and here respectively.
Neither a Data Subject nor an Authorized Personal Data Recipient shall, in the absence of an express writing to the contrary accepted by them, submit Personal Data to the Company. If the Company comes into possession of what it considers in its sole discretion to be Personal Data, it shall promptly communicate such fact through an Authorized Personal Data Recipient to the Data Subject. The Company shall not delete any such Personal Data unless and until instructed by the Data Subject or an Authorized Personal Data Recipient to do so.
The Company may at any time request instructions from the Data Subject or an Authorized Personal Data Recipient with respect to handling Personal Data and shall comply with such instructions. In the event the Data Subject or an Authorized Personal Data Recipient fails to provide instructions, the Company shall have the right to take such actions as it deems in its best judgment to comply with applicable Privacy Laws and Policies and shall have no liability to the Data Subject or Authorized Personal Data Recipient with respect to any such actions.
2.3. Rights of Data Subjects
The relevant Privacy Laws and Policies and other rights of a Data Subject depend on a number of factors, including the jurisdiction in which he/she resides, and the nature of consents given to an Authorized Personal Data Recipient. A Data Subject should, in the event of any doubt regarding its rights with respect to Personal Data, seek clarification from his/her healthcare professional or other Authorized Personal Data Recipient and/or legal counsel.
2.4. Requests To Receive or Delete Personal Data.
Within ten days of receipt of written instructions from the Data Subject or Authorized Personal Data Recipient, the Company shall forward to the requesting party an electronic file comprising all Personal Data of such Data Subject, if any, maintained by the Company and shall, upon further written instructions from such Data Subject or Authorized Personal Data Recipient, permanently delete all such Personal Data.
2.5. Notification of Security Breach
As soon as practicable upon becoming aware of a security breach experienced by the inCytes™ Platform, including that involving a Data Sub-Processor, the Company shall notify all inCytes™ Licensees of such breach and all available details concerning it, including steps taken or to be taken by the Company and/or Data Sub-Processor as applicable to remedy such breach.
2.6. inCytes™ License Agreement
The inCytes™ License Agreement shall be incorporated herein by reference, provided that in the event of any conflict between this Agreement and the inCytes™ License Agreement relating to the privacy rights of a Data Subject, the terms of this Agreement shall prevail. Otherwise, in the event of conflict between the two agreements, the terms of the inCytes™ License Agreement shall prevail.
Company Websites are not intended to solicit, collect or maintain Personal Data. As and when the Company becomes aware of any information being communicated through a Company Website which information it believes in its sole discretion may constitute private health information, the Company shall and shall be entitled to delete it without notification to the submitting party.
Subject to the foregoing, the Company observes all commitments with respect to Personal Data described in this document in the context of Company Websites.
3.2. Tracking Data
In connection with Company Websites, the Company uses certain third-party analytics tools, including Microsoft Clarity™, to improve the user experience. The Company only uses analytics tools which are created and maintained by reputable third parties and are GDPR-compliant.
With respect only to Data Subjects covered by the GDPR:
a. This Agreement shall be deemed to incorporate by reference the Standard Contractual Clauses notified under document C(2010) 593.
b. The Company shall follow all supplementary measures that the European Union requires from time to time to remain compliant with the GDPR.
c. The Company is prohibited from processing Personal Data without the consent of the Data Subject or an Authorized Party
d. The Company will inform the Data Subject of any inability to comply with the GDPR as it pertains to the Data Subject.
a. Personal Data includes “protected health information”. The Company and Sub-Processor are “business associates”. An Authorized Party may be a “covered entity”.
b. The Company agrees to:
i. Comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information.
ii. Report to the Data Subject or, as appropriate, an Authorized Party any use or disclosure of Personal Data not provided for by this Agreement and of which it becomes aware, including breaches of unsecured Personal Data as required at 45 CFR 164.410, and any other security incident of which it becomes aware.
iii. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Data Sub-Processor which creates, receives, maintains, or transmits Personal Data agrees to the same restrictions, conditions, and requirements that apply to the Company with respect to Personal Data.
iv. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
5.1. Authorized Communications
A Data Subject may elect at any time to opt out of any Consent which he/she has previously communicated, provided that the Data’s Subject’s HCP must also request such opt-out in the event such Consent pertains to the medical care of the Data Subject.
5.2. Final Agreement
This is the final agreement between the Company and any user of the inCytes™ Platform concerning its content, and supersedes all prior agreements or understandings, written or oral, concerning its subject matter. No amendment or assignment of this Agreement shall be effective without the express written consent of the Company.
The Company shall make no change to this Agreement which in any way diminishes the rights of a Data Subject without the express written consent of such Data Subject. The Company may otherwise amend this Agreement from time to time, which amendment shall be notified to all inCytes™ Licensees, and shall be deemed accepted and binding upon such inCytes™ Users through their continued use of the inCytes™ Platform.
5.3. Dispute Resolution
The agreements shall be governed by the laws of the State of Delaware, U.S.A.. The parties hereto submit to the jurisdiction of the courts of the courts of Delaware for the purposes of resolving any dispute arising out of or in connection with this Agreement.
5.4. Non-Personal Data
HCP’s and Authorized Personal Data Recipients may create aggregated datasets of Non-Personal Data for purposes of developing evidence-based standards of care.
5.5. Notices and Communications
Any questions arising in the context of this agreement should be directed to the Company’s Data Privacy Officer.
5.6. Governing Language
This Agreement may be translated into various languages. In the event of any doubt as to the accuracy of any such translation, the English-language version shall prevail.