inCytes™ Privacy Policy and Agreement

CIRCLES AND INCYTES™ ARE PRODUCT-AGNOSTIC, CLOUD-BASED, CLINICAL-GRADE PLATFORMS USED TO SUPPORT EVIDENCE-BASED HEALTHCARE DECISIONS. PLEASE READ THIS PRIVACY POLICY AND AGREEMENT CAREFULLY. BY ACCEPTING IT, AND USING INCYTES™, YOU AGREE TO BE BOUND BY ITS TERMS. PLEASE CONSULT WITH YOUR HEALTHCARE PROFESSIONAL REGARDING ANY MEDICAL OR OTHER HEALTH-RELATED DECISION.

Table of Contents

1. DEFINITIONS
1.1. AUTHORIZED PARTY
1.2. COMPANY
1.3. COMPANY REPRESENTATIVE
1.4. CONSENT
1.5. DATA CONTROLLER
1.6. DATA PROCESSOR
1.7. DATA PRIVACY OFFICER
1.8. DATA SUBJECT
1.9. DATA SUB-PROCESSOR
1.10. GDPR
1.11. HCP
1.12. HIPAA
1.13. INCYTES™ LICENSE AGREEMENT
1.14. INCYTES™ PLATFORM
1.15. INCYTES™ USER
1.16. JOINT CONTROLLER
1.17. NON-PERSONAL DATA
1.18. PERSONAL DATA
1.19. PRIVACY LAWS AND POLICIES
2. HANDLING OF PERSONAL DATA
2.1. GENERAL
2.2. ROLES AND RESPONSIBILITIES
2.3. JOINT CONTROLLER
2.4. RIGHTS OF DATA SUBJECTS
2.5. REQUESTS TO RECEIVE OR DELETE PERSONAL DATA
2.6. NOTIFICATION OF SECURITY BREACH
3. SPECIFICALLY APPLICABLE CLAUSES
3.1. GDPR
3.2. HIPAA
4. OTHER TERMS AND CONDITIONS
4.1. FINAL AGREEMENT
4.2. DISPUTE RESOLUTION
4.3. NON-PERSONAL DATA
4.4. INCYTES™ LICENSE AGREEMENT
4.5. NOTICES AND COMMUNICATIONS
4.6. GOVERNING LANGUAGE

1. Definitions

1.1. Authorized Party

shall mean any HCP or other individual or entity authorized through a Consent executed by a Data Subject to maintain or review, solely for the purposes specified in such Consent, the Personal Data of such Data Subject. Unless otherwise specified in a writing executed by the Data Subject and such Authorized Party and provided to the Company, each such Authorized Party is deemed a Data Controller.

1.2. Company

shall mean Regenerative Medicine LLC, a limited liability company formed and operating under the laws of the State of Delaware, U.S.A., and/or Regen Med Europe SLU, a limited liability company formed and operating under the laws of Spain, with its registered office at C/ Muntaner, 200, Primera Planta 08036 Barcelona, España.

1.3. Company Representative

shall mean any officer, director, employee, shareholder or other representative of the Company.

1.4. Consent

shall have the meaning attributed to it in GDPR Article 4.

1.5. Data Controller

shall have the meaning attributed to it in GDPR Article 4.

1.6. Data Processor

shall have the meaning attributed to it in GDPR Article 4.

1.7. Data Privacy Officer

Nicolas R. Tierney, ntierney@rgnmed.com.

1.8. Data Subject

shall have the meaning attributed to it in GDPR Article 4.

1.9. Data Sub-Processor

shall have the meaning attributed to it in paragraphs 2 and 4 of Article 28 of the GDPR.

1.10. GDPR

means the European General Data Protection Regulation.

1.11. HCP

shall mean a healthcare professional, and shall include any nurse, physician’s assistant, laboratory technician and other individual engaged in patient care, treatment or assessment.

1.12. HIPAA

means The U.S. Health Insurance Portability and Privacy Act of 1996.

1.13. inCytes™ License Agreement

shall mean the document found here, as amended from time to time and as accepted by each inCytes™ User upon logging onto the inCytes™ Platform.

1.14. inCytes™ Platform

shall mean the software, features, content and other elements described here.

1.15. inCytes™ User

shall mean any natural individual or legal entity which uses the inCytes platform for any purpose.

1.16. Joint Controller

shall have the meaning attributed to it in Article 26 of the GDPR.

1.17. Non-Personal Data

shall mean Personal Data which has been adequately pseudonymized pursuant to Recital 26 of the GDPR such that it could not be attributed to a natural person.

1.18. Personal Data

shall have the meaning attributed to it in GDPR Article IV, as well as any data or information specific to an individual which is considered by applicable law, regulations or the policies of an institution to be private or otherwise subject to protection, non-disclosure and/or privacy.

1.19. Privacy Laws and Policies

shall mean the GDPR, HIPAA and other rules, regulations, laws, directives, and/or institutional policies governing the collection, dissemination, protection and other use of Personal Data.

2. Handling Of Personal Data

2.1. General

Data Controllers will use inCytes™ to collect and record Personal Data, as well as to communicate it to Data Subjects in various formats, including through the inCytes™ platform. The handling of Personal Data will be governed by the specific Privacy Laws and Policies applicable to the specific interaction between Data Subjects and their Data Controllers.

Personal Data is automatically encrypted and otherwise pseudonymized by the inCytes™ platform to render it Non-Personal Data. No Company representative has access to Personal Data. No Company representative will at any time, for any purpose, seek Personal Data from the Data Subject or a Data Controller in the absence of an express written Consent allowing such access.

Personal Data will be stored and processed within the United States, unless alternative arrangements have been made between the Company and the Data Controller, in which case the Data Controller shall provide the Data Subject the details relating to the location and other relevant terms.

Further details on the processes used by the Company to protect Personal Data may be found here.

2.2. Roles and Responsibilities

The Company is a Data Processor. Amazon Web Services (“AWS”) is a Data Sub-Processor. AWS policies on the handling of Personal Data for purposes of GDPR and HIPAA can be found here and here respectively. Each Authorized Party is a Data Controller absent an express agreement between the Authorized Party and the Data Subject to the contrary.

Neither a Data Subject nor a Data Controller shall, in the absence of an express writing to the contrary executed by each of them, submit Personal Data to the Company. If the Company comes into possession of what it considers in its sole discretion to be Personal Data, it shall promptly communicate such fact to the Data Controller.

The Company shall not delete any such Personal Data unless and until instructed by the Data Controller to do so. The Company may at any time request instructions from the Data Controller with respect to handling Personal Data and shall comply with such instructions. In the event the Data Controller fails to provide instructions, the Company shall have the right to take such actions as it deems in its best judgment to comply with applicable Privacy Laws and Policies and shall have no liability to the Data Subject or Data Controller with respect to any such actions.

2.3. Joint Controllers

The Company may require a written agreement among Joint Controllers nominating a single Data Controller from which the Company is to receive instructions regarding the Personal Data with respect to which such Joint Controllers are responsible. In addition, the Data Subject may be entitled to receive from a Data Controller a copy or summary of such agreement.

In the event the Company receives conflicting instructions from Joint Controllers, it shall be entitled to refrain from following any such conflicting instructions pending clarification from the Joint Controllers, an appropriate regulatory agency, or a duly appointed representative of the Data Subject with respect to its responsibilities. The Company shall have no liability to any Data Subject or Data Controller under such circumstances pending clarification of its responsibilities.

2.4. Rights of Data Subjects

The relevant Privacy Laws and Policies and other rights of a Data Subject depend on a number of factors, including the jurisdiction in which he/she resides, the nature of Consents and arrangements among Joint Controllers. A Data Subject should, in the event of any doubt regarding its rights with respect to Personal Data, seek clarification from its HCP or other Data Controller and/or legal counsel.

2.5. Requests To Receive or Delete Personal Data.

Within ten days of receipt of written instructions from the Data Subject or an authorized Data Controller, the Company shall forward to the requesting party an electronic file comprising all Personal Data of such Data Subject, if any, maintained by the Company and/or shall, upon further written instructions from such Data Subject, permanently delete all such Personal Data. The Company may require the instructions to be accompanied by appropriate releases covering its handling of Personal Data.

2.6. Notification of Security Breach

As soon as practicable upon becoming aware of a security breach experienced by the inCytes™ platform, including that involving a Data Sub-Processor, the Company shall notify all inCytes™ Users of such breach and all available details concerning it, including steps taken or to be taken by the Company and/or Data Sub-Processor as applicable to remedy such breach.

3. Specifically Applicable Clauses

3.1. GDPR

With respect only to Data Subjects covered by the GDPR:
a. This Agreement shall be deemed to incorporate by reference the Standard Contractual Clauses notified under document C(2010) 593.
b. The Company shall follow all supplementary measures that the European Union requires from time to time to remain compliant with the GDPR.
c. The Company is prohibited from processing Personal Data without the consent of the Data Subject or an authorized Data Controller.
d. The Company will inform the Data Subject through the Data Controller of any inability to comply with the GDPR as it pertains to the Data Subject.

3.2. HIPAA

a. Personal Data includes Protected Health Information. The Company and Sub-Processor are Business Associates. A Data Controller may be a Covered Entity.
b. The Company agrees to:
i. Comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information.
ii. Report to the Data Subject or, as appropriate, a Data Controller any use or disclosure of Personal Data not provided for by this Agreement and of which it becomes aware, including breaches of unsecured Personal Data as required at 45 CFR 164.410, and any other security incident of which it becomes aware.
iii. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Data Sub-Processor which creates, receives, maintains, or transmits Personal Data agrees to the same restrictions, conditions, and requirements that apply to the Company with respect to Personal Data.
iv. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

4. Other Terms and Conditions

4.1. Final Agreement

This is the final agreement between the Company and any inCytes™ User concerning its subject matter, and supersedes all prior agreements or understandings, written or oral, concerning that subject matter. No amendment or assignment of this Agreement shall be effective without the express written consent of the Company.

The Company shall make no change to this Agreement which in any way diminishes the rights of a Data Subject without the express written consent of such Data Subject. The Company may otherwise amend this Agreement from time to time, which amendment shall be notified to all inCytes™ Users, and shall be deemed accepted and binding upon such inCytes™ Users through their continued use of the platform.

4.2. Dispute Resolution

This agreement shall be governed by the laws of the State of Delaware, U.S.A. The parties hereto submit to the jurisdiction of the courts of Delaware for the purposes of resolving any dispute arising out of or in connection with this Agreement. The rights of Data Subjects with respect to Data Controllers, and Joint Controllers as among themselves, may be governed by separate agreements, each with its own governing law and dispute resolution procedures.

4.3. Non-Personal Data

HCPs and Data Controllers may create aggregated datasets of Non-Personal Data for purposes of developing evidence-based standards of care.

4.4. inCytes™ License Agreement

The inCytes™ License Agreement shall be incorporated herein by reference. In the event of any conflict between this Agreement and the inCytes™ License Agreement relating to the privacy rights of a Data Subject, the terms of the former shall prevail, provided that under no circumstances shall the rights of a Data Subject under this Agreement be diminished.

4.5. Notices and Communications

Any questions arising in the context of this agreement should be directed to the Company’s Data Privacy Officer, or to the relevant Data Controller.

4.6. Governing Language

This Agreement may be translated into various languages. In the event of any doubt as to the accuracy of any such translation, the English-language version shall prevail.
