Last Update: July 31, 2018
Additional information about OsteoStrong’s Data Privacy and Data Security practices, including OsteoStrong’s commitments with regard to the General Data Protection Regulation (GDPR), can be found at the bottom of this page.
Information Gathering and Usage
In connection with operation of the Web Sites and providing our services to you, we may collect the following types of user information (“Information”):
• Personal Information. We collect personal information (“Personal Information”) from you and those individuals to whom you have given Web Site access. This Personal Information is used for billing purposes, account management purposes and for you to utilize the features of the Web Sites to which you have purchased access. Examples of Personal Information we might collect include but are not limited to: first name, last name, email address, mailing address, etc. We also collect Personal Information provided to us via any emails you send to us and via any user information added by you to the Web Sites (including Personal Information for users other than yourself).
• Browsing Information. We may collect information about your computer hardware and software and browsing activity.
• Training Information. We may collect information on learning/training activities.
• Survey Information. We may collect responses to any OsteoStrong-sponsored Web Site surveys.
We collect this Information for the following general purposes: products and services provisioning, billing, identification and authentication, Web Site improvement, contacts, and research.
OsteoStrong may disclose your Information to third parties under the following circumstances:
• Disclosure to Successors. We may disclose your Information to any actual or potential successor-in-interest of ours, such as a company that is seeking to acquire us or the Web Site(s).
• Third-Party Service Providers. We may use third-party partners to help us operate and maintain our Web Sites and deliver our products and services. We may also share your Information with our service providers and other third parties (“Affiliated Parties”) that provide products or services for or through the Web Sites or for our business (such as website or database hosting companies, CRMs, e-mail service providers, analytics companies, credit card processing companies and other similar service providers that use such information on our behalf or at the direction of your employer). Third-party service providers are contractually restricted from using or disclosing the Information, except as necessary to perform services on our behalf or to comply with legal requirements. Information may be processed in the European Union or the United States depending upon contractual requirements and in accordance with legal jurisdictions for the region(s) to which OsteoStrong is subject.
• Other Disclosure. We may disclose your Information to prevent an emergency, to protect or enforce our rights, to protect or enforce the rights of a third party, or as required or permitted by law (including, without limitation, to comply with a subpoena or court order).
Pages of our services or our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an e-mail and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
OsteoStrong uses third-party vendors and hosting partners to provide some of the necessary hardware, software, networking, storage, and related technology required to run the Web Sites. Although OsteoStrong owns the code, databases, and all rights to the Web Sites, you retain all rights to your data.
Protecting Personal Information
We understand the importance of safeguarding your Information. We employ administrative, physical, and electronic measures designed to protect your Information from unauthorized access. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, and the scope, context and purposes of processing, weighed against the severity and likelihood that the processing could threaten individual rights and freedoms. Despite our efforts, we cannot guarantee the security of your Information. Accordingly, we assume no liability for any disclosure of data due to errors in transmission, unauthorized third-party access or other acts of third parties, or acts or omissions beyond our reasonable control.
• We have applied to participate in Privacy Shield.
• We collect only Personal Information provided by the individual or the individual’s employer, including but not limited to name, address and email.
• Upon approval of OsteoStrong’s Privacy Shield application, OsteoStrong will be subject to the Privacy Shield Principles with respect to all personal data received from the EU in reliance on the Privacy Shield.
• OsteoStrong collects Personal Information for authentication and personalization of the user experience.
• Other than to the Third-Party Service Providers referenced above, OsteoStrong does not disclose any Personal Information to third parties.
• OsteoStrong’s customers can request to view their personal data.
• All user accounts are password protected, and an individual’s Personal Information is only available to that individual when logged in.
• Upon approval of OsteoStrong’s Privacy Shield application, OsteoStrong is subject to the investigatory and enforcement powers of the FTC.
• OsteoStrong understands the possibility, under certain conditions, for the individual to invoke binding arbitration.
• OsteoStrong is required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• OsteoStrong is liable in cases of onward transfers to third parties.
In compliance with the Privacy Shield Principles, OsteoStrong commits to resolve complaints about our collection or use of your Personal Information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact OsteoStrong at: [email protected]
OsteoStrong has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.
Third Party Websites
We are committed to protecting the privacy of children. Our solutions are not intended for anyone under the age of 13. If you are under 13, do not use or provide any information on or through our solutions. If we learn we have collected or received Personal Data from a child under 13 without verification of parental consent, we will delete that information. If you are a parent or guardian or otherwise believe we might have any information from or about a child under 13, please contact us so that we can delete the child’s information. Our services will never knowingly accept, collect, maintain or use any information from a child under the age of 13. If a child whom we know to be under the age of 13 sends Personal Data to us online, we will only use that information to respond directly to that child or notify parents.
OsteoStrong Data Privacy & Data Security Statement
This Data Privacy & Data Security Statement (the “Statement”), is provided by OsteoStrong Franchising, L.L.C. and OsteoStrong International, Inc. (“OsteoStrong”) to its Clients (each, a “Client”) and to users of OsteoStrong’s Services affiliated with the Clients (“Users”). This Statement describes OsteoStrong’s commitments with regard to data privacy and data security. OsteoStrong may update this Statement from time to time. Updated versions will be published on OsteoStrong’s website.
1. Definitions
• “Authorized Persons” means OsteoStrong’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable OsteoStrong to provide the Services.
• “Controller” means a controller as defined under the GDPR.
• “Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to OsteoStrong and the Services.
• “Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of User Data that occurs while such User Data is in the possession of or under the control of OsteoStrong.
• “GDPR” means the EU General Data Protection Regulation 2016/679.
• “Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• “Process” or “Processing” means any operation or set of operations that is performed upon User Data, whether or not by automatic means, such as collection, accessing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure or destruction, or any other operation set out in the applicable Data Protection Laws.
• “Processor” means a processor as defined under the GDPR.
• “Services” means OsteoStrong’s services, solutions and products.
• “Sub-Processor” means an entity engaged by OsteoStrong to assist it in Processing the User Data in fulfillment of its obligations with regard to the Services.
• “Third Party” is any person or entity other than OsteoStrong and Client and Client’s Users.
• “User Data” means all data relating to a User that is (i) provided to OsteoStrong by Client or User or (ii) otherwise obtained, accessed, developed, or produced by OsteoStrong. User Data may include Personal Data.
2. Data Privacy
• 2.1. Compliance with Laws. OsteoStrong is committed to complying with its obligations under all Data Protection Laws. For purposes of the GDPR, Client is considered the Controller and OsteoStrong is its Processor; if Client is considered a Processor for purposes of the GDPR, then OsteoStrong is considered its Sub-Processor.
• 2.2. Distribution of User Data. Users should provide OsteoStrong only with Personal Data that is requested by OsteoStrong or that is otherwise necessary for OsteoStrong to provide the Services. OsteoStrong is not responsible for any other Personal Data. Client will not provide OsteoStrong with Personal Data unless Client has obtained all required consents from Users.
• 2.3. Limitations on Use of Personal Data. OsteoStrong shall not Process User Data other than for the purposes specified by Users. OsteoStrong shall not Process User Data for the benefit of any Third Party. OsteoStrong shall access only the User Data that it needs to perform the Services (i.e., no more than necessary). OsteoStrong will not store User Data longer than necessary to achieve the permitted purposes specified by User.
• 2.4. Restrictions. Except with a User’s prior, written approval, on a case-by-case basis, OsteoStrong will not: (a) use User Data other than as necessary for OsteoStrong to provide the Services, (b) disclose, sell, assign, lease or otherwise provide User Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge User Data with other data, modify or commercially exploit any User Data.
• 2.5. Sensitive Personal Data. Clients and Users are advised never to provide OsteoStrong with Sensitive Personal Data. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; (b) information or data concerning a natural person’s health, sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.
3. Sub-Processors
• OsteoStrong may engage Sub-Processors in connection with the provision of the Services, provided, however, that OsteoStrong may not provide a Sub-Processor with access to User Data unless the Sub-Processor has: (i) a business need to know or access the relevant User Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect User Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access.
4. Data Subject Rights; Cooperation
• OsteoStrong shall use commercially reasonable efforts to cooperate and assist with a User’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by OsteoStrong, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR.
5. Return or Destruction of User Data
• Upon the written request of a User, OsteoStrong will return User Data to the User in a commonly readable format or securely delete User Data as soon as reasonably practicable. However, if OsteoStrong is required by law to retain User Data or if User Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then OsteoStrong will continue to protect such User Data in accordance with this Statement and limit any use to the purposes of such retention.
6. Data Security
• 6.1. Security Program Requirements. OsteoStrong will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. OsteoStrong’s security program shall be designed to protect the security and confidentiality of User Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of User Data. At a minimum, OsteoStrong’s security program shall include: (a) limiting access to User Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within OsteoStrong’s possession or control; (d) means for encrypting User Data stored on media within OsteoStrong’s possession or control, including backup media, by using modern acceptable ciphers and key lengths; (e) means for encrypting User Data transmitted by OsteoStrong over public or wireless networks by using modern acceptable ciphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
• 6.2. Regular Reviews. OsteoStrong shall ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.
7. Data Breach Procedures
• 7.1. Notification. OsteoStrong shall notify Client and any affected User of any Data Breach as soon as practicable and without undue delay after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, the categories and numbers of Users concerned, and the categories and numbers of Personal Data records concerned; (ii) communicate the name and contact details of OsteoStrong’s data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach.
• 7.2. Remedial Actions. In the event of a Data Breach for which OsteoStrong is responsible, OsteoStrong will use commercially reasonable efforts to: (a) remedy the Data Breach condition, investigate, document, restore the Services, and undertake required response activities; (b) provide regular status reports to Client on Data Breach response activities; (c) assist Client with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Client in its Data Breach response efforts.
8. Cross-Border Transfers
• 8.1. Location. OsteoStrong systems and OsteoStrong’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). OsteoStrong will not transfer any User Data outside of the Processing Jurisdictions except as directed by or with the consent of Client and/or User.
• 8.2. Sub-Processors. Before providing User Data of a European citizen to Sub-Processors, OsteoStrong will use commercially reasonable efforts to ensure that the Sub-Processors will either be certified under the EU-US Privacy Shield or that the Sub-Processors execute EU-prescribed Standard Contractual Clauses.