MedaSystems, Inc.

Privacy Policy

Effective: January 30, 2023


This Privacy Policy (“Policy”) explains how MedaSystems, Inc. uses the personal information that is collected from you when you visit our corporate website or our cloud-based software application (the “Service”).

What is “Personal Information”?

What Information do we Collect?

Data Automatically Collected Through Use of Our Website

Data Automatically Collected Through Use of the Service

Information Submitted by Individuals Through the Website

Information Submitted by Users of the Service

Initial Requests 

Invitations to Clinicians to Create a MedaSystems Account

Additional Information Requested by a Customer

How do we collect information from visitors to our website and Users of our Service?

Use of Cookies and Technologies Similar to Cookies

Legal Basis for Processing Personal Information

How do we keep your information secure?

Corrections or Updates to Information Provided to MedaSystems

Transfer of Data to Third Parties

Transfer or Use of Data Internationally

Data Retention Period

Marketing

Information pertaining to Minor Children

Individual Data Protection Rights

General Rights

Rights of Individuals in the European Economic Area or the UK

Patient Requests About Information Stored by MedaSystems

California Privacy Rights

Changes to Our Privacy Policy

How to Contact Us

What is “Personal Information”?

“Personal information” as discussed in this Policy means information about an identifiable individual. Your personal information includes your full name, address, telephone number, date of birth, email address, and any other information that is connected to you, identifies you, or would allow someone to contact you.

What Information do we Collect?

Data Automatically Collected Through Use of Our Website

MedaSystems automatically collects certain information when individuals access our corporate website. This information does not reveal your specific identity (like your name or contact information). However, it may include device and usage information, such as your IP address, browser, device characteristics, operating system, language preferences, referring URLs, device name, country, geographic location, and information about how and when you use our application and other technical details. This information is primarily needed to maintain the security and operation of our website and for our internal analytics and reporting purposes. 

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

  • Log and Usage Data. Log and usage data are service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use the website which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings, and information about your activity in the website (such as the date/time stamps associated with your usage, pages, and files viewed, searches and other actions you take such as which features you use), device event information (such as system activity, error reports and hardware settings).

  • Device Data. We collect device data such as information about your computer, phone, tablet, or other devices you use to access the website. Depending on the device used, this data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and mobile carrier, operating system, and system configuration information.

  • Location Data. We collect location data, such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the website. For example, we may use technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt-out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note, however, that if you choose to opt-out, you may not be able to use certain aspects of the website.

Data Automatically Collected Through Use of the Service

Similar to our corporate website, certain information is automatically collected when individuals use our Service.  Such information includes log and usage data to enable MedaSystems to monitor usage and access to the Service.  In addition, local storage files are generated when a User logs into the Service. These files are stored on the User’s local browser.

Information Submitted by Individuals Through the Website

MedaSystems also collects information from individuals who submit information about themselves through the website (e.g., on the “Contact Us” page).  This information includes email address, name, and company name.  

Information Submitted by Users of the Service

MedaSystems provides the Service to connect health care providers, their staff, life science company employees, consultants, and agents, and/or patients (collectively “Users”) to enable Users to efficiently submit, process and manage requests for access to investigational drugs developed by a Customer. 

Each life science company whose employees, consultants, or agents use the Service (each, a “Customer”) is a contracted customer of MedaSystems.  As such, each Customer ultimately directs MedaSystems how to handle the information or data pertaining to requests submitted to the Customer through the Service, consistent with the Customer’s agreement(s) with MedaSystems, the Terms of Service governing how Users utilize the Service, and applicable law.  The information provided while using the Service is governed by the Customer's privacy policy, except for identifiable information provided by patients/caregivers in connection with an Initial Request (see Section II.B.1), or personal information provided by physicians or physician's staff members for creating or maintaining their MedaSystems accounts (see Section II.B.2), which are governed by this Policy.  

Be advised that Customers may ask physician Users to sign separate legal agreements with the Customer regarding confidentiality and data rights pertaining to information submitted by the physicians to the Customer.  MedaSystems is not a party to any such agreements, and has no involvement with them.  MedaSystems recommends that Users review any such agreements carefully, and consult their legal counsel if necessary.

Initial Requests 

  • Information Collected from All Users:  In the process of submitting an initial request through the Service (“Initial Request”), MedaSystems may collect personal information from a User which may include first/last name, mailing address, email address, and phone number.  We convey and store this information based on the way the user initially identifies themselves (either as a physician or as a patient or caregiver), in the following manner:

    • Physicians: From physicians or their staff only, information collected also includes employer name and a brief medical history of the patient on whose behalf the request is being made. No protected health information relating to the patient is requested, and MedaSystems intends that no protected health information be provided. The information submitted in connection with an Initial Request is accessible by both (i) MedaSystems and (ii) the Customer to which the Initial Request is directed.  This Policy governs MedaSystems’ use of that information, while the privacy policy of the Customer governs how the Customer will handle the information.  A link to the Customer's privacy policy appears at the bottom of the Initial Request submission form.  A copy of the policy may also be available on the Customer’s website. 

    • Patients/Caregivers:  If you are a patient or authorized caregiver and have specifically been prompted to make an Initial Request (e.g., by your physician), a different process applies. MedaSystems will notify the appropriate Customer of the fact that you are making an Initial Request and will provide to the Customer only information that cannot be used to identify you (e.g., age, gender, diagnosis). This Policy governs MedaSystems’ use of that information, while the privacy policy of the Customer governs how the Customer will handle the information.  A link to the Customer's privacy policy appears at the bottom of the Initial Request submission form. A copy of the policy may also be available on the Customer’s website. In connection with an Initial Request, if a patient/caregiver provides their name, email address, phone number, mailing address, or any other piece of information that could be used to identify them, MedaSystems will not provide such information to the Customer; such information will be stored by MedaSystems and governed by this Policy.  

Invitations to Clinicians to Create a MedaSystems Account

After an Initial Request has been submitted to a Customer, physician Users (or their authorized staff) may be invited by the Customer to create a MedaSystems account to access the Service to continue the processing of the request, and/or provide additional information to the Customer about the request and/or the patient.  

If you are a physician User we may collect the following information from you when you create an account: name, employer, work address, work email, work phone number, mobile phone number, and information about your professional credentials, including a copy of your curriculum vitae. You will be asked to agree to our Terms of Service. If you are a member of the physician’s staff, you may be asked to provide some or all of this information on the physician’s behalf. In providing this information, you certify that the physician has authorized you to share this information.

Patients and their caregivers are not authorized to create an account or to utilize the Service apart from submitting an Initial Request. If a Customer receives an Initial Request submitted by a patient/caregiver and determines that the request should move forward, the Customer will direct the patient to have their physician contact the Customer directly.  

Additional Information Requested by a Customer

On occasion, a Customer may ask a physician or their authorized staff member(s) to provide additional information about the physician or their patient beyond what is collected by MedaSystems when the User’s MedaSystems account is created.  These requests will be sent by a Customer representative to the physician/staff member User through the Service. 

Examples of additional information a physician may be asked to provide include: a prior treatment history, lab results, medical images, proposed treatment plans including risk/benefit statements, information about where medications should be shipped, requests for initial supply and re-supply, and information about how the patient is reacting to the treatment.

Any information requested and provided in this manner will be governed by the privacy policy of the applicable Customer, and/or the agreement between the physician and the Customer (if applicable). 

How do we collect information from visitors to our website and Users of our Service?

Use of Cookies and Technologies Similar to Cookies

In addition to collecting information through various fields and forms on the corporate website and in the Service (as described above), we may use “cookies” or similar technologies to collect information about you and your device. Cookies are small pieces of instruction stored on your hard drive or device. They may enhance your experience as you navigate our site. A "session cookie" disappears after you close your web browser, or may expire after a fixed period of time. A "persistent cookie" remains after you close your web browser and may be accessed every time you use our site. We may use both session and persistent cookies on our corporate website.  We currently do not use any non-essential cookies in our Service.

By “technologies similar to cookies” we mean any type of data storage and recovery mechanism used on a user’s device for purposes of obtaining information. The most common ones include:

  • Browser local storage. Certain websites use local storage called “sessionStorage” and “localStorage”, as well as the indexed database from the Internet browser to store information.

  • Local storage of browser plug-ins, namely Flash local storage (“Flash Local Shared Objects”) or Silverlight local storage (“Isolated Objects”).

  • Web beacons. Web beacons are a tracking technique, which consists of inserting into a website (or an e-mail) an image hosted on an Internet server, so that when a browser or an e-mail application connects to the server to download and view the image, this connection is registered. This allows us to know when a user viewed a web page or the e-mail. Sometimes this image is very small or transparent, preventing the user from being aware of its existence.

  • “Fingerprinting” is a technique combining information obtained from the browser or navigation equipment to set a user apart in their subsequent visits to different websites.

We currently use browser local storage in our Service to store content information and preferences. On certain sections of our corporate website, we may occasionally use web beacons that allow us to determine when users visited that section of the site. 

There may be other tracking technologies now and later devised and used by us in connection with our corporate website. Further, third parties (e.g., Google) may use tracking technologies with our corporate website. We do not control those tracking technologies, and we are not responsible for them. However, be aware that you may potentially encounter third-party tracking technologies in connection with your use of our corporate website, and that this Policy does not apply to the tracking technologies or practices of such third parties. 

Legal Basis for Processing Personal Information

We only process your personal information when we believe it is necessary and we have a valid legal basis to do so under applicable law, such as with your consent, to comply with laws, to provide you with services requested, to fulfill our contractual obligations, to protect your rights, and for our legitimate business interests.  

We may use de-identified information created by us without restriction. When we use the term “de-identified information,” we mean information that cannot be used to personally identify you.    

We may process your information if you have consented to allow MedaSystems to use your personal information for a specific purpose. You can withdraw your consent at any time by emailing us at privacy@medasystems.com.  

More specifically, we may also process your personal information for the following purposes: 

  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our services or at your request before entering into a contract with you.

  • Legitimate business interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests, rights, and freedoms. For example, we may process your personal information for the purposes described below:

    • To diagnose problems and prevent fraudulent activities

    • To identify usage trends, to understand better how the Service is being used and to make improvements.

    • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.  

    • To deliver and facilitate the delivery of our Service. We may process your information to provide you with the requested service.   

    • To respond to inquiries and offer support. We may use your information to respond to your questions and solve any potential issues you might have with the use of our Service.

    • To send administrative information to you. We may use your personal information to send you product, service, or new feature information, and information about changes to our terms, conditions, and policies.

    • To enable User-to-User communications. We may use your information, specifically your email address, to enable User-to-User communications.

    • To request feedback. We may use your information to request feedback and to contact you about your use of the Service.

    • To protect our Service. We may use your information as part of our efforts to keep the Service safe and secure (for example, for fraud monitoring and prevention).

    • To enforce our Terms of Service and policies 

    • To comply with our contract with a Customer. Processing certain of your information may be a necessary component of a contract between MedaSystems and a Customer.

  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. If we receive a subpoena or other lawful request, we may need to inspect the data we hold to determine how to respond, or we may process your information to comply with other legal or regulatory requirements.

  • To save or protect an individual's vital interests. We may process your information when necessary to save or protect an individual's vital interests, such as to protect human life or to prevent harm.

How do we keep your information secure?

We aim to protect your personal information through a system of organizational and technical security measures. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, the transmission of personal information to and from our website and the Service is at your own risk. You should only access the website and the Service within a secure environment.

Corrections or Updates to Information Provided to MedaSystems

  • Corrections/Updates to Information Submitted with an Initial Request: If a User wants to update or correct any information submitted with an Initial Request, they should contact the life sciences company directly, or they may email privacy@medasystems.com and we will assist in processing any changes.  If you are a patient/caregiver, and would like to correct, update or delete any personal information that has not been provided to the life sciences company by MedaSystems,  you should contact MedaSystems at privacy@medasystems.com.

  • Corrections/Updates to Information Provided When Setting up a MedaSystems Account: If a User would like to correct or delete any of their information after their account has been created, please email privacy@medasystems.com. We will promptly amend or remove any information consistent with this Policy.    

  • Corrections/Updates to Information Submitted by Physician Users to Customers: If you are a physician (or staff member) that would like to correct or remove any information uploaded and/or shared with a Customer through the Service, you should do the following in order:

  1. Log in to the Service and attempt to make the correction or deletion yourself;

  2. Contact the Customer directly and ask them to make the correction or deletion; 

  3. If necessary, email privacy@medasystems.com and we will assist with processing the request, including providing additional instructions or information.  

Transfer of Data to Third Parties

Unless described in this Policy, we do not share, sell, rent, or trade any of your information with third parties for promotional purposes. There may be circumstances in which we share or transfer your information to third parties for business purposes, such as: 

  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. 

  • Vendors, Consultants and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include data analysis, email delivery, hosting services, and customer service. We may allow selected third parties to use technology on the Service, enabling them to collect data on our behalf about how you interact with the Service over time. This information may be used to, among other things, analyze data, determine the popularity of certain features, and better understand user activity. We have contracts in place with our data processors, which are designed to help safeguard your personal information. This means they cannot do anything with your personal information unless we have instructed them to do so. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct. 

  • Business Partners. We may share your information with our business partners to offer you certain products, services or promotions.

Transfer or Use of Data Internationally

We may transfer, store, and process your information in the United States, European Economic Area (EEA), or the United Kingdom (UK). If you are accessing the Service from outside these geographic locations, please be aware that these locations may not necessarily have equivalent privacy or data protection laws as those in your country. However, regardless of where your personal information is transferred, we will take all necessary measures to protect your personal information in accordance with this Policy, any applicable data exchange policies of our Customers, requirements of our Customer contracts, and applicable law.

Data Retention Period

We keep your information for as long as necessary to fulfill the purposes outlined in this Policy unless otherwise required by law. We will only keep your personal information for as long as it is necessary for the purposes set out in this Policy unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements), or as dictated by our contractual obligations to our Customers. 

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Marketing

We will not use your personal information for marketing purposes without your consent. You may revoke or withdraw your consent at any time by contacting us at privacy@medasystems.com.

Information pertaining to Minor Children

We do not knowingly collect data from individuals under 18 years of age. By using the website and the Service you represent that you are at least 18. If we learn that personal information has been collected from a user less than 18 years of age, we will deactivate the user account and take reasonable measures to delete such data from our records promptly. However, the Service may be used to collect de-identified data related to requests for treatment on behalf of a minor.  If you become aware of any data we may have collected from a minor (other than in connection with a request for treatment for that individual), please contact us at privacy@medasystems.com.

Individual Data Protection Rights

General Rights

Individuals have the following rights pertaining to their personal information:

  • The right to be informed of how their data is collected and processed

  • The right of access to any of their data that has been collected

  • The right of rectification to any inaccurate or incomplete data

  • The right to erasure of any and all data

  • The right to restrict processing to only certain types

  • The right to data portability so that data can be retained and reused for other purposes

  • The right to object to the use of their data for specific processing activities

  • Rights in relation to automation so that decisions are not made about the user based exclusively on automated processing

You may exercise these rights by emailing us at privacy@medasystems.com.

Rights of Individuals in the European Economic Area or the UK

If you are located in the European Economic Area (EEA) or the United Kingdom and you believe we are unlawfully processing your personal information, in addition to the general rights above, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: https://ec.europa.eu/newsroom/article29/items/612080. If you are located in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.

Patient Requests About Information Stored by MedaSystems

If you are a patient whose physician requested expanded access treatment using the Service or who is currently receiving treatment, and you would like access to the information about you that has been provided by a User through the Service, contact privacy@medasystems.com, and we will assist you. We will correct, remove, or de-identify any information to the extent we are permitted to do so.  However, please note, in all likelihood your physician is in the best position to share with you, or remove, any information about you that has been submitted through the Service.    

California Privacy Rights

This section applies only to California residents. It describes how we collect, use and share Personal Information of California residents in operating our business, and their rights with respect to that Personal Information. For purposes of this section, “Personal Information” has the meaning given in the California Consumer Privacy Act of 2018 (“CCPA”) but does not include information exempted from the scope of the CCPA.

As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.

  • Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:

    • The categories of Personal Information that we have collected.

    • The categories of sources from which we collected Personal Information.

    • The business or corporate purpose for collecting and/or selling Personal Information.

    • The categories of third parties with whom we share Personal Information. Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third-party recipient.

    • Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third-party recipient.

  • Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.

  • Deletion. You can ask us to delete the Personal Information that we have collected from you.

  • Opt-out of sales. If we sell your Personal Information, you can opt-out. In addition, if you direct us not to sell your Personal Information, we will consider it a request pursuant to California’s “Shine the Light” law to stop sharing your personal information covered by that law with third parties for their direct marketing purposes.

  • Opt-in. We contractually prohibit our publishing and advertising clients from placing our technology on pages that target individuals younger than 16 years old. If we learn that you are younger than 16 years old, we will ask for your permission (or if you are younger than 13 years old, your parent or guardian’s permission) to sell your Personal Information before we do so.

  • Non-discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.

California Civil Code Section 1798.83, known as the “Shine the Light” law, permits individuals who are California residents to request and obtain from us a list of what personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. We will never disclose your personal information to third parties for direct marketing purposes without your authorization.

You may exercise your California privacy rights described above by emailing us at privacy@medasystems.com.

Changes to Our Privacy Policy

We will update this notice as necessary to stay compliant with relevant laws. As such, we may update this Policy from time to time. The updated version will be indicated by an updated "Revised" date, and the updated version will be effective as soon as it is accessible. If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your Information.

How to Contact Us

If you have questions or comments about this Policy, you may contact our Data Protection Officer (DPO) by email at privacy@medasystems.com, or by post at the following corporate address:

MedaSystems, Inc.
3475 Edison Way, Suite R
Menlo Park, CA 94025
United States

Phone: (408) 365-4246

If you live in the European Union or the United Kingdom, you may contact our Local Representatives as required under Article 27 as follows:

EU - Ireland Representative
Instant EU GDPR Representative Ltd
2 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland
Adam Brogden
contact@gdprlocal.com
Tel + 353 15 549 700

UK Representative
GDPR Local Ltd
1st Floor Front Suite 27-29 North Street, Brighton England BN1 1EB
Adam Brogden
contact@gdprlocal.com
Tel + 441 772 217 800