Privacy Policy

Last updated on May 17, 2019

Optima Curis Inc. and its affiliates around the world (“OC”) believes in the importance of thoughtfully handling personal information and is committed to privacy practices that are transparent and compliant. This Privacy Policy sets out how OC uses the personal information we collect and receive about you as part of our delivery of cloud-based services (“eCuris”). Your privacy is our chief concern.

OC is a private company that aims to transform how people engage with their health and wellbeing. OC believes that by using eCuris, a user has the potential to improve their health outcomes and well-being, become more informed and engaged on health topics and issues, and more easily engage and communicate with their health or social service providers who participate on the eCuris platform.

As part of our Services, we follow the Privacy and Data protection laws, which vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections as described in this Privacy Policy. We also work to comply with certain legal frameworks relating to the transfer of data, such as the European frameworks described below.

To transfer data from the EEA to other countries, such as the United States, we comply with legal frameworks that establish an equivalent level of protection with EU law.

EU-US Privacy Shield framework

As described in our Privacy Shield Certification, we comply with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries. Optima Curis Inc. has certified that it adheres to the Privacy Shield Principles. Optima Curis remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf. To learn more about the Privacy Shield program, and to view our certification, please visit the Optima Curis Privacy Shield certification.

If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. Optima Curis is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority, and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to Privacy Shield Principles at: https://www.privacyshield.gov/

Model contract clauses for EEA

The European Commission has approved the use of model contract clauses as a means of ensuring adequate protection when transferring data outside of the EEA. By incorporating model contract clauses into a contract established between the parties transferring data, personal data can be protected when transferred outside the EEA to countries which have not been deemed by the European Commission to adequately protect personal data.

First, this is what we do.

There are several ways you can use eCuris to help accomplish your health goals:

(1) Health Communities: We enable people to join Health Communities, where they can participate with others to share health information, their own personal health experiences and other information online using eCuris. By doing this, the platform provides support, aids self-management, and improves interactions with professionals; all with the aim of improving day-to-day health and well-being.

When a user posts, comments or replies in our Health Communities they are identified only by their chosen username. A user selects a user name upon registration and can change it in their profile setting at any time using eCuris. If a user wishes to remain anonymous for postings in Health Communities, we suggest that they choose a username that does not identify them.

(2) Health Boards: The purpose of the Health Board is to message with other users in eCuris about a patient’s health and well-being including the provision or coordination of particular health or social service. Users accessing the Health Board can be the patient, but could include the patient’s caregivers, family members or the patient’s associated health and social service professionals. All the information used in the Health Board is restricted and can only be seen and accessed by the patient’s authorized health and social service providers or those caregivers or family members invited to participate in a patient’s “Circle of Care”.

The Health Board can also send patients or their caregivers surveys to collect information. These surveys are typically used to track symptoms, vital signs, wellbeing questions or patient satisfaction or quality of service information. The messaging and surveys can collect Personal Identifier Information (“PII”), Personal Health Information (“PHI”), or both.

The patient, or their caregiver, (if the patient has provided consent to allow the caregiver access), controls who has access to the patient’s Circle of Care. This access can be changed/removed by the Patient or Caregiver at any time by using eCuris.

When using the Health Board you understand that you are allowing your Circle of Care to view your PII and PHI as it is included in the messaging or surveys you are part of. If you are not comfortable sharing your PII or PHI with your “Circle of Care” do not use eCuris Health Board or restrict your messaging or responses to only information you wish to share.

Next, this is what Privacy and Data Security means to you when using our Services.

Privacy when using eCuris. We strongly believe that using eCuris to become more informed and engaged on health topics and issues, and to connect more easily with your health and social service providers and with others with similar health issues, can greatly improve a person’s health and wellbeing, but this may necessarily involve sharing sensitive information about your health and treatment. Therefore, we want to share the clear and transparent privacy guidelines we use, so that you can understand what we do, how we protect your information, and how you can control what happens to information you share on eCuris.

Types of Personal Information

OC collects personal information in support of its mission to help transform how people engage with their providers and others, for their health and wellbeing. Personal information may include, but is not limited to, personal health information, other personal identifying information from things like credit cards, or specifically the information described below in this Section. We consider whether information may be able to identify a person indirectly as well as directly, so that we use the utmost care with that information, as part of our responsibility to protect our customers under the Privacy Shield.

This personal information is collected through the registration and use of our software on this application. We also collect personal information when you actually use or visit the OC website and we have our privacy statement there as well. We may also receive information about you from your health or social service providers when they use eCuris as part of your Circle of Care.

The type of information we may collect will depend on your interactions with OC.

The minimum information we require for you to participate in our Health Communities is your name and email address. The minimum information we require for you to participate in our Health Board is your name, email address and date of birth. To use the Health Board the date of birth is required as an extra identifier so your health or social service providers can ensure they have the correct patient or participant.

Certain other additional information is voluntary and may include:

(a) Personal Data or PII including:

• Personal, Contact and Log In Information. Name, Date of Birth, employer, title, email address, physical address, phone number, and similar contact info, user names and password for eCuris.
• Demographic Information. Employment status, occupation, region, gender, race and age.
• Registration Information. Product registration information, product interest information, and transaction information.
• General Profile Information, including other biographical data and general health interests.

(b) Personal Health Information or PHI that may form part of your care record could also be collected in eCuris. This could include information about your current health conditions, treatments, medicines, illnesses or allergies, symptoms, vitals, names of your health or social service providers or other patient reported information and health goals.

(c) Device Data information from your medical devices or fitness trackers.

(d) Usage and Geographic Data. OC collects this personal information related to your use of our products, services and website. We analyze that usage data so that we can improve our products and your experience with them.

Usage data may include information about your computer's or mobile device’s operating system and browser type; your device type; details about how you are using our products (including natural language queries); your Internet Protocol (IP) address, and geographic areas derived from your IP address; networking connection data; OC cookie information; file information; metadata; time stamped logs regarding access times and duration of visits; and other usage data relating to your activities on our Sites, including the pages you request.

Please note: If you decline to provide your personal information or ask us to delete it, we may be unable to continue to provide or support our products or services to you.

Ways we Use Personal Information

We use the personal information we collect for the purposes described in this Privacy Policy, as covered in any agreement that incorporates this Policy, or as disclosed to you in connection with our websites. For example, we will use your information to:

Enable your health and social service providers also using eCuris to better provide you with those health or social services.

Enable your family circle and circle of care to be better informed and engaged on your health and wellbeing to better provide you support.

Enable OC to:
• Provide and deliver products or services, including software updates to our products and services;
• Operate and improve our operations, systems, products, and services;
• Understand you and your preferences to enhance your experience for using our services;
• Respond to your comments and questions and provide customer service;
• Provide service and support, such as sending confirmations, invoices, technical notices, updates, security alerts, and administrative messages and providing customer support and troubleshooting;
• Communicate with you about potential products and services offered by OC;
• Enforce our terms and conditions or protect our business, partners, or users; or
• Protect against, investigate, and deter fraudulent, unauthorized, or illegal activity, as the case may be.

Reasons for Using Your Information

When we process your personal information, we will only do so where at least one of the following applies:
• We need to use your personal information to enable your health and social service providers also using eCuris to better provide you with those health or social services.
• We need to use your personal information to enable your family circle and circle of care to be better informed and engaged on your health and wellbeing to better provide you support.
• We need to use your personal information to perform our responsibilities under our contract with you and to provide you with products, tools and services;
• We have a legitimate reason to collect and use your personal information. For example (and by no means limited to the following), it is in our legitimate interests to use usage data, including your personal information, to understand how you and other customers interact with our systems and improve our products and services; to tell you about changes to this Privacy Policy and other policies; and to tell you about new products, services and events or changes to our products, services or websites;
• You have given consent to use your personal information. You may withdraw consent by "opting out" at any time, by using the information below;
• If it is necessary for us to use your personal information in order to comply with a legal obligation; or
• You have chosen to make the information public.

You should not share any personal information which you wish to keep confidential or private.

Sharing of Personal Information

OC works to keep your personal information confidential and secure and does not sell your personal data or open it up for unaffiliated third parties to use. In some limited circumstances, as part of the eCuris platform, OC may share your information with third parties, for example:
• We may share your personal information when we have your permission to enable your health and social service providers also using eCuris to better provide you with those health or social services.
• We may share your personal information when we have your permission to enable your family circle and circle of care to be better informed and engaged on your health and wellbeing to better provide you support.
• We may share your personal information when we have your permission, including when you choose to share information by posting to our Health Communities, messaging in chats or using the Health Board to message with your Circle of Care.
• We provide personal information to trusted partners who work on behalf of or with OC to provide us with certain services. We share encrypted information with our data storage provider, Amazon Web Services. They may use your personal information to perform services and to help OC communicate with you. For any other provider, OC will maintain contracts with any company restricting their access, use and disclosure of personal information in compliance with this Privacy Policy and any legal obligations. We will update our list of providers on our website;
• We may share your personal information with our current or future affiliates, which may include parent and subsidiary companies, joint ventures, or other companies under common control, requiring them to honor this Privacy Policy at all times;
• We may be required to disclose your personal information to comply with legal requirements, for example, in response to a court order or a subpoena. We may also disclose your personal information in response to a law enforcement agency's request, or where we believe it is necessary to investigate, verify, prevent, enforce compliance with, or take action regarding illegal or suspected illegal activities; suspected fraud; situations involving potential threats to the physical safety of any person; protection of the rights and property of OC, our agents, customers, or others; violations or suspected violations of our agreements and policies; or as otherwise required or permitted by law or consistent with legal requirements.

Storage and Security of Your Personal Information

We have comprehensive, reasonable and appropriate physical, electronic, and managerial procedures in place to help safeguard your personal information. However, you should know that no company, including OC, can fully eliminate all security risks associated with personal information.

To help protect yourself, use a strong password, do not use the same passwords to access your OC accounts that you use with other accounts or services, and protect your user names and passwords to help prevent others from accessing your accounts and services.

We offer you the ability to post information through our website. Because your posts and information shared through OC are or may become public and seen by others, we caution all users to consider what they post and not to disclose any non-essential personal information as part of the Health Board or other interactive experiences with third parties in eCuris. OC will not be responsible in the event that you disclose personal information in your posts, through our services or during any other communication with other website users.

Information collected by OC or on our behalf may be stored on our servers, and may be transferred to, accessed from, or stored and processed in, the United States and other countries in the European Union, including but not limited to the UK, Australia, and any other country where OC or its service providers maintain facilities or support centers including jurisdictions that may not have data privacy laws that provide protections equivalent to those provided in your home country. However, we will protect all personal information we obtain in accordance with this Privacy Policy and take reasonable steps to ensure that it is treated lawfully.

OC uses the Amazon Web Services (AWS) cloud service computing environment to process, store and transmit the protected health information (PHI) of our customers. AWS services and data centers have multiple layers of operational and physical security to ensure the integrity and safety of data.

OC stores all data in AWS zones in the USA. For the personal information of residents of the European Economic Area (EEA), OC adheres to the Privacy Shield Principles (as outlined at https://www.privacyshield.gov/) and is an active participant in the EU-US Privacy Shield framework. All data is encrypted in transit and at rest. Our application data and PHI are kept within the Amazon Relational Database Service (RDS) environment. On a database instance running with Amazon RDS encryption, data stored "at rest" in the underlying storage is encrypted, as are automated backups, read replicas and snapshots. Data "in transit" is protected by SSL/TLS, industry-standard cryptographic protocols that provide communications security between web browsers and servers.

Our application access is protected by authentication and authorization rules, in order to provide appropriate access control.

Password policies, temporary account lock out due to failed attempts, and auto-logout are enforced in the application.

Passwords are further encrypted in the database to prevent snooping.

The terms of use for the application are explained and participants' consent is required for the use of the application.

PHI is never sent via email or SMS messages, and no PHI is stored on client computers or mobile devices as it is stored in the AWS cloud.

In certain circumstances we may retain your personal information after you have closed your account or are no longer actively engaged with OC. For example:
• We may retain your personal information in order to protect our legal rights, or those of third parties, or to comply with the law; or
• We may retain personal information about how you have used our products and services in order to improve and develop our business; or
• Some of your Personal Information may become part of your health or medical record and will need to be retained by eCuris to support legal requirements of your health or social service providers that are also using eCuris; or
• If you purchase products or services from us, we may retain your personal information for as long as we need to in order to provide you with customer service, or for compliance purposes, for example, in order to comply with our local record keeping requirements.

Controlling your Personal Information/Opting Out

Our application and website permit you to "opt-out". You may contact us at opt-out@optimacuris.com at any time to let us know that you no longer wish to participate in any eCuris service, or receive further emails or for transactions. If you opt-out, we may still send you transactional emails. Transactional emails include emails about your account and our business dealings with you, such as renewals and updates, and, as allowed by applicable law.

When you use our website, you can usually choose to set your browser to remove cookies and to reject cookies from our servers, if we collect information from you. If you choose to remove or reject cookies, this could affect certain features or services of our website. For information about how to remove or manage cookies please read our Cookie Policy.

You may have the right, depending on which country you reside in, to ask us to provide a copy of the personal information we hold about you (provided that we may ask you for a few forms of proof of your identity). You may also have the right to ask us to correct any inaccuracies in your personal information or to ask us to delete it. We will always consider and act upon these requests regardless of where you live.

EU Citizens:

In addition, if you are based in the EU and accessing our Site, then you also have the right to ask us to:
• Confirm whether or not personal information about you is being processed;
• Provide you with details about how we process your personal information;
• Consider your valid objection to the processing of your personal information (including the right to object to processing on grounds relating to your particular situation where we are relying on our legitimate interests as a legal basis for processing your personal information);
• Update or delete personal information which we hold about you;
• Restrict the way we process your personal information;
• Consider your valid request to transfer your personal information to a third party provider of services (data portability); and
• Ask us to treat your consent as withdrawn if you have previously provided us with consent to process your personal information and we rely on it as our legal basis for processing.

If you need help or wish to exercise any of the above rights or have questions about them, please contact us at privacy@optimacuris.com or call us at +1-800-459-2003. We will consider all such requests and provide our response as soon as possible. Please note, however, that personal information may be exempt from such requests in certain circumstances, which may include circumstances where we need to keep processing your personal information for our legitimate business interests or to comply with a legal obligation. We may request you provide us with information necessary to confirm your identity.

Cookies

Our website may use various software technologies including “cookies”. “Cookies” are small text files that we and others may place in visitors' computer browsers to store their preferences. This Privacy Policy does not apply to, and we are not responsible for, cookies and other technologies if used in third party advertising. We encourage you to check the privacy policies of third-party advertisers and/or ad services to learn about their use of cookies and other technology.

Privacy Shield and Data Transfer

For the personal information of residents of the European Economic Area (EEA), OC adheres to the Privacy Shield Principles (as outlined here: https://www.privacyshield.gov/) and is an active participant in the EU-US Privacy Shield framework. Our Privacy Shield certification covers the types of personal information set out in this Privacy Policy, and OC is subject to the investigative and enforcement powers of the Federal Trade Commission in the US.

OC complies with the Privacy Shield principles for onward transfers, including the liability provisions. If we transfer your personal information to third parties outside the EEA, we will only do so where one of the following applies:
• In the case of transfers of personal information to the US, if the recipient is a member of the Privacy Shield Framework;
• Where we have in place standard model contractual clauses approved by the European Commission or other legally compliant terms; or
• There is an adequacy decision by the European Commission which means that the recipient country is deemed to provide adequate protection for such personal information.

You may direct any inquiries or complaints concerning our Privacy Shield compliance to privacy@optimacuris.com. You may also contact JAMS, at www.jamsadr.com/eu-us-privacy-shield. JAMS is a Privacy Shield dispute resolution mechanism. JAMS has committed to respond to complaints and to provide appropriate recourse at no cost to you. If neither OC nor JAMS resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. You may also make a complaint to the relevant EU data privacy supervisory authority.

How to contact us

OC is located in the US and the European Economic Area.

If you have any questions about how we use your personal information, or if you have any other privacy-related questions, please contact us at privacy@optimacuris.com or at

UK and European Economic Area:
Attn: Chief Privacy and Compliance Officer
Optima Curis Limited
71-75 Shelton Street
Covent Garden
London
WC2H 9JQ
United Kingdom

USA and rest of world:
Attn: Chief Privacy and Compliance Officer
Optima Curis Inc
1262 N Norman Place
Los Angeles, CA 90049
USA

Updates

From time to time, we may update this Privacy Policy. In the event there are material changes to our information practices, we will note those changes on OC’s Privacy Policy webpages at www.optimacuris.com/privacy and in some cases send a notification of changes via email.