1. PRIVACY STATEMENT
OlaWell has established this Privacy Statement to inform you of the specific practices and
guidelines that help ensure the security and confidentiality of your personal information. By
using or accessing in any way the websites we control and operate, including www.olawell.com
(our "Websites"), and our online requisition portal https://account.olawell.com/user/login (our
"Account Portal") or by transmitting information to us by email or other electronic means, you
agree to the terms of this Privacy Statement. If you do not agree with the terms of this Privacy
Statement, please do not access or use the Websites.
NOTE:
If you are accessing our Website from within the European Economic Area (EEA), or
have obtained OlaWell services while within the EEA, please review our GDPR Privacy Policy,
available as a part of this document. OlaWell intends to provide GDPR protection consistently to
individuals regardless of whether GDPR applies.
UPDATES
OlaWell may revise this Privacy Statement from time to time. All updates to this statement will
be posted on this web page. If we make significant changes, OlaWell will notify you by posting a
notice on the website. Please check the website for the most current version of our Privacy
Statement. Your continued use of the website after we have posted a notice on the website
constitutes your acceptance of such changes.
LINKED WEBSITES
The OlaWell Websites may contain links to external websites. OlaWell does not maintain these
sites and is not responsible for the privacy practices of sites that it does not operate. Please refer
to the specific privacy statements posted on these sites.
AGGREGATE DATA COLLECTION
OlaWell tracks visits to our Websites and uses visitor logs to compile anonymous aggregate
statistics. This aggregate information is collected sitewide and includes anonymous website
statistics. In addition, when you browse our Websites, our system automatically collects
information such as your web request, Internet Protocol ("IP") address, browser type, browser
language, domain names, referring and exit pages and URLs, platform type, pages viewed and
the order of these page views, the amount of time spent on particular pages, the date and time of
your request and one or more cookies that may uniquely identify your browser. This information
is used to analyze trends, administer the Websites, improve the design of our Websites, and
otherwise enhance the services we provide.
COOKIES
Certain pages of the Websites and/or html email correspondence may use session cookies,
persistent cookies or web beacons to anonymously track unique visitors, save website
preferences and to allow us to recognize visits from the same computer and browser. You have
the option to reject the Websites' cookies and still use the Website. However, your access to
the Website may be limited.
CHILDREN
The OlaWell Websites are directed toward adults. If you are under the age of 16, you must
obtain the authorization of a responsible adult (parent, legal custodian, or teacher) before using
or accessing our Websites. We will not knowingly collect or use any personal information from
any children under the age of 16. If we become aware that we have collected any personal
information from children under 16, we will promptly remove such information from our
databases.
TYPES OF PERSONAL INFORMATION COLLECTED
OlaWell may collect, store, and use personally identifiable information that you provide or we
receive from others, such as:
- Registration Information: Information submitted when creating an account (I.E. name, email address/preference, postal code, telephone number).
- Information you submit when contacting us (I.E. name, contact information, any other information you choose to submit).
- Information you submit to the Account Portal.
- Information from third parties (I.E. information submitted by a physician).
- Job application information (I.E. references or background check for job applicants, resume, contact information, employment and education history).
USE OF PERSONAL INFORMATION
OlaWell may collect, store and use personally identifiable information for our general
commercial purposes, such as to improve our Websites, and to offer you information which we
believe may be of interest to you. This may include the following purposes, for example:
- To contact you,
- To improve this website and expand our business,
- To provide you with information that you have requested,
- To respond to your inquiries,
- To provide you with technical support,
- To enforce our Terms and Conditions and other policies governing uses of our Websites,
- To alert you to new features or services,
- To communicate with you about your transactions or potential transactions with us,
- To provide information about our Websites, login information, and related clinical and research information,
- To administer your account,
- To ensure that our Websites and Services function properly,
- To keep our website secure,
- To measure and understand the effectiveness of advertising and outreach,
- If you are a healthcare provider or patient ordering our Services, to contact you about research opportunities, clinical trials, or clinical treatments for you or your patients when appropriate.
- To communicate with you about subscription updates/terms and conditions/ inquiries,
- To send the product to your address
SUBSCRIPTION
When you sign up for a subscription it is required that you submit your name, email, shipping address, and/or payment information (if this is a gift then no payment information is needed).
*If we offer special rewards or initiatives for birthdays that also requires the above mentioned information.*
Subscription services use this information every month until the subscription ends.
We use this information to contact you and for billing and delivery purposes.
If you purchase a subscription, we create an order ID that is unique to you, which we use to provide reports.
All personally identifiable information provided, exchanged or created pursuant to a subscription will be treated as, and be subject to, the terms and conditions of this privacy policy.
DISCLOSURE OF PERSONAL INFORMATION
OlaWell will not sell or rent your personal information to any other company or organization.
OlaWell may access and/or disclose your personal information in the following circumstances:
- If you request or authorize it;
- If the Information is provided to help complete a transaction for you;
- If the Information is provided to comply with the law, applicable regulations, or if we
believe necessary or appropriate in connection with an investigation of illegal activity
or to enforce the policies governing our website.
- If the disclosure is done as part of a purchase, transfer or sale of services (I.E.
Corporate restructuring, merger or consolidation with, or sale of substantially all of
our assets to a third party.)
- If the Information is provided to third party service providers to perform functions on
our behalf (I.E. analyzing data, providing marketing assistance, providing customer
services).
SECURITY MEASURES
Information that you provide to OlaWell through these Websites is encrypted using industry
standard Secure Sockets Layer (SSL) technology, with the exception of information you send via
email. Your information is processed and stored on controlled servers with restricted access.
Unfortunately, we cannot ensure or warrant the security of any information you transmit to our
Websites, and you do so at your own risk. As a consequence, OlaWell disclaims any warranties
or representations relating to maintenance or nondisclosure of private information.
INFORMATION ACCESS, UPDATES AND CHOICE
You may choose to provide information to OlaWell by completing the registration form, sending
us an email or otherwise contacting us. In the registration form, you may have an opportunity
to elect to receive certain communications from us. OlaWell email correspondence will include
instructions on how to update certain personal information and how to unsubscribe from our
emails and postal mail correspondence. Please follow the instructions in the emails to notify
OlaWell of changes to your name, email address and preference information. OlaWell will take
reasonable steps, such as confirmation emails, to verify your identity before granting access to
your personal information. If you choose to unsubscribe from our email and/or postal mail
services, you will no longer receive this correspondence. However, OlaWell may retain your
information for a period of time to resolve disputes, troubleshoot problems or for other valid
business or legal reasons.
THIRD PARTY INFORMATION
You agree that you have provided notice to, and obtained consent from, any third party
individuals whose personal information you supply to us, including with regard to: (a) the
purposes for which such third party's personal information has been collected; (b) the intended
recipients or categories of recipients of the third party's personal information; (c) which of the
third party's information is obligatory and which information, if any, is voluntary; and (d) how
the third party can access and, if necessary, rectify the information held about them.
FINANCIAL INFORMATION:
We do not currently collect financial information, such as your payment method (valid credit
card number, type, expiration date or other financial information); that information is collected
and stored by our third-party payment processing company (the “Payment Processor”), and use
and storage of that information is governed by the Payment Processor’s applicable terms of
service and privacy policy.
EMAIL COMMUNICATIONS WITH US:
As part of the Services, you may occasionally receive email and other communications from us,
such as communications relating to your Account. Communications relating to your Account
will only be sent for purposes important to the Services, such as password recovery.
GOVERNING LAW
Our Websites are controlled and operated by OlaWell. By choosing to visit our Websites or
otherwise provide information to OlaWell, you agree that any dispute over privacy or the terms
contained in this Privacy Statement will be governed by the laws of the State of Massachusetts.
If you are accessing our Websites from any location with regulations or laws governing personal
data collection, use or disclosure that differ from United States laws or regulations, please note
that through your continued use of our Websites, which is governed by the laws of the State of
Massachusetts and the United States of America and this Privacy Statement, you are
transferring personal information to the United States of America and you consent to that
transfer and to the collection and processing of such information in the United States. You also
consent to the adjudication of any disputes arising in connection with our Websites in the
federal and state courts of Essex County in the State of Massachusetts. You also agree to
attempt to mediate any such disputes.
ACCOUNT PORTAL
In addition to the other terms of this Privacy Statement, the following terms concern how
medical information concerning our patients is used or disclosed through our Account Portal.
Users - The Account Portal is only for the use of physicians and their authorized representatives
as stated in the Terms and Conditions of Use for the Account Portal.
Protected Health Information - The Account Portal is used for the storage and transmission of
Protected Health Information between OlaWell and physicians and their authorized
representatives. Protected Health Information is used in accordance with the Health
Insurance Portability and Accountability Act (HIPAA) and applicable federal and state laws
governing patient privacy. Protected Health Information available on the Account Portal may
only be used or disclosed for treatment and other authorized purposes as stated in the Notice
of Privacy Practices.
Security Measures - Information accessed through this Account Portal, including Protected
Health Information, is secured using administrative, physical and technical safeguards. For
example, the transfer of information is encrypted using industry standard Secure Sockets Layer
(SSL) technology and information is stored on controlled servers with restricted access. All
access is password protected and each individual user has his/her own user name and
password. All access is tracked at OlaWell for security purposes.
2. NOTICE OF PRIVACY PRACTICES
This Notice describes the privacy practices of OlaWell, its employees and other personnel.
OUR RESPONSIBILITY
OlaWell and the members of its workforce are committed to protecting the privacy and
confidentiality of your personal information, microbiome information and laboratory test results.
OlaWell is required by the Health Insurance Portability and Accountability Act of 1996
(HIPAA) to keep your personal health information ("Protected Health Information") confidential.
This Notice describes our legal duties and privacy practices and explains your patient privacy
rights. When we use or disclose your Protected Health Information, we are required to abide by
the terms of this Notice.
What is protected health information?
Protected Health Information is your demographic information, medical history, laboratory
results, insurance information and other health information that is collected, generated, used and
communicated by OlaWell to produce microbiome testing results and bill for our testing
services. Examples of Protected Health Information include your name, date of birth, medical
record number, social security number, insurance beneficiary number and microbiome
information.
How we use and disclose your health information
Your Protected Health Information may be used and disclosed for treatment, payment, healthcare
operations and other purposes permitted or required by law. OlaWell may use and disclose your
Protected Health Information for the following purposes: We may use or disclose your Protected
Health Information for treatment purposes. For example, we may use your Protected Health
Information to perform our testing services and disclose your microbiome testing results to your
physician and other healthcare providers involved in your care.
HEALTHCARE OPERATIONS
We may use and disclose your Protected Health Information for our healthcare operations. For
example, we may use your Protected Health Information to monitor the quality of our testing
services including 3rd party laboratory business associates (as defined in OlaWell Terms of Use)
and review the competence and qualifications of our laboratory professionals.
PERSONAL REPRESENTATIVES
We may disclose Protected Health Information about you to your authorized personal
representative, such as a lawyer, administrator, executor or other authorized person responsible
for you or your estate.
COMMUNICATIONS ABOUT PRODUCTS AND SERVICES
We may use and disclose your Protected Health Information to contact you about other OlaWell
products and services which we believe may be of interest to you. Any use, disclosure or sale of
Protected Health Information to third parties for marketing purposes requires your written
authorization.
DISCLOSURES TO BUSINESS ASSOCIATES
We may disclose your Protected Health Information to other companies or individuals, known as
"Business Associates," who provide services to us. For example, we may use a company to
perform billing services on our behalf. Our Business Associates are required to protect the
privacy and security of your Protected Health Information and notify us of any improper
disclosure of information.
AS REQUIRED BY LAW
We must disclose your Protected Health Information when required to do so by any applicable
federal, state or local law.
PUBLIC HEALTH ACTIVITIES
We may disclose your Protected Health Information for public health-related activities.
Examples include: reporting diseases to authorized public health authorities or public health
investigations; or notifying a manufacturer of a product regulated by the U.S. Food and Drug
Administration of a possible problem encountered when using the product in our testing process.
HEALTH OVERSIGHT ACTIVITIES
We may disclose your Protected Health Information to a healthcare oversight agency for
activities that are authorized by law, such as audits, investigations, inspections and licensure
activities. For example, we may disclose your Protected Health Information to agencies
responsible for ensuring compliance with the rules of government health programs such as
Medicare or Medicaid.
RESEARCH
Under certain circumstances, we may use or disclose your Protected Health Information for
research purposes. All research projects at OlaWell are subject to review by a committee
responsible for ensuring the protection of individual research subjects, appropriate patient
authorization and an adequate plan to safeguard Protected Health Information. In preparation for
research, we may review limited Protected Health Information to draft research protocols, to
identify prospective research participants or for similar purposes provided the information is not
removed from our premises.
CORONERS, MEDICAL EXAMINERS AND FUNERAL DIRECTORS
We may disclose Protected Health Information to coroners, medical examiners or funeral
directors to identify a deceased patient, to determine cause of death or other duty authorized by
law.
JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
Under certain circumstances, we may disclose your Protected Health Information in the course of
a judicial or administrative proceeding in response to a court order, subpoena or other lawful
process.
LAW ENFORCEMENT
We may disclose your Protected Health Information to the police or other law enforcement
officials as required by law or in compliance with a court order, warrant, subpoena, summons or
other legal process for locating a suspect, fugitive, witness, missing person or victim of a crime.
THREATS TO HEALTH OR SAFETY
We may disclose Protected Health Information to prevent or reduce the risk of a serious and
imminent threat to the health or safety of an individual or the general public.
VICTIMS OF ABUSE, NEGLECT OR VIOLENCE
If required or authorized by law, we may disclose Protected Health Information to a government
agency, such as social services or a protective services agency, if we reasonably believe that an
individual adult or child is the victim of abuse, neglect or domestic violence.
SPECIALIZED GOVERNMENT FUNCTIONS
Under certain circumstances, we may disclose your Protected Health Information to units of the
government with special functions, such as the U.S. Military or the U.S. Department of State.
WORKERS COMPENSATION PROGRAMS
We may disclose your Protected Health Information as necessary to comply with requirements of
workers' compensation or similar programs that provide benefits for work-related injuries or
illness.
ALL OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
We will ask for your written authorization before using or disclosing your Protected Health
Information for any purpose not described above. You may revoke your authorization, in writing,
at any time, except for disclosures that the company has already acted upon.
YOUR RIGHTS REGARDING YOUR MEDICAL INFORMATION
You have the following rights with respect to your Protected Health Information. To exercise
any of these rights, please contact our Privacy Office using the contact information provided at
the end of this Notice.
ACCESS TO PROTECTED HEALTH INFORMATION
You, or your authorized or designated personal representative, have the right to inspect and copy
the Protected Health Information maintained by us. We may deny access to certain information
for specific reasons, for example, where Federal and state laws regulating laboratories prohibit us
from disclosing microbiome testing results directly to a patient. We strive to respond to all
complaints as quickly as possible, usually within 30 days of your request.
RESTRICTIONS ON USES AND DISCLOSURES
You have the right to request restrictions on our use and disclosure of your Protected Health
Information. While we will consider all requests for additional restrictions carefully, we are not
required to agree to a requested restriction except for Payment or Operations restrictions where
payment has been made "out-of-pocket" and paid in full. If we do agree to a requested restriction,
we will notify you in writing.
CONFIDENTIAL COMMUNICATIONS
You have the right to request that we communicate with you about your Protected Health
Information by alternative means or to an alternative address. Your request must be in writing
and must specify the alternative means or location. We will accommodate reasonable requests
for confidential communications.
CORRECT OR UPDATE INFORMATION
If you believe the Protected Health Information we maintain about you contains an error, you
may request that we correct or update your information. Your request must be in writing and
must explain why the information should be corrected or updated. We may deny your request
under certain circumstances and provide a written explanation. We strive to respond to all
requests, and will provide a response as quickly as possible, usually within 60 days.
ACCOUNTING OF DISCLOSURES
You may request a list, or accounting, of certain disclosures of your Protected Health
Information made by us or our business associates for purposes other than treatment, payment,
healthcare operations and certain other activities. The request must be in writing and the list will
include disclosures made within the prior six years.
COPY OF NOTICE
Upon request, you may obtain a paper or electronic copy of this Notice.
Information breach notification
We are required to notify you following the discovery of a breach of unsecured Protected Health
Information, unless there is a demonstration, based on a risk assessment, that there is a "low
probability" that the Protected Health Information has been compromised. You will be notified
in a timely fashion, no later than 60 days after discovery of the breach.
Questions and complaints
If you have questions or concerns about our privacy practices or would like a more detailed
explanation about your privacy rights, please contact our Privacy Office using the contact
information below.
If you believe that we may have violated your privacy rights, you may submit a complaint to our
Privacy Office. You also may submit a written complaint to the U.S. Department of Health and
Human Services. We will provide you with the address to file your complaint with the U.S.
Department of Health and Human Services upon request. OlaWell will not take retaliatory action
against you and you will not be penalized in any way if you choose to file a complaint with us or
with the U.S. Department of Health and Human Services.
Changes to our notice of privacy practices
We reserve the right to change our privacy practices and the terms of this Notice at any time,
provided such changes are permitted by applicable law. We will promptly post any changes to
this Notice on our website at www.olawell.com. Please review this website periodically to ensure
that you are aware of any updates.
Contact information
When communicating with us regarding this Notice, our privacy practices or your privacy rights,
please contact the Privacy Office using the following contact information:
OlaWell Inc.
Attention: Privacy Officer
PO 185 Manchester,
MA 01944
USA
aberbic@olawell.com
3. GDPR PRIVACY POLICY
OlaWell has established this GDPR Privacy Policy to inform you of the specific practices and
guidelines that help ensure the security and confidentiality of your personal information. By
using or accessing in any way the websites we control and operate, including www.olawell.com
(our "Website(s)"), and our online requisition portal account.olawell.com/user/login (our
"Account Portal") or by transmitting information to us by email or other electronic means, you
agree to the terms of this GDPR Privacy Policy. If you do not agree with the terms of this
GDPR Privacy Policy, please do not access or use the Websites.
OlaWell is committed to upholding the confidentiality of personal information and strives to
collect, use and disclose personal information in a manner consistent with the laws and
regulations of the countries in which it does business.
1. Your Legal Rights: What Rights you have to your Data.
Subject to applicable law, you have a number of rights regarding the Processing of your
Personal Data. These rights include:
- The right to request access to, or copies of, your Personal Data that OlaWell
Processes or controls; together with information regarding the nature, processing
and disclosure of those Personal Data;
- The right to request rectification of any inaccuracies in your Personal Data
that OlaWell Processes or controls;
- The right to request erasure of your Personal Data or restriction of
Processing of your Personal Data that OlaWell controls or Processes.
- The right to have your Personal Data that OlaWell controls or Processes
transferred to another Controller, to the extent applicable;
- Where OlaWell processes your Personal Data on the basis of your consent,
the right to withdraw that consent;
- The right to lodge a complaint with a Data Protection Authority regarding the
Processing of Personal Data by OlaWell or on OlaWell’s behalf.
- The right to object to the Processing of your Personal Data by OlaWell.
- The right to object to the Processing of your Personal Data by OlaWell, or to
Processing on our behalf, for direct marketing purposes.
2. Data Minimization: How much Data we collect.
OlaWell takes reasonable steps to ensure that Personal Data Processed by OlaWell is limited
to the Personal Data reasonably required in connection with the purposes set out in this
Policy.
3. Data Retention: How long we hold Your Data.
OlaWell takes reasonable steps to ensure that your Personal Data is only Processed for the
minimum period necessary for the purposes set out in this Policy. The criteria for determining
the duration for which OlaWell retains your Personal Data is as follows:
I. OlaWell will retain copies of your Personal Data in a form that permits identification
only for as long as:
A. OlaWell maintains an ongoing relationship with you; or
B. Your Personal Data is necessary in connection with the lawful purposes set out in
this Policy, for which OlaWell has a valid legal basis.
II. Additionally, OlaWell will retain copies for the duration of:
A. Any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with
your Personal Data, or to which your Personal Data may be relevant); and
B. An additional 2 (two) month period following the end of any such
applicable limitation period.
III. In addition, if any relevant legal claims are brought, OlaWell may continue to Process
your Personal Data for such additional periods as are necessary in connection with that
claim.
During the periods noted in paragraphs II (A) and II (B), OlaWell will restrict our Processing of
your Personal Data to storage of, and maintaining the security of, that data, except to the
extent that the data need to be reviewed in connection with any legal claim or obligation.
Once the applicable period has ended, OlaWell will either:
- Permanently destroy or delete the relevant Personal Data;
- Archive your Personal Data so that it is beyond use; or
- Anonymise the relevant Personal Data.
4. Data Security: How we keep your Data safe.
OlaWell has implemented appropriate technical and organizational security measures designed
to protect your Personal Data against accidental or unlawful loss, alteration, disclosure, access,
destruction, and unlawful or unauthorized forms of Processing.
Information that you provide to OlaWell through these Websites is encrypted using industry
standard Secure Sockets Layer (SSL) technology, with the exception of information you send
via email. Your information is processed and stored on controlled servers with restricted access.
Unfortunately, we cannot ensure or warrant the security of any information you transmit to our
Websites, and you do so at your own risk. As a consequence, OlaWell disclaims any warranties
or representations relating to maintenance or nondisclosure of private information.
5. Data Accuracy: How we make sure your Data is accurate.
OlaWell takes reasonable steps to ensure that Personal Data that is Processed by OlaWell is
accurate, and, if necessary, up to date, and to ensure that any of your Personal Data processed
by OlaWell that is inaccurate (having regard to the purposes for which it is Processed) is
erased or rectified. OlaWell may ask you to confirm the accuracy of your Personal Data.
6. Disclosure of Personal Data to Third Parties: Who we may provide your Data to,
and why.
OlaWell may disclose your Personal Data to other entities for legitimate business purposes
(including providing services to you and operating our Websites) in accordance with applicable
law. In addition, OlaWell may disclose your Personal Data to:
- You, and, where appropriate, your family or authorized legal representative.
- Your Physician (where appropriate)
- Third party Processors (e.g. payment services providers, shipping companies, etc).
- Web service providers: (e.g. cloud storage, data aggregation services, targeted marketing)
- Information OlaWell shares with commonly owned entities.
- Any relevant third-party acquirer(s), in the event that we sell or transfer all or any
relevant portion of our business or assets (including in the event of a reorganization,
dissolution, or liquidation).
- Disclosures required by law or for regulatory compliance.
- Any relevant party for the purposes of prevention, investigation, detection or
prosecution of illegal activity that may expose us to legal liability or costs, to enforce
our policies governing our Websites.
Our Websites may use third party plugins or content. If you choose to interact with any such
plugin or content, your Personal Data may be shared with the third-party provider of the relevant
social media platform. OlaWell recommends that you review that third party’s privacy policy
before interacting with its plugins or content.
If OlaWell engages a third-party Processor to Process your Personal Data, the Processor will
be subject to binding contractual obligations to only Process the Personal Data in accordance
with our prior written instruction, and to use measures to protect the confidentiality and
security of the Personal Data, along with any additional requirements under applicable law.
OlaWell uses Amazon Web Services (“AWS”) as a Processor. For more information about
the protections offered by AWS, please visit their webpage at
https://aws.amazon.com/compliance/eu-data-protection/.
OlaWell uses Microsoft Azure (Microsoft) as a Processor. For more information about the
protections offered by Microsoft, please visit their webpage at
https://www.microsoft.com/en-us/trustCenter/privacy/gdpr.
7. Cookies: How our website collects information.
Certain pages of our Websites or email correspondence may use session cookies, persistent
cookies, or web beacons to anonymously track unique visitors, save website preferences, and
allow us to recognize visits from the same computer and browser. You have the option to reject
our Website’s cookies and still use our Websites; however, your access may be limited.
8. Direct Marketing: We may, with your consent, contact you with new products or
services.
OlaWell may Process your Personal Data to contact you, primarily via email, so OlaWell may
provide you with information concerning products and services that may be of interest.
OlaWell will not take these actions without first obtaining your consent. If you do not
wish to receive marketing emails from us, you can opt out at any time.
9. International Transfer of Personal Data: Why OlaWell may transfer your data overseas.
OlaWell may need to transfer your Personal Data within OlaWell, and to third parties as noted
above, in connection with the purposes set out in this Policy. For this reason, OlaWell may
transfer your Personal Data to other countries that may have different laws and data protection
compliance requirements. There is the possibility these countries will have a lower standard of
protection than those that would apply in the country in which you are located. Where
OlaWell transfers your Personal Data to other countries, it is on the basis of:
- Adequacy decisions;
- Binding Corporate Rules;
- Suitable Standard Contractual Clauses; or
- Other valid transfer mechanisms.
For more information on these safeguards, please contact OlaWell via the information provided
in Section 12.
10. Processing your Personal Data: How OlaWell uses your Personal Data.
Collection of Personal Data: OlaWell collects Personal Data about you from a variety of sources:
- OlaWell obtains your Personal Data when you provide it to us (e.g. where you contact
us via email or telephone or by other means).
- OlaWell may request your Personal Data when such collection is necessary to fulfill
the services you have selected.
- OlaWell collects your Personal Data in the ordinary course of our relationship with you.
- OlaWell collects Personal Data that you manifestly choose to make public, including
Social Media.
- OlaWell receives Personal Data from third parties who provide it to us (e.g. your
doctor, law enforcement agencies).
- OlaWell receives Personal Data from third parties when you purchase any of our
products or services through such third parties.
- OlaWell collects or obtains Personal Data when you visit our Websites or use any
features or resources available on or through our Websites. When you visit our
Websites, your device and browsers may automatically disclose certain information,
such as device type, operating system, browser type, browser settings, IP address,
language settings, time and date of connection, and other technical information, some of
which may constitute Personal Data.
Creation of Personal Data: OlaWell creates Personal Data about you, such as records of your
interactions with us, and details about your account, subject to applicable law.
Relevant Personal and Sensitive Personal Data: The categories of Personal and Sensitive
Personal Data about you that OlaWell Processes, subject to applicable law, are as follows:
- Registration Information: Personal Details (name; gender; date of birth; age; nationality)
- Authentication data (passwords; security questions & answers)
- Contact details (address; telephone number; email address; social media profiles)
- Referral Information: Details on people or entities you’d like your data shared with (i.e.
Doctor, Family Member)
- Views and opinions: any views or opinion that you choose to send to us.
- Microbiome Data: As submitted to us for testing in relation to OlaWell Products.
- Electronic identifying Data: IP addresses; cookies; activity logs; online identifiers;
unique device identifiers; geolocation data.
- Job application information (references or background check for job applicants,
resume, contact information, employment and education history).
Processing your Sensitive Personal Data: OlaWell will seek to collect or otherwise Process
your Sensitive Personal Data only when:
- OlaWell has, in accordance with applicable law, obtained your explicit consent prior
to processing your Sensitive Personal Data (i.e., in relation to ordering an OlaWell
product).
- The Processing is necessary for the detection or prevention of crime, to the extent
permitted by applicable law.
- The Processing is necessary for compliance with a legal obligation.
- The Processing is necessary for the establishment, exercise or defense of legal rights.
- The Processing is necessary for reasons of substantial public interest and occurs on the
basis of an applicable law that is proportionate to the aim pursued and provides for
suitable and specific measures to safeguard your fundamental rights and interest.
Purposes for which OlaWell may Process your Personal Data, and legal basis for Processing:
The purposes for which OlaWell may Process Personal Data, subject to applicable law, and the
legal basis on which OlaWell may perform such Processing, are:
| Processing Purpose | Legal basis for Processing |
|---|---|
| Microbiome Sequencing: Performing microbiome sequencing for customers, processing and delivering results. | • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. |
| Customer Contact: To respond to customer inquiries, provide information about our website, communicate with you about transactions, provide technical support. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| Legal Compliance: Compliance with legal and regulatory obligations under applicable law, screening against sanction lists. | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Legal Proceedings: Establishing, exercising, and defending legal rights. | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Security: Physical security of our premises (including records of visits to our premises and Security recording) and electronic security (including login records, device details, access details). | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Marketing: communications via email, phone, or other means, subject to ensuring that such communications are provided to you in compliance with applicable law. | • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| Operation of Website: Operation, management, and improvement of our Website, communicating and interacting with you via Our Website. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| IT Operations: Management of our communications systems, operation of IT security, Security audits. | • The Processing is necessary for compliance with a legal obligation. • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Investigations: Detecting, investigating and preventing breaches of policy | • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Improving Products & Services: Identifying issues and planning improvements for existing products and services, creating new products and services. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
11. Scope: Who this policy applies to.
This GDPR Privacy Policy (the “Policy”) sets forth the privacy principles that OlaWell
follows with respect to the processing of personal data where:
a. The processor or controller is located within the European Union (EU);
b. The data subject is located within the EU, by a controller or processor not
established in the EU, where the processing relates to:
I. The offering of goods or services to data subjects in the EU;
II. The monitoring of data subjects’ behavior, as far as it takes place in the EU.
c. The controller is not established in the EU, but in a place where EU Member State
law applies by virtue of public international law.
NOTE:
OlaWell intends to provide GDPR protection consistently to individuals, regardless of whether
GDPR applies.
12. Contact Details: How you can contact OlaWell.
If you have comments, questions or concerns about any of the information in this Policy,
or any other issues relating to the Processing of Personal Data by OlaWell, please contact
OlaWell at:
OlaWell Inc.
PO 185 Manchester,
MA 01944
USA
aberbic@olawell.com
13. Changes to this policy: How we’ll contact you if we update this document.
OlaWell may revise this Privacy Statement from time to time. All updates to this statement
will be posted on this web page. If we make significant changes, OlaWell will notify you by
posting a notice on our Websites. Please check our Websites for the most current version of
our Privacy Statement. Your continued use of the website after we have posted a notice on the
website constitutes your acceptance of such changes.
14. Definitions: How specific terms are defined
| Term | Definition |
|---|---|
| Personal Data | any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, microbiome, mental, economic, cultural or social identity of that natural person; |
| Microbiome Data | personal data relating to the inherited or acquired microbiome characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; |
| Processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; |
| Processor | a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; |
| Data Protection Authority | An independent public authority that is legally tasked with overseeing compliance with applicable data protection laws. |
| Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of microbiome data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation |
4. SAFE HARBOR PRIVACY POLICY
OlaWell is committed to upholding the confidentiality of personal information and strives to
collect, use and disclose personal information in a manner consistent with the laws and
regulations of the countries in which it does business. OlaWell fully intends to follow all
applicable regulations promulgated on the topic of transatlantic exchanges of personal data for
commercial purposes, including the EU-US Privacy Shield and The Data Protection Act 1998 of
the United Kingdom. Further, OlaWell is committed to fully preparing for the upcoming General
Data Protection Regulations (GDPR) which are set to come into enforcement on May 25, 2018.
This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that OlaWell
follows with respect to personal information transferred from the European Economic Area
(“EEA”) (which includes the 27 member states of the European Union (EU) plus Iceland,
Liechtenstein and Norway) and Switzerland to the United States of America.
1. SAFE HARBOR
The United States Department of Commerce, the European Commission and the Swiss Federal
Data Protection and Information Commissioner (FDPIC) have jointly agreed on a set of data
protection principles and frequently asked questions (the “Safe Harbor Principles”) to enable
U.S. companies to satisfy the requirement under European Union and Swiss law that adequate
protection is given to personal information transferred from the EU or Switzerland to the United
States.
The EEA and Switzerland have recognized the U.S. Safe Harbor as providing adequate data
protection. OlaWell has established a comprehensive Privacy and Security Compliance program
and is committed to protecting personal privacy consistent with the seven Safe Harbor Principles.
2. SCOPE
This Safe Harbor Privacy Policy (the “Policy”) applies to all personal information received by
OlaWell in the United States of America from the EEA and Switzerland, in any form including
electronic, paper or verbal.
3. DEFINITIONS
For purposes of this Policy, the following definitions shall apply:
"Agent" means any third party that collects or uses personal information under the instructions
of OlaWell or to which OlaWell discloses personal information for use on OlaWell’s behalf.
"OlaWell Inc." means OlaWell, its successors, affiliates, subsidiaries, divisions and groups in the
United States of America.
"Personal information" means any information or set of information that identifies or is used by
or on behalf of OlaWell to identify an individual. Personal information does not include
information that is encoded or anonymized, or publicly available information that has not been
combined with non-public personal information.
"Sensitive personal information" means personal information that reveals race, ethnic origin,
political opinions, religious or philosophical beliefs or trade union membership, or that concerns
health or sex life. OlaWell will treat any information received from a third party as sensitive
personal information where that third party treats and identifies the information as sensitive
personal information.
4. PRIVACY PRINCIPLES
The privacy principles in this Policy are based on the Safe Harbor Principles.
Notice: Where OlaWell collects personal information directly from individuals in the EEA or
Switzerland, it will inform them about the purposes for which it collects and uses such personal
information and the type of Agents to which it discloses such information. Notice will be
provided in clear and conspicuous language when individuals are first asked to provide personal
information to OlaWell, or as soon as practicable thereafter, and in any event before OlaWell
uses or discloses the information for a purpose other than that for which it was originally
collected. Where OlaWell receives personal information from its subsidiaries, affiliates or other
entities in the EEA or Switzerland, it will use and disclose such information in accordance with
the notices provided by such entities and the choices made by the individuals with respect to
their personal information.
Choice: OlaWell does not use personal information for purposes other than those for which it was
collected, i.e., the provision of OlaWell laboratory services. Personal information is not disclosed
to non-agent third parties.
Onward Transfer: OlaWell ensures that any Agent to whom it transfers personal information will
safeguard personal information consistent with the terms of this Policy. The majority of Agents
to whom OlaWell transfers sensitive personal information are subject to the Health Information
Portability and Accountability Act of 1996 (HIPAA) and are bound to protect the privacy and
security of patient information. In the event that information is transferred to an Agent who is not
subject to the HIPAA Rules, OlaWell will assure that: the Agent is contractually obligated to
provide at least the same level of protection as is required by HIPAA; is subject to EU Directive
95/46/EC (the EU Data Protection Directive); has certified to the Safe Harbor, or is subject to
another European Commission adequacy finding (e.g., companies located in Switzerland).
Where OlaWell has knowledge that an Agent is using or disclosing personal information in a
manner contrary to this Policy, OlaWell will take all reasonable steps to prevent or stop that use
or disclosure.
Security: OlaWell will take all reasonable precautions to protect personal information in its
possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
OlaWell uses a combination of technologies, procedures and organizational measures to
safeguard personal information.
Data Integrity: OlaWell will use personal information only in ways that are compatible with the
purposes for which it was collected or subsequently authorized by the individual. OlaWell will
take all reasonable steps to ensure that personal information is relevant to its intended use and
is accurate, complete and current.
Access and Correction: Upon request, OlaWell will grant individuals reasonable access to
personal information that it holds about them. In addition, OlaWell will take reasonable steps to
permit individuals to correct, amend or delete information that is inaccurate or incomplete.
OlaWell will take reasonable steps to facilitate amendments to information provided by third
parties if an individual raises a query.
Enforcement: OlaWell will conduct compliance audits of its relevant privacy practices to verify
adherence to this Policy. Any employee that OlaWell determines is in violation of this policy
will be subject to disciplinary action up to and including termination of employment.
Dispute Resolution: Any questions or concerns regarding the use or disclosure of personal
information should be directed to the OlaWell Privacy Officer at the address given below.
OlaWell will investigate and attempt to resolve complaints and disputes regarding use and
disclosure of personal information in accordance with the principles contained in this Policy. For
complaints that cannot be resolved between OlaWell and the complainant, OlaWell has agreed to
participate in the dispute resolution procedures of the panel established by the European Data
Protection Authorities and the Swiss Federal Data Protection and Information Commissioner to
resolve disputes pursuant to the Safe Harbor Principles.
5. LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by OlaWell to these Safe Harbor Principles may be limited (a) to the extent required
to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an
applicable law, rule or regulation.
6. INTERNET PRIVACY
OlaWell sees the Internet and online technologies as valuable tools for communicating and
interacting with consumers, employees, healthcare professionals, business partners and others.
OlaWell recognizes the importance of maintaining the privacy of information collected and/or
stored online and has created an Internet Privacy Policy governing personal information
collected or stored through the websites it operates. With respect to personal information that is
transferred from the EEA or Switzerland to the United States of America, the Privacy Policy is
subordinate to this policy. However, the Privacy Policy also reflects additional legal
requirements and evolving standards with respect to Internet privacy.
7. CONTACT INFORMATION
Questions or comments regarding this Policy should be submitted to the OlaWell Privacy Officer
by mail as follows:
OlaWell Inc.
Attention: Privacy Officer
PO 185 Manchester,
MA 01944
USA
aberbic@olawell.com
8. CHANGES TO THIS SAFE HARBOR PRIVACY POLICY
This Policy may be amended from time to time, consistent with the requirements of the Safe
Harbor Principles. If we make changes to this Policy, we will promptly post a copy of the
updated Policy on our website www.olawell.com. A notice will be posted on OlaWell's website
whenever this Safe Harbor Privacy Policy is changed in a material way.