
Privacy Policy

Version: 1.0

OlaWell Inc. ("OlaWell", "we" or "us") is committed to protecting the privacy of all visitors to the OlaWell website. The OlaWell privacy policy consists of 4 sections: (1) privacy statement, (2) notice of privacy practices, (3) GDPR privacy policy and (4) safe harbor privacy policy.

Effective: May 27, 2019

Last Updated: May 27, 2019

1. PRIVACY STATEMENT
OlaWell has established this Privacy Statement to inform you of the specific practices and guidelines that help ensure the security and confidentiality of your personal information. By using or accessing in any way the websites we control and operate, including www.olawell.com (our "Websites"), and our online requisition portal https://account.olawell.com/user/login (our "Account Portal") or by transmitting information to us by email or other electronic means, you agree to the terms of this Privacy Statement. If you do not agree with the terms of this Privacy Statement, please do not access or use the Websites.

NOTE:
If you are accessing our Website from within the European Economic Area (EEA), or have obtained OlaWell services while within the EEA, please review our GDPR Privacy Policy, available as a part of this document. OlaWell intends to provide GDPR protection consistently to individuals regardless of whether GDPR applies.

UPDATES
OlaWell may revise this Privacy Statement from time to time. All updates to this statement will be posted on this web page. If we make significant changes, OlaWell will notify you by posting a notice on the website. Please check the website for the most current version of our Privacy Statement. Your continued use of the website after we have posted a notice on the website constitutes your acceptance of such changes.

LINKED WEBSITES
The OlaWell Websites may contain links to external websites. OlaWell does not maintain these sites and is not responsible for the privacy practices of sites that it does not operate. Please refer to the specific privacy statements posted on these sites.


AGGREGATE DATA COLLECTION
OlaWell tracks visits to our Websites and uses visitor logs to compile anonymous aggregate statistics. This aggregate information is collected sitewide and includes anonymous website statistics. In addition, when you browse our Websites, our system automatically collects information such as your web request, Internet Protocol ("IP") address, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the order of these page views, the amount of time spent on particular pages, the date and time of your request and one or more cookies that may uniquely identify your browser. This information is used to analyze trends, administer the Websites, improve the design of our Websites, and otherwise enhance the services we provide.

COOKIES
Certain pages of the Websites and/or HTML email correspondence may use session cookies, persistent cookies or web beacons to anonymously track unique visitors, save website preferences and to allow us to recognize visits from the same computer and browser. You have the option to reject the Websites' cookies and still use the Website. However, your access to the Website may be limited.

CHILDREN
The OlaWell Websites are directed toward adults. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent, legal custodian, or teacher) before using or accessing our Websites. We will not knowingly collect or use any personal information from any children under the age of 16. If we become aware that we have collected any personal information from children under 16, we will promptly remove such information from our databases.

TYPES OF PERSONAL INFORMATION COLLECTED
OlaWell may collect, store, and use personally identifiable information that you provide or we receive from others, such as:

  • Registration Information: Information submitted when creating an account (I.E. name, email address/preference, postal code, telephone number).
  • Information you submit when contacting us (I.E. name, contact information, any other information you choose to submit).
  • Information you submit to the Account Portal.
  • Information from third parties (I.E. information submitted by a physician).
  • Job application information (I.E. references or background check for job applicants, resume, contact information, employment and education history).

USE OF PERSONAL INFORMATION
OlaWell may collect, store and use personally identifiable information for our general commercial purposes, such as to improve our Websites, and to offer you information which we believe may be of interest to you. This may include the following purposes, for example:

  • To contact you,
  • To improve this website and expand our business,
  • To provide you with information that you have requested,
  • To respond to your inquiries,
  • To provide you with technical support,
  • To enforce our Terms and Conditions and other policies governing uses of our Websites,
  • To alert you to new features or services,
  • To communicate with you about your transactions or potential transactions with us,
  • To provide information about our Websites, login information, and related clinical and research information,
  • To administer your account,
  • To ensure that our Websites and Services function properly,
  • To keep our website secure,
  • To measure and understand the effectiveness of advertising and outreach,
  • If you are a healthcare provider or patient ordering our Services, to contact you about research opportunities, clinical trials, or clinical treatments for you or your patients when appropriate.

DISCLOSURE OF PERSONAL INFORMATION
OlaWell will not sell or rent your personal information to any other company or organization. OlaWell may access and/or disclose your personal information in the following circumstances:

  • If you request or authorize it;
  • If the Information is provided to help complete a transaction for you;
  • If the Information is provided to comply with the law, applicable regulations, or if we believe necessary or appropriate in connection with an investigation of illegal activity or to enforce the policies governing our website.
  • If the disclosure is done as part of a purchase, transfer or sale of services (I.E. Corporate restructuring, merger or consolidation with, or sale of substantially all of our assets to a third party.)
  • If the Information is provided to third party service providers to perform functions on our behalf (I.E. analyzing data, providing marketing assistance, providing customer services).

SECURITY MEASURES
Information that you provide to OlaWell through these Websites is encrypted using industry standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk. As a consequence, OlaWell disclaims any warranties or representations relating to maintenance or nondisclosure of private information.

INFORMATION ACCESS, UPDATES AND CHOICE
You may choose to provide information to OlaWell by completing the registration form, sending us an email or otherwise contacting us. In the registration form, you may have an opportunity to elect to receive certain communications from us. OlaWell email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify OlaWell of changes to your name, email address and preference information. OlaWell will take reasonable steps, such as confirmation emails, to verify your identity before granting access to your personal information. If you choose to unsubscribe from our email and/or postal mail services, you will no longer receive this correspondence. However, OlaWell may retain your information for a period of time to resolve disputes, troubleshoot problems or for other valid business or legal reasons.

THIRD PARTY INFORMATION
You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to: (a) the purposes for which such third party's personal information has been collected; (b) the intended recipients or categories of recipients of the third party's personal information; (c) which of the third party's information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.

FINANCIAL INFORMATION:
We do not currently collect financial information, such as your payment method (valid credit card number, type, expiration date or other financial information); that information is collected and stored by our third-party payment processing company (the “Payment Processor”), and use and storage of that information is governed by the Payment Processor’s applicable terms of service and privacy policy.

EMAIL COMMUNICATIONS WITH US:
As part of the Services, you may occasionally receive email and other communications from us, such as communications relating to your Account. Communications relating to your Account will only be sent for purposes important to the Services, such as password recovery.

GOVERNING LAW
Our Websites are controlled and operated by OlaWell. By choosing to visit our Websites or otherwise provide information to OlaWell, you agree that any dispute over privacy or the terms contained in this Privacy Statement will be governed by the laws of the State of Massachusetts. If you are accessing our Websites from any location with regulations or laws governing personal data collection, use or disclosure that differ from United States laws or regulations, please note that through your continued use of our Websites, which is governed by the laws of the State of Massachusetts and the United States of America and this Privacy Statement, you are transferring personal information to the United States of America and you consent to that transfer and to the collection and processing of such information in the United States. You also consent to the adjudication of any disputes arising in connection with our Websites in the federal and state courts of Essex County in the State of Massachusetts. You also agree to attempt to mediate any such disputes.

ACCOUNT PORTAL
In addition to the other terms of this Privacy Statement, the following terms concern how medical information concerning our patients is used or disclosed through our Account Portal.

Users
- The Account Portal is only for the use of physicians and their authorized representatives as stated in the Terms and Conditions of Use for the Account Portal.

Protected Health Information
- The Account Portal is used for the storage and transmission of Protected Health Information between OlaWell and physicians and their authorized representatives. Protected Health Information is used in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable federal and state laws governing patient privacy. Protected Health Information available on the Account Portal may only be used or disclosed for treatment and other authorized purposes as stated in the Notice of Privacy Practices.

Security Measures
- Information accessed through this Account Portal, including Protected Health Information, is secured using administrative, physical and technical safeguards. For example, the transfer of information is encrypted using industry standard Secure Sockets Layer (SSL) technology and information is stored on controlled servers with restricted access. All access is password protected and each individual user has his/her own user name and password. All access is tracked at OlaWell for security purposes.

2. NOTICE OF PRIVACY PRACTICES
This Notice describes the privacy practices of OlaWell, its employees and other personnel.


OUR RESPONSIBILITY
OlaWell and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, microbiome information and laboratory test results. OlaWell is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to keep your personal health information ("Protected Health Information") confidential. This Notice describes our legal duties and privacy practices and explains your patient privacy rights. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice.

What is protected health information?
Protected Health Information is your demographic information, medical history, laboratory results, insurance information and other health information that is collected, generated, used and communicated by OlaWell to produce microbiome testing results and bill for our testing services. Examples of Protected Health Information include your name, date of birth, medical record number, social security number, insurance beneficiary number and microbiome information.

How we use and disclose your health information
Your Protected Health Information may be used and disclosed for treatment, payment, healthcare operations and other purposes permitted or required by law. OlaWell may use and disclose your Protected Health Information for the following purposes: We may use or disclose your Protected Health Information for treatment purposes. For example, we may use your Protected Health Information to perform our testing services and disclose your microbiome testing results to your physician and other healthcare providers involved in your care.

HEALTHCARE OPERATIONS
We may use and disclose your Protected Health Information for our healthcare operations. For example, we may use your Protected Health Information to monitor the quality of our testing services including 3rd party laboratory business associates (as defined in OlaWell Terms of Use) and review the competence and qualifications of our laboratory professionals.

PERSONAL REPRESENTATIVES
We may disclose Protected Health Information about you to your authorized personal representative, such as a lawyer, administrator, executor or other authorized person responsible for you or your estate.

COMMUNICATIONS ABOUT PRODUCTS AND SERVICES
We may use and disclose your Protected Health Information to contact you about other OlaWell products and services which we believe may be of interest to you. Any use, disclosure or sale of Protected Health Information to third parties for marketing purposes requires your written authorization.

DISCLOSURES TO BUSINESS ASSOCIATES
We may disclose your Protected Health Information to other companies or individuals, known as "Business Associates," who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.

AS REQUIRED BY LAW
We must disclose your Protected Health Information when required to do so by any applicable federal, state or local law.

PUBLIC HEALTH ACTIVITIES
We may disclose your Protected Health Information for public health-related activities. Examples include: reporting diseases to authorized public health authorities or public health investigations; or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration of a possible problem encountered when using the product in our testing process.


HEALTH OVERSIGHT ACTIVITIES
We may disclose your Protected Health Information to a healthcare oversight agency for activities that are authorized by law, such as audits, investigations, inspections and licensure activities. For example, we may disclose your Protected Health Information to agencies responsible for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.


RESEARCH
Under certain circumstances, we may use or disclose your Protected Health Information for research purposes. All research projects at OlaWell are subject to review by a committee responsible for ensuring the protection of individual research subjects, appropriate patient authorization and an adequate plan to safeguard Protected Health Information. In preparation for research, we may review limited Protected Health Information to draft research protocols, to identify prospective research participants or for similar purposes provided the information is not removed from our premises.

CORONERS, MEDICAL EXAMINERS AND FUNERAL DIRECTORS

We may disclose Protected Health Information to coroners, medical examiners or funeral directors to identify a deceased patient, to determine cause of death or other duty authorized by law.

JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
Under certain circumstances, we may disclose your Protected Health Information in the course of a judicial or administrative proceeding in response to a court order, subpoena or other lawful process.

LAW ENFORCEMENT
We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons or other legal process for locating a suspect, fugitive, witness, missing person or victim of a crime.

THREATS TO HEALTH OR SAFETY
We may disclose Protected Health Information to prevent or reduce the risk of a serious and imminent threat to the health or safety of an individual or the general public.

VICTIMS OF ABUSE, NEGLECT OR VIOLENCE
If required or authorized by law, we may disclose Protected Health Information to a government agency, such as social services or a protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect or domestic violence.

SPECIALIZED GOVERNMENT FUNCTIONS
Under certain circumstances, we may disclose your Protected Health Information to units of the government with special functions, such as the U.S. Military or the U.S. Department of State.


WORKERS COMPENSATION PROGRAMS
We may disclose your Protected Health Information as necessary to comply with requirements of workers' compensation or similar programs that provide benefits for work-related injuries or illness.

ALL OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
We will ask for your written authorization before using or disclosing your Protected Health Information for any purpose not described above. You may revoke your authorization, in writing, at any time, except for disclosures that the company has already acted upon.

YOUR RIGHTS REGARDING YOUR MEDICAL INFORMATION
You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please contact our Privacy Office using the contact information provided at the end of this Notice.


ACCESS TO PROTECTED HEALTH INFORMATION
You, or your authorized or designated personal representative, have the right to inspect and copy the Protected Health Information maintained by us. We may deny access to certain information for specific reasons, for example, where Federal and state laws regulating laboratories prohibit us from disclosing microbiome testing results directly to a patient. We strive to respond to all complaints as quickly as possible, usually within 30 days of your request.

RESTRICTIONS ON USES AND DISCLOSURES
You have the right to request restrictions on our use and disclosure of your Protected Health Information. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for Payment or Operations restrictions where payment has been made "out-of-pocket" and paid in full. If we do agree to a requested restriction, we will notify you in writing.

CONFIDENTIAL COMMUNICATIONS
You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications.

CORRECT OR UPDATE INFORMATION
If you believe the Protected Health Information we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation. We strive to respond to all requests, and will provide a response as quickly as possible, usually within 60 days.

ACCOUNTING OF DISCLOSURES
You may request a list, or accounting, of certain disclosures of your Protected Health Information made by us or our business associates for purposes other than treatment, payment, healthcare operations and certain other activities. The request must be in writing and the list will include disclosures made within the prior six years.

COPY OF NOTICE
Upon request, you may obtain a paper or electronic copy of this Notice.

Information breach notification
We are required to notify you following the discovery of a breach of unsecured Protected Health Information, unless there is a demonstration, based on a risk assessment, that there is a "low probability" that the Protected Health Information has been compromised. You will be notified in a timely fashion, no later than 60 days after discovery of the breach.

Questions and complaints
If you have questions or concerns about our privacy practices or would like a more detailed explanation about your privacy rights, please contact our Privacy Office using the contact information below. If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Office. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request. OlaWell will not take retaliatory action against you and you will not be penalized in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Changes to our notice of privacy practices
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We will promptly post any changes to this Notice on our website at www.olawell.com. Please review this website periodically to ensure that you are aware of any updates.

Contact information
When communicating with us regarding this Notice, our privacy practices or your privacy rights, please contact the Privacy Office using the following contact information:

OlaWell Inc.
Attention: Privacy Officer
PO 185
Manchester, MA 01944 USA
aberbic@olawell.com

3. GDPR PRIVACY POLICY
OlaWell has established this GDPR Privacy Policy to inform you of the specific practices and guidelines that help ensure the security and confidentiality of your personal information. By using or accessing in any way the websites we control and operate, including www.olawell.com (our "Website(s)"), and our online requisition portal account.olawell.com/user/login (our "Account Portal") or by transmitting information to us by email or other electronic means, you agree to the terms of this GDPR Privacy Policy. If you do not agree with the terms of this GDPR Privacy Policy, please do not access or use the Websites. OlaWell is committed to upholding the confidentiality of personal information and strives to collect, use and disclose personal information in a manner consistent with the laws and regulations of the countries in which it does business.

1. Your Legal Rights: What Rights you have to your Data.
Subject to applicable law, you have a number of rights regarding the Processing of your Personal Data. These rights include:

  • The right to request access to, or copies of, your Personal Data that OlaWell Processes or controls, together with information regarding the nature, processing and disclosure of those Personal Data;
  • The right to request rectification of any inaccuracies in your Personal Data that OlaWell Processes or controls;
  • The right to request erasure of your Personal Data or restriction of Processing of your Personal Data that OlaWell controls or Processes;
  • The right to have your Personal Data that OlaWell controls or Processes transferred to another Controller, to the extent applicable;
  • Where OlaWell processes your Personal Data on the basis of your consent, the right to withdraw that consent;
  • The right to lodge a complaint with a Data Protection Authority regarding the Processing of Personal Data by OlaWell or on OlaWell’s behalf;
  • The right to object to the Processing of your Personal Data by OlaWell;
  • The right to object to the Processing of your Personal Data by OlaWell, or to Processing on our behalf, for direct marketing purposes.

2. Data Minimization: How much Data we collect.
OlaWell takes reasonable steps to ensure that Personal Data Processed by OlaWell is limited to the Personal Data reasonably required in connection with the purposes set out in this Policy.

3. Data Retention: How long we hold Your Data.
OlaWell takes reasonable steps to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Policy. The criteria for determining the duration for which OlaWell retains your Personal Data are as follows:

I. OlaWell will retain copies of your Personal Data in a form that permits identification only for as long as:

   A. OlaWell maintains an ongoing relationship with you; or

   B. Your Personal Data is necessary in connection with the lawful purposes set out in this Policy, for which OlaWell has a valid legal basis.

II. Additionally, OlaWell will retain copies for the duration of:

   A. Any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant); and

   B. An additional 2 (two) month period following the end of any such applicable limitation period.


III. In addition, if any relevant legal claims are brought, OlaWell may continue to Process your Personal Data for such additional periods as are necessary in connection with that claim.

  During the periods noted in paragraphs II (A) and II (B), OlaWell will restrict our Processing of your Personal Data to storage of, and maintaining the security of, that data, except to the extent that the data need to be reviewed in connection with any legal claim or obligation.

Once the applicable period has ended, OlaWell will either:

  • Permanently destroy or delete the relevant Personal Data;
  • Archive your Personal Data so that it is beyond use; or
  • Anonymise the relevant Personal Data.

4. Data Security: How we keep your Data safe.
OlaWell has implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful loss, alteration, disclosure, access, destruction, and unlawful or unauthorized forms of Processing. Information that you provide to OlaWell through these Websites is encrypted using industry standard Secure Sockets Layer (SSL) technology, with the exception of information you send via email. Your information is processed and stored on controlled servers with restricted access. Unfortunately, we cannot ensure or warrant the security of any information you transmit to our Websites, and you do so at your own risk. As a consequence, OlaWell disclaims any warranties or representations relating to maintenance or nondisclosure of private information.

5. Data Accuracy: How we make sure your Data is accurate.
OlaWell takes reasonable steps to ensure that Personal Data that is Processed by OlaWell is accurate, and, if necessary, up to date, and to ensure that any of your Personal Data processed by OlaWell that is inaccurate (having regard to the purposes for which it is Processed) is erased or rectified. OlaWell may ask you to confirm the accuracy of your Personal Data.

6. Disclosure of Personal Data to Third Parties: Who we may provide your Data to, and why.
OlaWell may disclose your Personal Data to other entities for legitimate business purposes (including providing services to you and operating our Websites) in accordance with applicable law. In addition, OlaWell may disclose your Personal Data to:

  • You, and, where appropriate, your family or authorized legal representative.  
  • Your Physician (where appropriate)  
  • Third party Processors (e.g. payment services providers, shipping companies, etc).  
  • Web service providers: (e.g. cloud storage, data aggregation services, targeted marketing)  
  • Information OlaWell shares with commonly owned entities.  
  • Any relevant third-party acquirer(s), in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation).  
  • Disclosures required by law or for regulatory compliance.  
  • Any relevant party for the purposes of prevention, investigation, detection or prosecution of illegal activity that may expose us to legal liability or costs, to enforce our policies governing our Websites.

Our Websites may use third party plugins or content. If you choose to interact with any such plug-in or content, your Personal Data may be shared with the third-party provider of the relevant social media platform. OlaWell recommends that you review that third party’s privacy policy before interacting with its plugins or content.

If OlaWell engages a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to only Process the Personal Data in accordance with our prior written instruction, and to use measures to protect the confidentiality and security of the Personal Data, along with any additional requirements under applicable law.

OlaWell uses Amazon Web Services (“AWS”) as a Processor. For more information about the protections offered by AWS, please visit their webpage at https://aws.amazon.com/compliance/eu-data-protection/.

OlaWell uses Microsoft Azure (Microsoft) as a Processor. For more information about the protections offered by Microsoft, please visit their webpage at https://www.microsoft.com/en-us/trustCenter/privacy/gdpr.

7. Cookies: How our website collects information.
Certain pages of our Websites or email correspondence may use session cookies, persistent cookies, or web beacons to anonymously track unique visitors, save website preferences, and allow us to recognize visits from the same computer and browser. You have the option to reject our Website’s cookies and still use our Websites; however, your access may be limited.

8. Direct Marketing: We may, with your consent, contact you with new products or services.
OlaWell may Process your Personal Data to contact you, primarily via email, so OlaWell may provide you with information concerning products and services that may be of interest. OlaWell will not take these actions without first obtaining your consent. If you do not wish to receive marketing emails from us, you can opt out at any time.

9. International Transfer of Personal Data: Why OlaWell may transfer your data overseas.
OlaWell may need to transfer your Personal Data within OlaWell, and to third parties as noted above, in connection with the purposes set out in this Policy. For this reason, OlaWell may transfer your Personal Data to other countries that may have different laws and data protection compliance requirements. There is the possibility these countries will have a lower standard of protection than those that would apply in the country in which you are located. Where OlaWell transfers your Personal Data to other countries, it is on the basis of:

  • Adequacy decisions;  
  • Binding Corporate Rules;  
  • Suitable Standard Contractual Clauses; or  
  • Other valid transfer mechanisms.

For more information on these safeguards, please contact OlaWell via the information provided in Section 12.

10. Processing your Personal Data: How OlaWell uses your Personal Data.
Collection of Personal Data: OlaWell collects Personal Data about you from a variety of sources:

  • OlaWell obtains your Personal Data when you provide it to us (e.g. where you contact us via email or telephone or by other means).  
  • OlaWell may request your Personal Data when such collection is necessary to fulfill the services you have selected.  
  • OlaWell collects your Personal Data in the ordinary course of our relationship with you.  
  • OlaWell collects Personal Data that you manifestly choose to make public, including Social Media.  
  • OlaWell receives Personal Data from third parties who provide it to us (e.g. your doctor, law enforcement agencies).  
  • OlaWell receives Personal Data from third parties when you purchase any of our products or services through such third parties.  
  • OlaWell collects or obtains Personal Data when you visit our Websites or use any features or resources available on or through our Websites. When you visit our Websites, your device and browsers may automatically disclose certain information, such as device type, operating system, browser type, browser settings, IP address, language settings, time and date of connection, and other technical information, some of which may constitute Personal Data.

Creation of Personal Data: OlaWell creates Personal Data about you, such as records of your interactions with us, and details about your account, subject to applicable law.

Relevant Personal and Sensitive Personal Data: The categories of Personal and Sensitive Personal Data about you that OlaWell Processes, subject to applicable law, are as follows:

  • Registration Information: Personal Details (name; gender; date of birth; age; nationality)  
  • Authentication data (passwords; security questions & answers)  
  • Contact details (address; telephone number; email address; social media profiles)  
  • Referral Information: Details on people or entities you’d like your data shared with (i.e. Doctor, Family Member)  
  • Views and opinions: any views or opinion that you choose to send to us.  
  • Microbiome Data: As submitted to us for testing in relation to OlaWell Products.  
  • Electronic identifying Data: IP addresses; cookies; activity logs; online identifiers; unique device identifiers; geolocation data.  
  • Job application information (references or background check for job applicants, resume, contact information, employment and education history).

Processing your Sensitive Personal Data: OlaWell will seek to collect or otherwise Process your Sensitive Personal Data only when:

  • OlaWell has, in accordance with applicable law, obtained your explicit consent prior to processing your Sensitive Personal Data (i.e., in relation to ordering an OlaWell product).  
  • The Processing is necessary for the detection or prevention of crime, to the extent permitted by applicable law.  
  • The Processing is necessary for compliance with a legal obligation.  
  • The Processing is necessary for the establishment, exercise or defense of legal rights.  
  • The Processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.

Purposes for which OlaWell may Process your Personal Data, and legal basis for Processing: The purposes for which OlaWell may Process Personal Data, subject to applicable law, and the legal basis on which OlaWell may perform such Processing, are:

| Processing Purpose | Legal basis for Processing |
| --- | --- |
| Microbiome Sequencing: Performing microbiome sequencing for customers, processing and delivering results. | • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. |
| Customer Contact: To respond to customer inquiries, provide information about our website, communicate with you about transactions, provide technical support. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| Legal Compliance: Compliance with legal and regulatory obligations under applicable law, screening against sanction lists. | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Legal Proceedings: Establishing, exercising, and defending legal rights. | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Security: Physical security of our premises (including records of visits to our premises and Security recording) and electronic security (including login records, device details, access details). | • The Processing is necessary for compliance with a legal obligation. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Marketing: Communications via email, phone, or other means, subject to ensuring that such communications are provided to you in compliance with applicable law. | • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| Operation of Website: Operation, management, and improvement of our Website, communicating and interacting with you via our Website. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |
| IT Operations: Management of our communications systems, operation of IT security, Security audits. | • The Processing is necessary for compliance with a legal obligation. • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Investigations: Detecting, investigating and preventing breaches of policy. | • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). |
| Improving Products & Services: Identifying issues and planning improvements for existing products and services, creating new products and services. | • The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us. • OlaWell has a legitimate interest in carrying out the Processing for the purposes of establishing, exercising, or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms). • OlaWell has obtained your express prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary). |

11. Scope: Who this policy applies to.
This GDPR Privacy Policy (the “Policy”) sets forth the privacy principles that OlaWell follows with respect to the processing of personal data where:
a. The processor or controller is located within the European Union (EU);

b. The data subject is located within the EU, by a controller or processor not established in the EU, where the processing relates to:
    I. The offering of goods or services to data subjects in the EU;
    II. The monitoring of data subjects’ behavior, as far as it takes place in the EU.

c. The controller is not established in the EU, but in a place where EU Member State law applies by virtue of public international law.

NOTE:
OlaWell intends to provide GDPR protection consistently to individuals, regardless of whether GDPR applies.


12. Contact Details: How you can contact OlaWell.
If you have comments, questions or concerns about any of the information in this Policy, or any other issues relating to the Processing of Personal Data by OlaWell, please contact OlaWell at:

OlaWell Inc.  
PO 185  
Manchester, MA 01944  
USA  
aberbic@olawell.com

13. Changes to this policy: How we’ll contact you if we update this document.
OlaWell may revise this Privacy Statement from time to time. All updates to this statement will be posted on this web page. If we make significant changes, OlaWell will notify you by posting a notice on our Websites. Please check our Websites for the most current version of our Privacy Statement. Your continued use of the website after we have posted a notice on the website constitutes your acceptance of such changes.

14. Definitions: How specific terms are defined

| Term | Definition |
| --- | --- |
| Personal Data | any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, microbiome, mental, economic, cultural or social identity of that natural person; |
| Microbiome Data | personal data relating to the inherited or acquired microbiome characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; |
| Processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; |
| Processor | a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; |
| Data Protection Authority | An independent public authority that is legally tasked with overseeing compliance with applicable data protection laws. |
| Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of microbiome data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation |

4. SAFE HARBOR PRIVACY POLICY
OlaWell is committed to upholding the confidentiality of personal information and strives to collect, use and disclose personal information in a manner consistent with the laws and regulations of the countries in which it does business. OlaWell fully intends to follow all applicable regulations promulgated on the topic of transatlantic exchanges of personal data for commercial purposes, including the EU-US Privacy Shield and The Data Protection Act 1998 of the United Kingdom. Further, OlaWell is committed to fully preparing for the upcoming General Data Protection Regulations (GDPR) which are set to come into enforcement on May 25, 2018. This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that OlaWell follows with respect to personal information transferred from the European Economic Area (“EEA”) (which includes the 27 member states of the European Union (EU) plus Iceland, Liechtenstein and Norway) and Switzerland to the United States of America.


1. SAFE HARBOR
The United States Department of Commerce, the European Commission and the Swiss Federal Data Protection and Information Commissioner (FDPIC) have jointly agreed on a set of data protection principles and frequently asked questions (the “Safe Harbor Principles”) to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection is given to personal information transferred from the EU or Switzerland to the United States. The EEA and Switzerland have recognized the U.S. Safe Harbor as providing adequate data protection. OlaWell has established a comprehensive Privacy and Security Compliance program and is committed to protecting personal privacy consistent with the seven Safe Harbor Principles.


2. SCOPE
This Safe Harbor Privacy Policy (the “Policy”) applies to all personal information received by OlaWell in the United States of America from the EEA and Switzerland, in any form including electronic, paper or verbal.

3. DEFINITIONS
For purposes of this Policy, the following definitions shall apply:

"Agent" means any third party that collects or uses personal information under the instructions of OlaWell or to which OlaWell discloses personal information for use on OlaWell’s behalf.

"OlaWell Inc." means OlaWell, its successors, affiliates, subsidiaries, divisions and groups in the United States of America.

"Personal information" means any information or set of information that identifies or is used by or on behalf of OlaWell to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

"Sensitive personal information" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or that concerns health or sex life. OlaWell will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.

4. PRIVACY PRINCIPLES
The privacy principles in this Policy are based on the Safe Harbor Principles.

Notice: Where OlaWell collects personal information directly from individuals in the EEA or Switzerland, it will inform them about the purposes for which it collects and uses such personal information and the type of Agents to which it discloses such information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to OlaWell, or as soon as practicable thereafter, and in any event before OlaWell uses or discloses the information for a purpose other than that for which it was originally collected. Where OlaWell receives personal information from its subsidiaries, affiliates or other entities in the EEA or Switzerland, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals with respect to their personal information.

Choice: OlaWell does not use personal information for purposes other than those for which it was collected, i.e., the provision of OlaWell laboratory services. Personal information is not disclosed to non-agent third parties.

Onward Transfer: OlaWell ensures that any Agent to whom it transfers personal information will safeguard personal information consistent with the terms of this Policy. The majority of Agents to whom OlaWell transfers sensitive personal information are subject to the Health Information Portability and Accountability Act of 1996 (HIPAA) and are bound to protect the privacy and security of patient information.

In the event that information is transferred to an Agent who is not subject to the HIPAA Rules, OlaWell will assure that: the Agent is contractually obligated to provide at least the same level of protection as is required by HIPAA; is subject to EU Directive 95/46/EC (the EU Data Protection Directive); has certified to the Safe Harbor, or is subject to another European Commission adequacy finding (e.g., companies located in Switzerland).

Where OlaWell has knowledge that an Agent is using or disclosing personal information in a manner contrary to this Policy, OlaWell will take all reasonable steps to prevent or stop that use or disclosure.

Security: OlaWell will take all reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. OlaWell uses a combination of technologies, procedures and organizational measures to safeguard personal information.

Data Integrity: OlaWell will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. OlaWell will take all reasonable steps to ensure that personal information is relevant to its intended use and is accurate, complete and current.

Access and Correction: Upon request, OlaWell will grant individuals reasonable access to personal information that it holds about them. In addition, OlaWell will take reasonable steps to permit individuals to correct, amend or delete information that is inaccurate or incomplete. OlaWell will take reasonable steps to facilitate amendments to information provided by third parties if an individual raises a query.

Enforcement: OlaWell will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that OlaWell determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.

Dispute Resolution: Any questions or concerns regarding the use or disclosure of personal information should be directed to the OlaWell Privacy Officer at the address given below. OlaWell will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.

For complaints that cannot be resolved between OlaWell and the complainant, OlaWell has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner to resolve disputes pursuant to the Safe Harbor Principles.

5. LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by OlaWell to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.


6. INTERNET PRIVACY
OlaWell sees the Internet and online technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners and others. OlaWell recognizes the importance of maintaining the privacy of information collected and/or stored online and has created an Internet Privacy Policy governing personal information collected or stored through the websites it operates. With respect to personal information that is transferred from the EEA or Switzerland to the United States of America, the Privacy Policy is subordinate to this policy. However, the Privacy Policy also reflects additional legal requirements and evolving standards with respect to Internet privacy.


7. CONTACT INFORMATION
Questions or comments regarding this Policy should be submitted to the OlaWell Privacy Officer by mail as follows:

OlaWell Inc.  
Attention: Privacy Officer  
PO 185  
Manchester, MA 01944  
USA  
aberbic@olawell.com


8. CHANGES TO THIS SAFE HARBOR PRIVACY POLICY
This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. If we make changes to this Policy, we will promptly post a copy of the updated Policy on our website www.olawell.com. A notice will be posted on OlaWell's website whenever this Safe Harbor Privacy Policy is changed in a material way.