CONTENTS

(i)     iCare CLINIC service privacy policy for outside of US
(ii)    iCare CLINIC service privacy policy for US

 

ICARE CLINIC SERVICE PRIVACY POLICY FOR OUTSIDE OF US

 

This privacy policy has been updated on 26/03/2021.

1                     CONTROLLER

ICARE FINLAND OY (Business ID 1084502-3) (“iCare”)

Address: Äyritie 22, 01510 VANTAA, Finland

telephone: +358 9 8775 1150

email: [email protected]

The contact details may be amended from time to time and you can find current details in this privacy policy which is available at the address https://www.icare-world.com at all times.

2                     PERSON IN CHARGE OF REGISTER MATTERS

Full name: Vesa Hakkarainen

Contact information: [email protected]

The name and contact details may be amended from time to time and you can find current details in this privacy policy.

3                     NAME OF REGISTER

The name of the register is iCare CLINIC Service register. The iCare CLINIC Service register includes data originating from devices iCare HOME, iCare HOME2, iCare IC200 and iCare PRO and software / software services iCare CLINIC Service, iCare CLOUD, iCare PATIENT2 Application, iCare PATIENT Application and iCare EXPORT Application. All the devices and services are hereinafter referred to as “Services”.

The provision of Personal Data (as defined below in section 5) is voluntary. In case you do not provide the data that is marked as obligatory when the data is requested, iCare is not able to provide you with the Services.

4                     PURPOSE OF USE OF REGISTER AND LEGAL BASIS FOR PROCESSING

The purposes for and the legal grounds for processing of the Personal Data are as follows:

(a)    Performance of the agreement-related rights and obligations relating to the Services (“Agreement”) and in order to take steps prior to entering into the Agreement. Agreement-related rights and obligations are i) performance of the Agreement, ii) handling of customer service, iii) governing and handling of potential reclamations under the Agreement, iv) customer analyses and marketing research purposes under the Agreement as well as v) further development of iCare’s own products and services.

(b)    Compliance with a legal obligation and exercise of rights related to following types of obligations between iCare and you: obligations and rights related to customer relationships such as providing electronic services related mandatory information to you or replying to queries from you.

(c)    Your consent to the processing of your Personal Data (as defined below in section 6) for the following purposes: obligations and rights related to direct marketing and sections 5.1 b and 5.1 c.

(d)    Handling of storage, reporting and request obligations based on law and administrative orders and related guidelines regarding possible patient data matters.

The legal bases for the processing of the Personal Data are as follows:

(e)    You have given your consent to the processing of your Personal Data electronically for the purposes stated in the Section 4.1 c.

(f)     Processing of your Personal Data is necessary for the performance of the Agreement and in order to take steps at your request prior to entering into the Agreement. This relates to the above-mentioned purpose in the Section 4.1 a.

(g)    Processing of Personal Data is necessary for compliance with a legal obligation of the data controller, that is, the Supplier. This relates to the above-mentioned purposes in the Section 4.1 b.

(h)    Processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This relates to processing of possible patient data only.

5                     CONTENT OF REGISTER

The Personal Data is defined as follows:

(a)    your email address; your password; serial number of the iCare HOME, iCare HOME2, iCare IC200 or iCare PRO device (“Device”); your name; the data or other content uploaded from the Device to the Services; information on which eye is measured; point of time of measurement; measurement angle (angle of the Device compared with your eye); intraocular pressure value; intermediate results of the six samples of intraocular pressure measurements; quality rating of the measurement; cookie related information (see section 10 below); IP addresses relating to the Device and the Services; the free-text data written by you in the Services in connection with the measurement; reminders on when to take measurement or medication (medication information that you have voluntarily provided); the free-text data concerning conditions and actions defined by you related to measurement in general (you have voluntarily provided); the free-text messages exchanged between you and a professional health care provider (you have voluntarily provided); the time after which the Device will disable measurement function; the settings of the Device; and

(b)    any data required by Google Inc. and Google Ireland Limited and Google Commerce Limited as stipulated in their contract documentation available here: https://play.google.com/intl/en-us_us/about/play-terms.html ; and

(c)    any data required by Apple Inc. as stipulated in their contract documentation available here: https://www.apple.com/legal/internet-services/itunes/us/terms.html

6                     REGULAR SOURCES OF PERSONAL DATA

• enquiry from you

• the Services

• provided by you when you contact iCare’s customer service or when you utilize the Services

7                     REGULAR TRANSFEREES OF DATA

The Personal Data may be transferred to a subcontractor of the Supplier called Taitopilvi Oy (Business ID 2786133-7). The purposes of the transfers are the same as stated in the Section 4.1.

8                     TRANSFER TO COUNTRIES OUTSIDE EEA

iCare does not transfer your Personal Data to countries outside the European Economic Area (EEA) and European Union (EU) except for i) the USA or ii) the United Kingdom (“Third Countries”).

The basis of a transfer outside the EU area is the model clauses of the EU Commission or the adequacy decisions of the EU Commission. The text of the model clauses is available on the internet at the address http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm. The decisions are available on the internet at the address https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

9                     LINKS TO THIRD PARTY WEBSITES

The Services may have hypertext links to third party web sites. Please note that iCare is not liable for personal data processing on such web sites. Such third parties are not personal data controllers or processors towards iCare.

10                 COOKIES

iCare’s cookie policy can be found at the address https://www.icare-world.com. Please read the cookie policy together with this document.

11                 METHODS ON HOW REGISTER IS SECURED

The Personal Data is secured by using, for example, the following methods and principles:

(a)    locking systems at iCare’s and its subcontractors’ premises;

(b)    electrical surveillance systems of iCare’s and its subcontractors’ premises and equipment;

(c)    firewall, anti-malware and spam filtering systems of iCare’s and its subcontractors’ communication networks and other software and hardware that protect the security of communication networks;

(d)    detailed user rights in iCare’s IT systems;

(e)    professional knowledge of iCare’s personnel;

(f)     regular training of iCare’s personnel;

(g)    the content of the register is in electronic form only except in temporary special occasions; and

(h)    iCare’s policies and guidelines relating to Personal Data matters.

12                 RIGHT OF ACCESS

After having supplied sufficient search criteria, you have the right to get information on which Personal Data on you is being processed or information that no Personal Data is being processed.

Where such Personal Data are being processed, iCare shall provide the following information:

(a) the purposes of the processing;

(b) the categories of Personal Data concerned;

(c) the recipients or categories of recipients to whom the Personal Data are to be or have been disclosed, in particular to recipients in Third Countries;

(d) the period for which the Personal Data will be stored;

(e) the existence of the right to request from iCare rectification or erasure of your Personal Data or to object to the processing of such Personal Data;

(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(g) communication of the Personal Data undergoing processing and of any available information as to their source;

(h) the significance and envisaged consequences of such processing, at least in the case of measures which produce legal effects concerning you or significantly affects you and which are based solely on automated processing intended to evaluate certain personal aspects relating to you or to analyze or predict in particular your performance at work, economic situation, location, health, personal preferences, reliability or behavior; and

(i) information on the regular sources of Personal Data.

Where you make the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by you.

iCare shall provide a copy of your Personal Data undergoing processing. For any further copies requested by you, iCare may charge a reasonable fee based on administrative costs.

Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, iCare may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.

If you want to inspect the data concerning yourself as mentioned herein, you must present the request to iCare in a document hand signed by you or in a document certified in a similar manner or personally by visiting iCare.

13                 RECTIFICATION, PERIOD FOR WHICH PERSONAL DATA WILL BE STORED AND RIGHT TO LODGE COMPLAINT TO SUPERVISORY AUTHORITY

iCare shall, at your request, without undue delay correct, erase or supplement Personal Data contained in its Personal Data register if the data is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing, including by way of supplementing a corrective statement.

If iCare refuses your request for the correction of the data, iCare will give you a written certificate regarding this. The certificate will also include the reasons for the refusal. In such event, you may bring the matter to be handled by the Data Protection Ombudsman.

The Personal Data are processed for the time until the debt relationship directly related to the Personal Data becomes time-barred. The main rule according to law for a debt to become time-barred is three years. When mandatory law provides a longer or shorter time for processing, such limitation is applied.

iCare may also store Personal Data for as long as it is needed for the establishment, exercise or defense of possible legal claims.

You have the right to lodge a complaint to the supervisory authority. The contact details of the supervisory authority:

Office of the Data Protection Ombudsman

https://tietosuoja.fi/en/contact-information

P.O. Box 800

FI00531 HELSINKI

FINLAND

Address:

Lintulahdenkuja 4, 00530 HELSINKI, FINLAND

Tel: +358 29 56 66700 (exchange)

Fax: +358 29 56 66735

Email: [email protected]

14                 RIGHT TO PROHIBIT PROCESSING

You have the right to prohibit iCare from processing your Personal Data for purposes of direct advertising, distance selling, other direct marketing, market research, opinion polls, catalogues on persons or genealogical research.

You have the right not to be subject to a measure which produces legal effects concerning you or significantly affects you, and which is based solely on automated processing intended to evaluate certain personal aspects relating to you or to analyze or predict in particular your performance at work, economic situation, location, health, personal preferences, reliability or behavior.

You have the right to object, on grounds relating to your particular situation, to the processing of Personal Data which is based on either of the following grounds for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of iCare or (ii) when processing has been found necessary in order to protect your vital interests. You however do not have the right to object, if iCare demonstrates compelling legitimate grounds for the processing which override your interests or fundamental rights and freedoms.

15                 RIGHT TO BE FORGOTTEN AND TO ERASURE

You have the right to obtain from iCare the erasure of Personal Data relating to you and the abstention from further dissemination of such data, where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) you withdraw the consent on which the processing is based, or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(c) you object to the processing of Personal Data pursuant to Section 14.3 of this policy; or

(d) the processing of the data does not comply with lawful requirements for other reasons.

Instead of erasure, iCare shall restrict processing of Personal Data where:

(a) their accuracy is contested by you, for a period enabling iCare to verify the accuracy of the data;

(b) iCare no longer needs the Personal Data for the accomplishment of its task but they have to be maintained for purposes of proof; or

(c) the processing is unlawful and you oppose their erasure and request the restriction of their use instead.

In cases of restriction of processing of Personal Data in cases defined above, the Personal Data may, with the exception of storage, only be processed for purposes of proof, or with your consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

 

 

 

ICARE CLINIC SERVICE PRIVACY POLICY FOR US

 

This privacy policy has been updated on 26/03/2021.

1                     Introduction

This Privacy Policy (“Policy”) will help you understand how we use, share and protect personal information we collect about you when you use the iCare PATIENT, PATIENT2, EXPORT, CLINIC or CLOUD software.

This Privacy Policy applies only to personal information we collect or maintain on our own behalf. We also may collect personal information on behalf of, or receive personal information from, your medical provider in connection with your use of iCare products. For more information on how your medical provider or other businesses you engage with collect, use, and store your personal information, including sharing with service providers like us, we encourage you to review the relevant business’s privacy policy. We do not sell your personal information, and we prohibit any sale of the personal information we share with our service providers.

As described in more detail below, you may have rights with respect to the personal information we collect about you on our own behalf. We encourage you to read this Policy carefully, and to contact us if you have any questions.

2                     What types of personal information do we collect, where do we get it from, and why?

We collect personal information directly from you, such as through your interactions with our mobile applications and our website (www.icare-world.com/us/), or from your medical provider. In all cases, we collect personal information about you in accordance with the principles outlined in this Policy and applicable law.

As stated above, we may also receive personal information about you in our role as a service provider to your medical provider. This information may include your name; the data or other content uploaded from an iCare device to iCare’s CLINIC service; information on which eye is measured; point of time of measurement; measurement angle (angle of the Device compared with your eye); intraocular pressure value; intermediate results of the six samples of intraocular pressure measurements; quality rating of the measurement; the free-text data written by you in the Services in connection with the measurement; reminders on when to take measurement or medication (medication information that you have voluntarily provided); the free-text data concerning conditions and actions defined by you related to measurement in general (you have voluntarily provided); the free-text messages exchanged between you and a professional health care provider (you have voluntarily provided); the time after which the Device will disable measurement function if rental time has been defined for a Device by your medical provider; the settings of the Device.

For any such information, the privacy policy of your medical provider applies.

The following table provides more detailed information on the personal information we collect on our own behalf and why:

Information we collect: If you, as a representative of a business, obtain our product or service, we will collect your: name, address, email address, telephone number, payment information, commercial information about your previous interactions with us, and recordings of our calls with you.

Why we collect it: This information is necessary for us to provide the product or service you requested or to take steps to obtain those products or services, for us to comply with a legal obligation, or to carry out related business and operational activities.

Information we collect: If you use the iCare CLINIC software, we keep information about your identification in an auth token for the time you use the CLINIC software (i.e., until you log out). You can find more information about the auth token in the Cookies section of this Policy.

Why we collect it: This information is necessary for us to ensure the security and functionality of our CLINIC software, and related technology resources.

Information we collect: If you inquire about our product or service, or otherwise request or agree to receive electronic communications from us, we may collect your name, email address, phone number, or physical address. You may unsubscribe from any lists you request or agree to be on by clicking the unsubscribe link.

Why we collect it: This information is necessary to send you the communications and information you have requested.

 

Additional Information for California Residents

The personal information we collect about you includes information within the categories below. These categories are defined by California law and represent the personal information that we have collected about California residents, and how it has been shared, over the past 12 months. We do not necessarily collect all information listed in a particular category, nor do we collect all categories of information for all individuals. We have shared information in each category with our affiliates and service providers for our business purposes within the last 12 months. We have not necessarily shared all information listed in a category. 

 

Category

Source

Purpose of Collecting Information

Types of Third Parties Shared With

Category: Personal Identifiers. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: A subset of this data is processed in connection with our operational functions, including for us to open your account, call you or send you email, and process delivery of products or services to you. We also use it to send you notifications about your account, including billing statements, and to process/collect payments. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Information About You. Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: A subset of this data is processed in connection with our operational functions, including for us to open your account, call you or send you email, and process delivery of products or services to you. We also use it to send you notifications about your account, including billing statements, and to process/collect payments. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Sensitive information protected by federal or state law: familial status, disability, sex, national origin, religion, color, race, sexual orientation, gender identity and gender expression, marital status, veteran status, medical condition, ancestry, source of income, age, or genetic information.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: A subset of this data is processed in connection with our operational functions, including for us to open your account, call you or send you email, and process delivery of products or services to you. It is also processed to protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Commercial information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: A subset of this data is processed in connection with our operational functions, including for us to open your account, call you or send you email, and process delivery of products or services to you. We also use it to send you notifications about your account, including billing statements, and to process/collect payments. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Internet or other electronic network activity information: browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: A subset of this data is processed in connection with our operational functions, including for us to open your account, and process delivery of products or services to you. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Sensory information: audio, electronic, visual, thermal, olfactory, or similar information.

Source: This information is collected directly from you.

Purpose of Collecting Information: This data is processed in connection with our operational functions, including for us to process delivery of products or services to you. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

Types of Third Parties Shared With: Affiliates and service providers.

Category: Professional or employment-related information: such as your job title and entity affiliation.

Source: We collect information in this category:

- directly from you or your interactions with our information technology resources

- from records we have about you in the course of providing services or products

Purpose of Collecting Information: This data is processed in connection with our operational functions, including for us to open your account, call you or send you email, and process delivery of products or services to you. We also use it to send you notifications about your account, including billing statements, and to process/collect payments. It is also processed to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for data analytics.

We also use this information to advertise iCare products/services that might be of interest to you.

Types of Third Parties Shared With: Affiliates and service providers.

 

Cookies

When you access the iCare CLINIC software through a web page, we use a cookie called auth token to make our service more user-friendly, effective, and secure.

Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the application that the token has been issued for, rather than having to re-enter credentials each time they use the resource protected with that same token.

The user retains access as long as the token remains valid. Once the user logs out or quits an application, the token is invalidated. In other words, the auth token cookie we use is a “session cookie” which is automatically deleted as soon as you log out from iCare CLINIC.

3                     Who do we share your personal information with, and why?

We may disclose personal information about you with our service providers for the purposes described in this Policy where permitted by law.

The third parties we may share your personal information with include:

·      nonaffiliated service providers;

·      regulatory authorities;

·      our auditors and legal advisors;

·      relevant industry self-regulatory bodies; and

·      others, where permitted by law.

 

We do not sell your personal information, and we have contracts with our service providers to prohibit any sale of your personal information and to provide written assurances regarding the security and privacy protections they have in place to protect your personal information. Your information may only be transferred to another country for processing as permitted and in compliance with applicable law.

4                     Where do we keep your personal information and how long do we keep it?

We store personal information about you on computer systems operated by us or our service providers. We will maintain personal information about you for as long as necessary in connection with both our and your legal rights and obligations for the purposes for which it was collected, to defend or advance legal claims, or as otherwise required by applicable laws and regulations.

5                     How is my personal information secured?

We maintain physical, technological and administrative safeguards to protect your personal information and prevent unauthorized or accidental use, access, or loss. We limit access to personal information about you to those who have a business need for such access. We have policies in place that regulate how our employees and contractors handle information about you. We limit access to our premises and to our computer networks and take steps to safeguard against unauthorized access to such premises and networks. We have procedures in place to manage any suspected data security incident and will notify you consistent with applicable legal requirements.

6                     Your Rights

You may have various rights with respect to your personal information depending on where you live, the information we have about you, and the context in which it was obtained. These rights are defined under a variety of privacy laws and regulations, each of which may or may not apply to our relationship with you or your personal information.

We may choose to extend these rights to you even if we are not required to under applicable law.

For residents of California, to the extent we have collected information about you that is not governed by health information privacy laws, you may have rights to your personal information as described below:

 

Right to know – You may be entitled to request that we disclose to you the personal information we have collected about you, the categories of sources from which we collected the information, the purposes of collecting the information, the categories of third parties with whom we have shared the information, and the categories of personal information that we have shared with third parties for a business purpose. In some instances, you may have the right to receive the information about you in a portable and readily usable format. Before providing any of this information, we must be able to verify your identity.

 

Right to opt-out – We currently do not sell personal information to third parties, and therefore do not offer this option. We may share personal information about you with service providers as permitted by law. Please see the “Who do we share your personal information with, and why?” portion of this policy for more information.

 

Right to deletion – Subject to certain conditions, you may be entitled to request that we delete personal information about you. Before deleting information, we must be able to verify your identity. We will not delete personal information about you when the information is required to fulfill a legal obligation, is necessary to exercise or defend legal claims, or where we are required or permitted to retain the information by law. For example, we cannot delete information about you if your personal information is on the contract between us for our services or products.

 

We do not discriminate against you if you choose to exercise any of these rights.

 

Submitting Privacy Requests

 

You can exercise your privacy rights by submitting requests to us to exercise those rights and by taking other steps that will limit how information about you is collected, used, and shared.

 

For residents of California, you may exercise your privacy rights under the CCPA by submitting a Personal Information Request by visiting https://www.icare-world.com/us/contact-us/ or by calling this toll-free number – 888-422-7313 – to speak to a customer service representative.

 

We must verify your identity before fulfilling your personal information request. To verify your identity, we will collect information from you, including, to the extent applicable, your name, date of birth, contact information, your account information, or other personal identifying information. We will match this information against information we have previously collected about you or against information available from consumer reports to verify your identity and to respond to your request. Information collected for purposes of verifying your request will only be used for verification and to respond to your personal information request.

 

If you maintain an account with us, we may require you to login to that account as part of submitting your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request.

 

If you would like to appoint an authorized agent to make a request on your behalf, we require you to verify your identity with us directly before we provide any requested information to your approved agent.

 

Unsubscribe from promotional emails

 

If you no longer wish to receive marketing or promotional emails from us, please click the unsubscribe or manage subscriptions link included in the footer of every promotional email we send, or contact us directly as provided in the “Contact Us” section of this policy.

 

 

8                     Children and minors

We do not knowingly collect personal information directly from individuals under 18 years of age. Our services are not intended for individuals under 18 years of age. No one under 18 years of age should submit personal information through our services. We may collect personal information regarding individuals under 18 years of age from their parents or legal guardians, but only as necessary to provide our products and services. 

Linking to Third Parties

When you leave our website or application and go to another linked website, we are not responsible for the content or availability of the linked website. If you enter into a transaction on the third-party website, we do not represent either the third party or you. Further, the privacy and security policies of the linked website may differ from ours.

 

Changes to this Policy

We reserve the right to change this Privacy Policy at any time in our sole discretion. If we make changes, we will post the revised policy here, so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it. By continuing to use our services after notice is provided, you accept and agree to this Privacy Policy as modified.

 

International Users

The mobile application is governed by the laws of the United States and is not directed at users based outside of the United States.

 

Contact Us

If you have any questions about this Policy or your privacy rights, please contact us at:

 

Icare USA Inc.

4700 Falls of Neuse Rd. Ste 245

Raleigh, NC. 27609

Ph. +1 888.422.7313

Fax +1 877.477.5485

[email protected]