
QAthlete Privacy Policy


Last update December 1, 2016

QAthlete designs products and tools that track everyday health and fitness to empower and inspire users to lead healthier, more active lives. This Privacy Policy applies to our personal health, fitness and electronic body monitoring products (“Devices”), our websites located at www.medeia.com, www.qathlete.com, www.sleepstudy.com, www.qmedical.com, www.biosigns.com, www.qline.com, and www.vitalscan.com (individually a “Site” and collectively “Sites”), the QAthlete Connect software (“Software”) and QAthlete mobile applications (each an “App” and collectively the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “QAthlete Service,” and by proceeding to use the QAthlete Service you consent that we may process the data that we collect from you in accordance with this Privacy Policy.

Because we’re always looking for new and innovative ways to help you achieve your health and fitness goals, this policy may change over time, but any future changes will not affect data that was collected under a previous version of this policy. If any modifications substantially change your rights, we will send an email summarizing the changes to the address associated with your QAthlete account and provide notice on the Site.

And remember, we’re here to help. If something in this policy does not make sense or if you have any questions, please contact us.

Website Visitors


Like most website operators, QAthlete collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. QAthlete's purpose in collecting non-personally identifying information is to better understand how QAthlete's visitors use its website. From time to time, QAthlete may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.

QAthlete also collects potentially personally-identifying information like Internet Protocol (IP) addresses. QAthlete does not use such information to identify its visitors, however, and does not disclose such information, other than under the same circumstances that it uses and discloses personally-identifying information, as described below.

Gathering of Personally-Identifying Information

Certain visitors to QAthlete's websites choose to interact with QAthlete in ways that require QAthlete to gather personally-identifying information. The amount and type of information that QAthlete gathers depends on the nature of the interaction. For example, we ask visitors who sign up for an account at my.qathlete.com to provide a username and email address. Those who engage in transactions with QAthlete are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, QAthlete collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor's interaction with QAthlete. QAthlete does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.

Aggregated Statistics

QAthlete may collect statistics about the behavior of visitors to its websites. QAthlete may display this information publicly or provide it to others. However, QAthlete does not disclose personally-identifying information other than as described below.

Protection of Certain Personally-Identifying Information

QAthlete discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on QAthlete's behalf or to provide services available at QAthlete's websites, and (ii) have agreed not to disclose it to others. Some of those employees, contractors and affiliated organizations may be located outside of your home country; by using QAthlete's websites, you consent to the transfer of such information to them. QAthlete will not rent or sell potentially personally-identifying and personally-identifying information to anyone. Other than to its employees, contractors and affiliated organizations, as described above, QAthlete discloses potentially personally-identifying and personally-identifying information only when required to do so by law, or when QAthlete believes in good faith that disclosure is reasonably necessary to protect the property or rights of QAthlete, third parties or the public at large.

If you are a registered user of a QAthlete website and have supplied your email address, QAthlete may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what's going on with QAthlete and our products. We primarily use our message forums to communicate this type of information, so we expect to keep this type of email to a minimum. If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users.

QAthlete takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.

Cookies

A cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns. QAthlete uses cookies to help QAthlete identify and track visitors, their usage of QAthlete website, and their website access preferences. QAthlete visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using QAthlete's websites, with the drawback that certain features of QAthlete's websites may not function properly without the aid of cookies.

Privacy Policy Changes

Although most changes are likely to be minor, QAthlete may change its Privacy Policy from time to time, and in QAthlete's sole discretion. QAthlete encourages visitors to frequently check this page for any changes to its Privacy Policy. If you have a my.qathlete.com account, you should also check the message forums for alerts to these changes. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance of such change.

What Data Does QAthlete Collect?


When You Activate a Device

When activating a QAthlete Device, you will be asked to download the QAthlete App or install Software and enter information about yourself, such as height, weight and gender. We use this information to personalize your health and fitness stats–for example, calories burned and distance traveled. Depending upon the specific Device you use, it can collect data such as the number of steps you take, your weight, measure your sleep quality and transmit this data to QAthlete. To see the full list of data that your Device collects.

When You Create a QAthlete Account

If you want to access data collected by your Device, you must create a QAthlete account. When you create a QAthlete account, we ask for some personal information, including your email address and date of birth. Your email address will be your QAthlete account user name, which you will use to log-into your account. We do not display your email address to other users. Instead, others will see the name or nickname you enter in your profile settings.

You can also create your QAthlete account using a different credential such as a Facebook or Google+ account. We will ask permission to access basic information from that account, such as your name, profile picture, and friend list. You can stop sharing that information with us at any time by removing QAthlete’s access to that account. We will access your phone’s contact list for the purpose of letting you identify contacts who are QAthlete users. We do not store your phone’s contact list, and it is deleted immediately after it is used for this purpose.

When You Add Information to Your Account

You can customize your QAthlete experience by adding other types of information to your account, such as entering a food log or setting an alarm, personalizing your profile with photos, participating in discussion boards, or sending messages to your QAthlete friends. Whenever you add this type of data, we collect it and store it in your QAthlete account.

When You Visit Our Sites

QAthlete collects industry standard data from everyone who visits our Sites, even if you don’t have a QAthlete account. This includes log data that automatically records information about your visit, such as your browser type, operating system, the URL of the page that referred you, the different actions you performed, and the IP address you used to access pages on the Site. We use this type of information to provide you with an experience that’s relevant to your location based on the IP address, to prevent Site misuse, and to ensure the Site is working properly. We also collect data from cookies. To see the full list of cookies we use and how we use them, please read our Cookie Policy.

When You Sync Your Device

When you sync your Device through an App or the Software, data recorded on your Device about your activity is transferred from your Device to our servers. This data is stored and used to provide the QAthlete Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing.

When You Make Purchases From Our Store

We do not view or store your credit card information. This is handled by our third-party payment processor. We store your shipping address so we can process your order through our fulfillment partner. If you are logged into your QAthlete account when you purchase something on our Site, we associate that order with your QAthlete account.

When You Contact Us For Help

Whenever you contact QAthlete for help, we collect your name and email address along with additional information you provide in your request so that we can provide you with assistance and improve the QAthlete Service. If you contact us when you are already logged in to your account, the web form automatically pre-fills this information, so you don’t have to type it manually. You can also contact QAthlete on public forums such as Twitter or Facebook; however, we cannot maintain the privacy of your communication to us if you contact us through these channels.

When You Add Friends

To help you stay motivated on your health and fitness journey, QAthlete lets you add friends who are already QAthlete users or invite friends who have not yet joined. You can add friends in several ways, such as by providing their email addresses, or by accessing social networking accounts or from the contact list on your phone. When you share your friends’ contact information with us to add them as a friend, we will only use it for this purpose. We do not store your phone’s contact list, and it is deleted immediately after it is used for this purpose.

When You Activate Location Features

The QAthlete Service includes features that require the collection of specific location data, including: GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. We only collect this type of data when you activate a location feature, such as run mapping. We stop collecting this type of data when you deactivate the feature. We store this information in your QAthlete account. If you are using a mapping feature, we will send your location information to our mapping service provider so they can display your location on a map. They are contractually prevented from sharing or using this data for any other purpose.

Information From Other Sources

We do not collect any information about you from other sources outside of your interaction with the QAthlete Service.

How We Use Your Data


QAthlete uses your data to provide you with the best experience possible, to help you make the most of your health and fitness, and to improve and protect the QAthlete Service. Here are some examples:

- Height, weight, gender and age are used to estimate your body profile, for example the number of calories you burn.

- Contact information is used to send you notifications, allow other QAthlete users to add you as a friend, and to inform you about new features or products we think you would be interested in.

- Data and logs are used in research to understand and improve the QAthlete Device and QAthlete Service; to troubleshoot the QAthlete Service; to detect and protect against error, fraud or other criminal activity; and to enforce the QAthlete Terms of Service.

- De-identified data that does not identify you may be used to inform the health community about trends; for marketing and promotional use; or for sale to interested audiences.

What Data May be Shared With Third Parties?


First and foremost: We don’t sell any data that could identify you. We only share data about you when it is necessary to provide the QAthlete Service, when the data is de-identified and aggregated, or when you direct us to share it.

Data That Could Identify You

Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you. We will only share this data under the following circumstances:

- With companies that are contractually engaged in providing us with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us.

- If we believe that disclosure is reasonably necessary to comply with a law, regulation, valid legal process (e.g., subpoenas or warrants served on us), or governmental or regulatory request, to enforce or apply the Terms of Service or Terms of Sale, to protect the security or integrity of the QAthlete Service, and/or to protect the rights, property, or safety of QAthlete, its employees, users, or others. If we are going to release your data, we will do our best to provide you with notice in advance by email, unless we are prohibited by law from doing so.

- We may disclose or transfer your PII in connection with the sale, merger, bankruptcy, sale of assets or reorganization of our company. We will notify you if a different company will receive your PII and the promises in this Privacy Policy will apply to your data as transferred to the new entity.

Data That Does Not Identify You (De-identified Data)

QAthlete may share or sell aggregated, de-identified data that does not identify you, with partners and the public in a variety of ways, such as by providing research or reports about health and fitness or as part of our Premium membership. When we provide this information, we perform appropriate procedures so that the data does not identify you and we contractually prohibit recipients of the data from re-identifying it back to you.

Data that You Direct Us to Share

You can direct us to share data with other parties. For example, you might authorize us to link your QAthlete account with a third-party app; send status updates to your Facebook or Twitter account; or direct us to share data with your employer as part of a wellness program. Once you direct us to share your data with a third party, that data is governed by the third-party’s privacy policy. You can revoke your consent to share with the third party at any time in your QAthlete account settings.

Other Ways You Might Share Your Data


Default Visibility Settings

The privacy settings on new QAthlete accounts are set to reveal only minimal data about you, while still letting you get active and involved with the QAthlete Service. To see what is visible to others, use the “Profile viewed by” tool in your account settings. You can adjust your account profile privacy settings at any time.

QAthlete Social Tools

QAthlete provides many ways for you to share data with other QAthlete users, such as with the 7-day Leaderboard, Challenges, or by posting comments to the QAthlete community message boards. When you interact with others in these ways, you will be displaying your data based upon the visibility settings in your QAthlete account settings. Always check specific policies associated with any Challenge to understand what data will be visible to other participants.

Community Posts

To post to QAthlete community message boards, you’ll be asked to create a community username that’s separate from your QAthlete profile name. This community username will be posted next to any comments you publish on community message boards. Other information, like a profile photo that you’ve added to your QAthlete account will also be visible on message boards, depending on your QAthlete account settings.

Contests and Giveaways

QAthlete may offer opportunities to participate in contests, giveaways and other promotions. Any data you submit in connection with these activities will be treated in accordance with this Privacy Policy, unless the rules for those offers note otherwise.

Surveys

QAthlete may also ask you to participate in surveys (processed by QAthlete or third parties) that help us understand your use of the QAthlete Service. Any PII you provide to QAthlete (or supplied by you or QAthlete to such third-party survey providers) in connection with these surveys will only be used in relation to that survey and as stated in this policy.

How Long We Save Your Data


We store your PII for as long as you maintain a QAthlete account.

How To Edit or Modify Data


Data that you provide to QAthlete through the Site can be modified from your dashboard or QAthlete account preferences. If you remove data from your QAthlete account, it will no longer appear to you or others who use the QAthlete Service. Backups of that data will remain associated with your QAthlete account and in our archive servers.

How To Deactivate Your QAthlete Account

You can deactivate your QAthlete account by contacting Customer Support. When you do, data that can identify you will be removed from the QAthlete Service, including but not limited to your email, name, photo(s), friends list and links to sites such as Facebook and Twitter. Backup copies of this data will be removed from our server based upon an automated schedule, which means it may persist in our archive for a short period. QAthlete may continue to use your de-identified data after you deactivate your account.

QAthlete’s Policies For Children

QAthlete is not directed at persons under the age of 13. We do not knowingly collect any PII from children under 13. If you are aware of a user under the age of 13 using QAthlete, please contact us.

Can I Opt-out Of Receiving QAthlete Emails?

Of course! You can opt-out of receiving weekly summaries, achievement notifications, contests, giveaways, surveys and promotional emails by changing the notification preferences in your account settings or by unsubscribing via the “Unsubscribe” link in any QAthlete email. Opting-out of these emails will not end transmission of important service-related emails that are necessary to your use of the QAthlete Service.

How Does QAthlete Keep My Data Safe?


QAthlete uses a combination of technical and administrative security controls to maintain the security of your data. If you have a security-related concern, please contact Customer Support.

How Does QAthlete Handle Data From International users?


The QAthlete Service is hosted and operated entirely in the United States and is subject to United States law. Any personal information that you provide to QAthlete is transferred to QAthlete for use solely in the United States and will be hosted on United States servers. You consent to the transfer of your personal information to the United States. If you are accessing the QAthlete Service from outside the United States, please be advised that United States law may not offer the same privacy protections as the law of your jurisdiction.

QAthlete complies with the U.S. - EU Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. QAthlete has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit http://www.export.gov/safeharbor/. In compliance with the Safe Harbor Principles, QAthlete commits to resolve complaints about your privacy and our collection or use of your personal information. European Union and Swiss citizens with inquiries or complaints regarding this privacy policy should first contact support.

QAthlete has further committed to refer unresolved privacy complaints under the Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the BBB EU SAFE HARBOR website at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

Data Protection


QAthlete is dedicated to protecting all customer data using industry best standards.

Many of our customers demand the highest levels of data security, and have tested our services to verify that they meet their standards. In each case, we have surpassed expectations and received high praise from large international organizations.

QAthlete’s most important concern is the protection and reliability of customer data. Our servers are protected by high-end firewall systems, and vulnerability scans are performed regularly so that any vulnerabilities are quickly found and patched. All services have quick failover points and redundant hardware, with complete backups performed nightly.

Most important is our segmented system component design. It uses multiple checks to ensure that packets from one subsystem can only be received by the subsystem designated to receive them. Access to systems is severely restricted to specific individuals, whose access is monitored and audited for compliance.

Customer data are stored in a specific location; they do not float around in the “cloud.” In addition, all data are processed in that location, and are not moved to another jurisdiction. In other words, if data are collected in the U.S., all data are processed in the U.S.

QAthlete uses Transport Layer Security (TLS) encryption (the protocol underlying HTTPS) for all transmitted data. Our services are hosted by ISO 27001 certified trusted data centers that are independently audited under the industry standard SSAE 16 attestation standard.

QAthlete deploys the general requirements set forth by many Federal Acts, including the Federal Information Security Management Act (FISMA) of 2002. We meet or exceed the minimum security requirements outlined in FIPS Publication 200.

Since our subscribers control their users and their data, it is important for users to follow sound security practices by using strong account passwords and restricting access to their accounts to authorized persons.

Regarding HIPAA, HITECH, and specific data types: QAthlete provides software and other services in which all data are processed equally, without regard to how a customer might classify their data. As such, QAthlete cannot declare or make representations about the classification of any data entered into its services. Any processing of specific data types is purely incidental, and not required to use the services.

HITECH (Health Information Technology for Economic and Clinical Health Act) updated HIPAA rules to ensure that data are properly protected and best security practices followed. QAthlete safeguards all customer data, and uses secure data centers to ensure the highest protection as per HITECH requirements.


EU Processor Privacy Rules (GDPR Compliant)


Article 1 – Scope, Applicability and Implementation


1.1 Scope: Medeia Inc as Data Processor
These Rules address the worldwide Processing of Personal Data of individual customers or employees of Business Customers (Business Customer's Individuals Personal Data or BCI Data) by Medeia Inc in its role as a Data Processor in the course of delivering Customer Services.

1.2 Processing in a non-Adequate Country
These Rules apply to BCI Data that are:
(i) subject to Data Transfer Restrictions; and
(ii) Processed by Medeia Inc in a non-Adequate Country.

1.3 Electronic and paper-based Processing
These Rules apply to the Processing of BCI Data by electronic means and in systematically accessible paper-based filing systems.

1.4 Applicability of local law and these Rules
Business Customer's Individuals keep any rights and remedies they may have under applicable local law. Where these Rules provide more protection than applicable local law or provide additional safeguards, rights or remedies for Business Customer's Individuals, these Rules shall apply.

1.5 Sub-policies and notices
Medeia Inc may supplement these Rules through sub-policies and notices that are consistent with these Rules.

1.6 Compliance Responsibility
These Rules are binding on Medeia Inc. The Responsible Executive shall be accountable for her business organization’s compliance with these Rules. Medeia Inc Staff must comply with these Rules.

1.7 Effective date
These Rules enter into force as of 16 July 2015 (Effective Date).

1.8 Rules supersede prior policies
These Rules supersede all Medeia Inc privacy policies that exist on the Effective Date to the extent they address the same issues or conflict with the provisions of these Rules.

1.9 Implementation
These Rules shall be implemented within Medeia Inc based on the timeframes specified in Article 15.

1.10 Role of Medeia Inc
Medeia Inc is tasked with the coordination and implementation of these Rules.

1.11 Privacy Officer Advice
Where there is a question as to the applicability of these Rules, Staff shall seek the advice of the appropriate Privacy Officer prior to the relevant Processing.

Article 2 – Business Customer Service Contract


2.1 Business Customer Service Contract
Medeia Inc shall Process BCI Data only on the basis of a written contract with a Business Customer (Business Customer Service Contract). The Medeia Inc Contracting Entity uses Sub-Processors, both Medeia Inc Sub-Processors and Third Party Sub-Processors, in the regular performance of Business Customer Service Contracts. The standard Business Customer Service Contract shall authorize the use of such Sub-Processors, provided that the Medeia Inc Contracting Entity remains liable to the Business Customer for the performance of the contract by the Sub-Processors. If the Business Customer Service Contract explicitly does not authorize the use of Sub-Processors, Article 7 shall not apply.

2.2 Termination Business Customer Service Contract
Upon termination of the Business Customer Service Contract, Medeia Inc shall, at the option of the Business Customer, return the BCI Data and copies thereof to the Business Customer or shall securely destroy such BCI Data and certify to the Business Customer that Medeia Inc has done so, except to the extent the Business Customer Service Contract or applicable law provides otherwise. In that case, Medeia Inc shall no longer Process the BCI Data, except to the extent required by the Business Customer Service Contract or applicable law.

2.3 Audit of termination measures
Medeia Inc shall, at the request of the Business Customer or Relevant Data Protection Authority, allow its Processing facilities to be audited in accordance with Article 10.2 or 10.3 (as applicable) to verify that Medeia Inc has complied with its obligations under Article 2.2.

Article 3 – Compliance Obligations of Medeia Inc


3.1 Instructions of the Data Controller
Medeia Inc shall Process BCI Data only on behalf of the Business Customer and in accordance with any instructions received from the Business Customer.

3.2 Compliance with Applicable Adequate Data Protection Law
Medeia Inc shall Process BCI Data only in accordance with the Applicable Adequate Data Protection Law and shall deal promptly and appropriately with requests for assistance of the Business Customer to ensure compliance of the Processing of the BCI Data with the applicable Adequate Data Protection Law.

3.3 Notification of non-compliance, substantial adverse effect
If Medeia Inc:
(i) determines that it is unable for any reason to comply with its obligations under Article 3.1 and 3.2 and Medeia Inc cannot cure this inability to comply; or
(ii) becomes aware of any circumstance or change in the Applicable Data Processor Law, except with respect to the Mandatory Requirements, that is likely to have a substantial adverse effect on Medeia Inc's ability to meet its obligations under Article 3.1, 3.2 or 10.3;
Medeia Inc shall promptly notify the Business Customer thereof, in which case the Business Customer will have the right to temporarily suspend the Processing until such time as the Processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Business Customer shall have the right to terminate the relevant part of the Processing by Medeia Inc.

3.4 Request for disclosure of BCI Data
Medeia Inc shall promptly notify the Business Customer of any legally binding request Medeia Inc receives for disclosure of BCI Data by a law enforcement authority unless otherwise prohibited by law from making such disclosure.

3.5 Inquiries of the Business Customer
Medeia Inc shall deal promptly and appropriately with inquiries of the Business Customer related to the Processing of the BCI Data pursuant to the terms of the Business Customer Service Contract.

Article 4 – Processor Purposes


4.1 Legitimate Business Purposes

Where Medeia Inc serves as a Data Processor, Personal Data and Sensitive Data may be Processed by Medeia Inc for one or more of the following purposes:
(i) Customer data management information technology services including:
(a) hosting, storage, backup, or archiving;
(b) reporting on the use of data services by a Customer;
(c) security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security, managing incidents); or
(d) account management of third-party use of Customer-specific Medeia Inc products or services (e.g., use reporting and billing of a Customer's customer on behalf of the Customer).
(ii) Customer support services including:
(a) providing (local and remote) assistance to Customer in the use or repair of Medeia Inc products or services;
(b) Medeia Inc generation of service level reports or other reports on a Customer's use of Medeia Inc products or services for Customer management information purposes; or
(c) life-cycle management of Medeia Inc products and services (e.g., planning, evaluation, demonstration, installation, calibration, training, maintenance, decommissioning) to facilitate continued and sustained use by a Customer of Medeia Inc products and services.
(iii) Customer-specific custom services including:
(a) device or system tuning for the purpose of adjusting the service or product to meet a Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying of device or system);
(b) the collection and analysis of Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Customer's internal operations);
(c) the purchase of goods and services on behalf of a Customer (e.g., contract broadband network service for device placement and data acquisition, third-party hardware integration); or
(d) the provision of training for Customer's staff or third parties (e.g., equipment training, HIPAA training, infection control training, radiation training).
(iv) Medeia Inc internal business process execution and management leading to incidental Processing of Personal Data or Sensitive Data for:
(a) internal auditing of Medeia Inc Processor-related activities;
(b) activities related to compliance with applicable law or regulation (e.g., data processing law, medical device regulation);
(c) data deidentification and aggregation of deidentified data for data minimization; and
(d) use of deidentified, aggregate data to facilitate continuity, sustainability, and improvement of Medeia Inc products and services.

Article 5 – Security Requirements


5.1 Data security
Medeia Inc shall take appropriate, commercially reasonable, technical, physical and organizational measures to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access during the Processing. Medeia Inc shall in any event take the measures specified in Annex 2 of these Rules, which Annex shall be revised by Medeia Inc if so required to reflect industry standards, or such stricter measures as instructed by the Business Customer in the Business Customer Service Contract.

5.2 Data access and confidentiality
Medeia Inc shall provide Medeia Inc Staff access to BCI Data only to the extent necessary to perform the Processing. Medeia Inc shall impose confidentiality obligations on Staff that has access to BCI Data.

5.3 Data Security Breach notification requirement
Medeia Inc shall notify the Business Customer of a Data Security Breach as soon as reasonably possible following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security or the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. Medeia Inc shall respond promptly to inquiries of the Business Customer relating to such Data Security Breach.

Article 6 – Transparency to Business Customer's Individuals


6.1 Copy of Data Protection Provisions of Business Customer Service Contract
Medeia Inc shall provide the Business Customer's Individual, at its request, the contact details of the relevant Business Customer. If the Business Customer's Individual is unable to obtain from the Business Customer a copy of the data protection provisions of the relevant Business Customer Service Contract, Medeia Inc shall provide the Business Customer's Individual with a copy of these provisions. Where the disclosure sets forth a description of detailed security measures, Medeia Inc may replace the details with a summary description.

6.2 Other Requests of Business Customer's Individuals
Medeia Inc shall promptly notify the Business Customer of requests (other than requests under Article 6.1) or complaints that are received directly from a Business Customer's Individual without responding to such requests or complaints, unless otherwise instructed by the Business Customer in the Business Customer Service Contract.
If instructed by the Business Customer to respond to requests and complaints of Business Customer's Individuals, Medeia Inc shall ensure that the Business Customer's Individual is provided with all required information (including the point of contact and the procedure) in order for the Business Customer's Individual to be able to effectively make the request or lodge the complaint.

Article 7 – Sub-Processors


7.1 Third Party Sub-Processing Contracts
Third Party Sub-Processors may Process Business Customer Data only if the Third Party Sub-Processor has a written contract with Medeia Inc. The contract shall impose similar data protection-related Processing terms on the Third Party Sub-Processor as those imposed on the Medeia Inc Contracting Entity by the Business Customer Service Contract and these Rules.

7.2 Publication of Overview of Sub-Processors
Medeia Inc shall publish on the appropriate Medeia Inc website an overview of the categories of Sub-Processors (both Third Parties and Medeia Inc) Medeia Inc involves in the performance of the relevant Customer Services. This overview shall be promptly updated in case of changes.

Article 8 – Supervision and compliance


8.1 Chief Privacy Officer
Medeia Inc shall appoint a Chief Privacy Officer who is responsible for:
(i) supervising compliance with these Rules;
(ii) providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues; and
(iii) coordinating, in conjunction with the appropriate staff, official investigations or inquiries into the Processing of BCI Data by a public authority.

8.2 Privacy Council
The Privacy Council (or, in its stead, the Board of Directors) shall create and maintain a Medeia Inc framework for:
(i) the development of the policies, procedures and system information (as required by Article 9);
(ii) planning training and awareness programs;
(iii) monitoring and reporting on compliance with these Rules;
(iv) collecting, investigating and resolving privacy inquiries, concerns and complaints;
(v) determining and updating appropriate sanctions for violations of these Rules (e.g., disciplinary standards).

8.3 Senior Privacy Officers
Medeia Inc does not have Senior Privacy Officers due to the size of the company.

8.4 Responsible Executive
The Board of Directors is the responsible executive and shall perform at least the following tasks:
(i) ensure that the policies and procedures are implemented and the system information is maintained (as required by Article 9);
(ii) provide the Senior Privacy Officers with such system information as is required for them to comply with the task listed in Article 8.3 sub (ii);
(iii) ensure that Personal Data are returned or securely deleted or destroyed after termination of the Business Customer Service Contract (as required by Article 2.2);
(iv) determine how to comply with the Rules when there is a conflict with applicable law (as required by Article 13.1); and
(v) inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc’s ability to comply with these Rules (as required by Article 13.2).

8.5 Default Privacy Officer
If no Senior Privacy Officer has been designated in a Sector, Country or Region, the Board of Directors is responsible for supervising compliance with these Rules.

8.6 Privacy Officers
Where a Privacy Officer holds her position pursuant to law, she shall carry out her job responsibilities to the extent they do not conflict with her statutory position.

Article 9 – Policies, procedures and training


9.1 Policies and procedures
Medeia Inc shall develop and implement policies and procedures to comply with these Rules.

9.2 System information
Medeia Inc shall maintain readily available information regarding the structure and functioning of all systems and processes that Process BCI Data (e.g., inventory of systems and processes, privacy impact assessments).

9.3 Staff training
Medeia Inc shall provide training on these Rules and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing BCI Data.

Article 10 – Monitoring compliance


10.1 Internal audits
Medeia Inc Internal Audit shall audit business processes and procedures that involve the Processing of BCI Data for compliance with these Rules. The audits shall be carried out in the course of the regular activities of Medeia Inc Internal Audit. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Board of Directors shall be informed of the results of the audits. In case the audit identifies violations of the Rules, these will be reported to senior management. A copy of the audit results will be provided to the Dutch Data Protection Authority upon request.

10.2 Business Customer audit
Medeia Inc shall provide to the Business Customer a statement issued by a qualified independent third party assessor certifying that the Medeia Inc business processes and procedures that involve the Processing of BCI Data comply with these Rules when requested by Business Customer.

10.3 Audit by Relevant Data Protection Authority
A Relevant Data Protection Authority may request an audit of the facilities used by Medeia Inc for the Processing subject to the same conditions (regarding the existence of the right to audit, scope, subject and other requirements) as would apply to an audit by that Data Protection Authority of the Business Customer itself under the Applicable Data Controller Law.

10.4 Annual Report
The Chief Privacy Officer shall produce an annual BCI Data protection report for Medeia Inc's Board of Directors on Medeia Inc's compliance with these Rules and other relevant issues.

10.5 Mitigation
Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address breaches of these Rules identified during the monitoring or auditing of compliance pursuant to this Article 10.

Article 11 – Legal issues


11.1 Specific provision when Data Protection Authorities in EEA have jurisdiction under national law.
If a Data Protection Authority of one of the EEA countries has jurisdiction under its applicable data protection law to evaluate data transfers by a Group Company established in its country, such Data Protection Authority may evaluate these data transfers also against these Rules. The Dutch Data Protection Authority will provide cooperation and assistance where required, including providing audit reports available at the Dutch Data Protection Authority insofar as relevant to evaluate the aforementioned data transfers against these Rules.

11.2 Rights of Business Customer's Individuals
When the Business Customer has factually disappeared or ceased to exist in law or has become insolvent, unless a successor entity has assumed the legal obligations of the Business Customer by contract or by operation of law (in which case the Business Customer's Individual should enforce its rights against such successor entity), the Business Customer's Individual can enforce against the Medeia Inc Contracting Entity Article 3, 5.1, 5.3, 6, 7.1, 7.2, 10.3, 11.1, 11.2, 11.4, and any claim for direct damages as a result of a breach of these enumerated provisions.
To the extent the Business Customer's Individual may enforce any rights against the Medeia Inc Contracting Entity, the Medeia Inc Contracting Entity may not rely on a breach by a Sub-processor of its obligations to avoid liability. Medeia Inc may, however, assert any defenses that would have been available to the Business Customer.

11.3 Jurisdiction for Claims of Business Customer's Individuals
The Business Customer's Individual may, at her choice, submit any claim she has under Article 11.2 against the Medeia Inc Contracting Entity:

(i) to mediation by;
a. an independent person located in the country in which the Business Customer's Individual resides or, if the Business Customer's Individual does not reside in an EEA Country, an independent person located in the Netherlands; or
b. a Relevant Data Protection Authority;

(ii) to the courts in the country of establishment of the Business Customer or, if the Business Customer is not established in an EEA Country, to a court in the Netherlands but in that case only against Medeia Inc; or

(iii) to a Relevant Data Protection Authority or, if the Business Customer is not established in an EEA Country, to the Dutch Data Protection Authority, but in that case only against Medeia Inc.

The courts, the Relevant Data Protection Authority and the Dutch Data Protection Authority shall apply their own substantive and procedural laws to the dispute. Any choice made by the Business Customer's Individual will not prejudice the substantive or procedural rights he may have under applicable law.

11.4 Rights of Business Customers
The Business Customer may enforce these Rules against the Medeia Inc Contracting Entity or, if the Medeia Inc Contracting Entity is not established in an EEA Country, against Medeia Inc. Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address violations of these Rules by the Medeia Inc Contracting Entity or any other Group Company. The Medeia Inc Contracting Entity or Medeia Inc may not rely on a breach by another Group Company or a Sub-processor of its obligations to avoid liability.

11.5 Available remedies, limitation of damages, burden of proof re. damages for Business Customer's Individuals
In case of a violation of these Rules, Business Customer's Individuals shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer's Individual resulting from a violation of these Rules.

Regarding the burden of proof in respect of damages, it will be for the Business Customer's Individual to demonstrate that she has suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of these Rules. It will subsequently be for the Medeia Inc Contracting Entity or Medeia Inc to prove that the damages suffered by the Business Customer's Individual due to a violation of these Rules are not attributable to a Group Company or a Sub-processor.

11.6 Available remedies, limitation of damages, burden of proof re. damages for Business Customers
In case of a violation of these Rules, Business Customers shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer resulting from a violation of these Rules.

11.7 Mutual assistance Group Companies and redress
All Group Companies shall cooperate and assist each other to the extent reasonably possible to achieve compliance with these Rules, including an audit or inquiry by the Business Customer or a Relevant Data Protection Authority.

The Medeia Inc Group Company that receives a request for information pursuant to Article 6.1 or a claim pursuant to Article 11.1 is responsible for handling any communication with the Business Customer's Individual regarding her request or claim, except where circumstances dictate otherwise and as mutually agreed among the Senior Privacy Officers relevant to the specific issue.

The Medeia Inc Group Company that is responsible for the Processing to which the request or claim relates, shall bear all costs involved and reimburse any costs made by other Medeia Inc Group Companies in respect thereof.

11.8 Advice by Relevant Data Protection Authority
Medeia Inc shall abide by the advice of a Relevant Data Protection Authority with regard to the Processing of BCI Data.

Article 12 – Sanctions for non-compliance


12.1 Non-compliance
Non-compliance of Medeia Inc employees with these Rules may result in disciplinary action up to and including termination of employment.

Article 13 – Conflicts between the Rules and Applicable Data Processor Law


13.1 Conflict between Rules and law
Where there is a conflict between Applicable Data Processor Law and the Rules, the relevant Responsible Executive shall consult with the appropriate Senior Privacy Officers and their legal departments to determine how to comply with these Rules and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

13.2 New conflicting legal requirements
The relevant Responsible Executive, in consultation with her legal department, shall promptly inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc's ability to comply with these Rules.

Article 14 – Changes to the Rules


14.1
Any changes to these Rules require the prior approval of the Chief Legal Officer.

14.2
Any amendment shall enter into force after it has been approved and published on the Medeia Inc General Business Principles Internet site and communicated to the Business Customers.

14.3
Any request or claim of a Business Customer's Individual involving these Rules shall be judged against the version of these Rules that is in force at the time the request, complaint or claim is made.

14.4
The Chief Privacy Officer shall be responsible for informing the relevant government authorities of material changes to these Rules on a yearly basis and coordinating their responses. The Chief Privacy Officer shall inform the Board of Directors of the effect of these responses.

Article 15 – Transition Periods


15.1 General Transition Period
Except as otherwise indicated, Medeia Inc shall strive to comply with these Rules as soon as possible after the Effective Date. In any event all Processing of Personal Data that is subject to these Rules shall be conducted in compliance with the Rules within one year of the Effective Date.

15.2 Transition Period for New Group Companies
Any entity that becomes a Group Company after the Effective Date shall comply with the Rules within one year of becoming a Group Company.

15.3 Transition Period for Divested Entities
A Divested Entity will remain covered by these Rules after its divestment for such period as is required by Medeia Inc to disentangle the Processing of BCI Data relating to such Divested Entity.

15.4 Transition Period for Systems
Where implementation of these Rules requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

15.5 Transition Period for Existing Agreements
Where there are existing agreements with Third Parties that are affected by these Rules, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

ANNEX 1 - Definitions


Adequate Country
ADEQUATE COUNTRY shall mean the EEA and those countries that the European Commission considers to provide an “adequate” level of data protection pursuant to Articles 25(6) and 31(2) EU Data Protection Directive.

Applicable Adequate Data Protection Law
APPLICABLE ADEQUATE DATA PROTECTION LAW shall mean the Data Protection Laws of an Adequate Country that are applicable to the Business Customer as the Data Controller of the BCI Data.

Applicable Data Processor Law
APPLICABLE DATA PROCESSOR LAW shall mean the Data Protection Laws that are applicable to Medeia Inc as the Data Processor of the BCI Data.

Business Customer
BUSINESS CUSTOMER shall mean the customer who has entered into a contract with Medeia Inc for the delivery of Medeia Inc Customer Services.

Business Customer's Individual
BUSINESS CUSTOMER'S INDIVIDUAL shall mean any individual whose Personal Data are Processed by Medeia Inc in its role as a Data Processor in the course of delivering Medeia Inc Customer Services to a Business Customer.

BCI Data
BCI DATA shall mean Personal Data of a Business Customer's Individual.

Business Customer Service Contract
BUSINESS CUSTOMER SERVICE CONTRACT shall mean the contract for delivery of Medeia Inc Customer Services entered into between a Medeia Inc Group Company and the Business Customer pursuant to Article 2.1.

Chief Legal Officer
CHIEF LEGAL OFFICER shall mean the chief legal officer of Medeia Inc.

Chief Privacy Officer
CHIEF PRIVACY OFFICER shall mean the officer referred to in Article 8.1.

Country
COUNTRY shall mean each country in which a Group Company is established.

Country Privacy Officer
COUNTRY PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Country, in accordance with Article 8.3.

Customer Services
CUSTOMER SERVICES shall mean the services provided by Medeia Inc to Business Customers to support products and services of Medeia Inc or a Third Party. Such services may include the (remote) monitoring of patient or customer data or repair, maintenance, upgrade, replacement, inspection and calibration activities, the collection or provision of diagnostic or operational information, and related support activities aimed at facilitating continued and sustained use of products and services of Medeia Inc or a Third Party.

Data Controller
DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Data Processor
DATA PROCESSOR shall mean the entity or natural person which Processes Personal Data on behalf of a Third Party Data Controller.

Data Protection Law
DATA PROTECTION LAW shall mean the laws of a country containing rules for the protection of individuals with regard to the Processing of Personal Data including security requirements for and the free movement of such Personal Data.

Data Security Breach
DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted BCI Data that compromises the security or privacy of such data to the extent the compromise poses a significant risk of financial, reputational, or other harm to the Business Customer's Individual. A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted BCI Data by an employee of Medeia Inc or the Business Customer or an individual acting under their respective authority, if (i) the acquisition, access, or use of BCI Data was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and (ii) the BCI Data are not further acquired, accessed, used or disclosed by any person.

Data Transfer Restriction
DATA TRANSFER RESTRICTION shall mean any restriction under the data protection laws of an Adequate Country regarding outbound transfers of Personal Data.

Divested Entity
DIVESTED ENTITY shall mean the divestment by Medeia Inc of a Group Company or business by means of:
a) a sale of shares as a result whereof the Group Company so divested no longer qualifies as a Group Company; and/or
b) a demerger, sale of assets, or any other manner or form.

EEA Countries
EEA COUNTRIES (European Economic Area Countries) shall mean all Member States of the European Union, Norway, Iceland, Liechtenstein and, for purposes of these Rules, Switzerland.

Effective Date
EFFECTIVE DATE shall mean the date on which these Rules become effective as set forth in Article 1.7.

Employee
EMPLOYEE shall mean an employee, job applicant or former employee of Medeia Inc.

EU Data Protection Directive
EU DATA PROTECTION DIRECTIVE shall mean the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Function
FUNCTION shall mean a corporate department organized within Medeia Inc (e.g. Corporate HRM, Corporate IT, Corporate Finance, Corporate Legal).

Function Privacy Officer
FUNCTION PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Function, in accordance with Article 8.3.

Group Company
GROUP COMPANY shall mean Medeia Inc and any company or legal entity of which Medeia Inc, directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only (i) as long as a liaison and/or relationship exists, and (ii) as long as it is covered by the Medeia Inc General Business Principles.

Medeia Inc
Medeia Inc shall mean Medeia Inc, having its registered seat in Heerhugowaard, The Netherlands.

Mandatory Requirements
MANDATORY REQUIREMENTS shall mean mandatory requirements of Applicable Data Processor Law which do not go beyond what is necessary in a democratic society i.e. which constitute a necessary measure to safeguard national security defense, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the state or the protection of a Business Customer's Individual or the rights and freedoms of others.

Personal Data
PERSONAL DATA shall mean any information relating to an identified or identifiable individual.

Medeia Inc
Medeia Inc shall mean Medeia Inc and its Group Companies.

Medeia Inc Contracting Entity
Medeia Inc CONTRACTING ENTITY shall mean the Medeia Inc Group Company that has entered into the Business Customer Service Contract.

Medeia Inc Privacy Council
Medeia Inc PRIVACY COUNCIL shall mean the council referred to in Article 8.2.

Medeia Inc Sub-Processor
Medeia Inc SUB-PROCESSOR shall mean any Group Company engaged by Medeia Inc as a Sub-Processor.

Privacy Officer
PRIVACY OFFICER shall mean the privacy officers appointed by the Senior Privacy Officers pursuant to Article 8.3.

Processing
PROCESSING shall mean any operation that is performed on BCI Data, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of BCI Data.

Region
REGION shall mean a particular geographic area in which certain Countries are grouped.

Region Privacy Officer
REGION PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Region, in accordance with Article 8.3.

Relevant Data Protection Authority
RELEVANT DATA PROTECTION AUTHORITY shall mean any data protection authority that is competent to supervise the Business Customer as the Data Controller of the BCI Data.

Responsible Executive
RESPONSIBLE EXECUTIVE shall mean the lowest-level Medeia Inc business executive or the non-executive general manager of a Medeia Inc ORU (Organizational Reporting Unit) who has primary budgetary ownership of the relevant Processing.

Rules
RULES shall mean the Processor Privacy Rules for BCI Data.

Sector
SECTOR shall mean a top-level product division that is globally served by a specific Group Company (e.g., Medeia Inc).

Sector Privacy Officer
SECTOR PRIVACY OFFICER shall mean the Senior Privacy Officer designated for a certain Sector, in accordance with Article 8.3.

Senior Privacy Officers
SENIOR PRIVACY OFFICERS shall mean the appropriate Sector Privacy Officers, Function Privacy Officers, Country Privacy Officers and/or Region Privacy Officers.

Sensitive Data
SENSITIVE DATA shall mean Personal Data that reveal a Business Customer's Individual’s racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union, physical or mental health including any opinion thereof, disabilities, genetic code, addictions, sex life, criminal offenses, criminal records, proceedings with regard to criminal or unlawful behavior, or social security numbers issued by the government.

Staff
STAFF shall mean all Employees and other persons who Process BCI Data as part of their respective duties or responsibilities using Medeia Inc information technology systems or working primarily from Medeia Inc premises.

Sub-Processor
SUB-PROCESSOR shall mean any Data Processor engaged to Process BCI Data as a sub-processor.

Third Party
THIRD PARTY shall mean any person or entity (e.g., an organization or government authority) outside Medeia Inc.

Third Party Sub-Processor
THIRD PARTY SUB-PROCESSOR shall mean any Third Party engaged by Medeia Inc as a Sub-Processor.

Third Party Sub-Processing Contract
THIRD PARTY SUB-PROCESSING CONTRACT shall mean the written contract entered into between the Medeia Inc Contracting Entity and the Third Party Sub-Processor pursuant to Article 7.1.

Interpretation of these rules:


I. Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time.
II. Headings are included for convenience only and are not to be used in construing any provision of these Rules.
III. If a word or phrase is defined, its other grammatical forms have a corresponding meaning.
IV. The female form shall include the male form.
V. The words “include,” “includes,” “including” and “e.g.”, and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa; and
VI. A reference to a document (including, without limitation, a reference to these Rules) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by these Rules or that other document.

ANNEX 2 - Data Security


Security Policy Overview
IT systems and information are vital assets, which are essential to Medeia Inc business. Medeia Inc has established an IT Security Framework, associated policies, and mandatory standards to protect the confidentiality, availability, and integrity of these assets.

The following provides an overview of those policies, procedures and processes that comprise the technical, physical and organizational measures employed by Medeia Inc to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

Medeia Inc Security Risk & Compliance Policy Framework
This document establishes the framework of IT security, risk, and compliance management policies and guidelines issued by Medeia Inc IT department. Each Medeia Inc business is responsible for integrating the controls based on appropriate risk assessments, and evolving industry standards.

Medeia Inc Information Security Policy - UDN 1596
This document describes objectives, responsibilities and mandatory rules for information security. This policy is derived from the Medeia Inc General Business Principles and is fully endorsed by the Medeia Inc Board of Management. This policy, along with the IT Security Controls document (see below), comprises the mandatory Medeia Inc Information Security Policies.

Medeia Inc IT Security Controls
The Medeia Inc IT Security Controls document is an extension of the Medeia Inc Information Security Policy (UDN 1596) and describes the control objectives, and key controls, including policies, processes, and procedures, organizational structures and software and hardware functions. This document is a statement of responsibilities of both Medeia Inc management and staff in order to establish and maintain an organization-wide secure IT environment. The following are examples of data security controls, further detailed in the Security Controls document:

• Data Classification
• Asset Accountability
• Encryption
• Training
• Physical Security Controls
• Security Risk Assessment
• System Planning and Acceptance
• Segregation of Duties
• Software Patching and Updates
• Backup and Restore
• Network Management Controls, including Audit Logging, Remote User Access, etc.
• Media Handling and Security, including Procedures for Secure Destruction of Data, etc.
• Exchange of Information and Software (between company systems)
• Access Controls
• Authentication
• Third-party Access Controls
• Mobile Computing
• Electronic Messaging
• Information Security Incident Management
• Business Continuity Management

Medeia Inc IT Security Standards, Guidelines and Baselines
Additional documents set forth further direction for implementation of specific, required controls, including:
• User Account and Password Management
• Internal Firewall Policy
• IT Security Disk Encryption Policy
• IT Security Risk Assessment

Information Classification and Access Control
Medeia Inc regards information required for the pursuance of its business as a corporate asset, which must be protected against loss and against infringements of its integrity and confidentiality. Each organizational unit is required by policy to assess risks to identified information assets and to periodically check the level of security through security reviews.
Information is classified into one of three categories, and each classification requires appropriate levels of security controls (e.g., encryption of data classified as secret or confidential).

Medeia Inc Security Policy further requires that security measures for the processing and storage of information be proportionate to the classification level, and that each user be uniquely identifiable via a personal user identification.

Access controls exist to restrict access to systems and data to management-authorized individuals for valid business purposes only. Medeia Inc Staff and Third Parties processing Medeia Inc information are accountable for the protection of that information and the applicable assets, per Medeia Inc Security Policies.

System Integrity and Availability
Each Medeia Inc organization is responsible for formal acceptance of the continuity of its business in the event of degradation or failure of the information infrastructure.

Back-up copies of critical business information and software must be taken regularly and tested to ensure recovery. Contingency procedures must be tested at least annually, and workability of the contingency plan must be formally verified.

Activity Logging
Medeia Inc IT Security Controls require appropriate logging and monitoring to enable recording of IT security-relevant actions. IT Security features, service levels and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced. Also, formal procedures are required for authorizing access to systems or applications, and all user access rights and privileges must be reviewed at regular intervals, at least quarterly.

Security Incidents
All employees, contractors, and third-party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services, through management channels, to the Medeia Inc CSIRT (Computer Security Incident Response Team) for investigation and follow-up, as appropriate. IT Security incidents that involve personal data or that may have privacy implications must also be reported to the applicable Privacy Officer.

Physical Security
Medeia Inc IT Security Policy requires Medeia Inc management to identify those areas requiring a specific level of physical security; access to those areas is provided only to authorized persons for authorized purposes. Medeia Inc secured areas employ various physical security safeguards, including closed-circuit television monitoring, use of security badges (identity-controlled access) and security guards stationed at entry and exit points. Visitors may only be provided access where authorized and are to be supervised at all times.

Compliance
Medeia Inc has a standing Security Risk & Compliance organization (SRC) that regularly monitors the implemented security measures and implementation of new security requirements. Compliance with Medeia Inc IT Security Policies is accomplished through annual training, periodic reviews of local and organization-wide policies and procedures, and audits.