Regen Med Privacy Policy And Agreement

INCYTES™, OWNED BY REGEN MED (THE “COMPANY”), IS A PRODUCT-AGNOSTIC, CLOUD-BASED, CLINICAL-GRADE PLATFORM USED TO SUPPORT EVIDENCE-BASED HEALTHCARE DECISIONS.  USERS ENGAGE WITH EACH OTHER WITHIN AND ACROSS INSTITUTIONAL AND NATIONAL BOUNDARIES IN THE CONTEXT OF SPECIFIC TREATMENT PLANS AND OTHER HEALTH AND WELLNESS OBJECTIVES.  MORE INFORMATION CAN BE FOUND HERE AND HERE.

PLEASE READ THIS PRIVACY POLICY AND AGREEMENT CAREFULLY.  BY ACCEPTING IT, AND USING INCYTES™, YOU AGREE TO BE BOUND BY ITS TERMS.  

PLEASE CONSULT WITH YOUR HEALTHCARE PROFESSIONAL REGARDING ANY MEDICAL OR OTHER HEALTH-RELATED DECISION.

Table of Contents

1. DEFINITIONS
1.1. AUTHORIZED PARTY
1.2. COMPANY
1.3. COMPANY REPRESENTATIVE
1.4. CONSENT
1.5. DATA CONTROLLER
1.6. DATA PROCESSOR
1.7. DATA PRIVACY OFFICER
1.8. DATA SUBJECT
1.9. DATA SUB-PROCESSOR
1.10. GDPR
1.11. HCP
1.12. HIPAA
1.13. INCYTES™ LICENSE AGREEMENT
1.14. INCYTES™ PLATFORM
1.15. INCYTES™ USER
1.16. NON-PERSONAL DATA
1.17. PERSONAL DATA
1.18. PRIVACY LAWS AND POLICIES
2. HANDLING OF PERSONAL DATA
2.1. GENERAL
2.2. ROLES AND RESPONSIBILITIES
2.3. RIGHTS OF DATA SUBJECTS
2.4. REQUESTS TO RECEIVE OR DELETE PERSONAL DATA
2.5. NOTIFICATION OF SECURITY BREACH
3. SPECIFICALLY APPLICABLE CLAUSES
3.1. GDPR
3.2. HIPAA
4. OTHER TERMS AND CONDITIONS
4.1. FINAL AGREEMENT
4.2. DISPUTE RESOLUTION
4.3. NON-PERSONAL DATA
4.4. INCYTES™ LICENSE AGREEMENT
4.5. NOTICES AND COMMUNICATIONS
4.6. GOVERNING LANGUAGE

1. Definitions

1.1. Authorized Party

shall mean any individual or entity authorized through a Consent to maintain or review, solely for the purposes specified in such Consent, the Personal Data of a Data Subject.

1.2. Company

shall mean Regenerative Medicine LLC, a limited liability company formed and operating under the laws of the State of Delaware, U.S.A., and/or Regen Med Europe SLU, a limited liability company formed and operating under the laws of Spain, with its registered office at C/ Muntaner, 200, Primera Planta 08036 Barcelona, España.

1.3. Company Representative

shall mean any officer, director, employee, shareholder or other representative of the Company.

1.4. Consent

shall have the meaning attributed to it in GDPR Article IV.

1.5. Data Controller

shall have the meaning attributed to it in GDPR Article IV.

1.6. Data Processor

shall have the meaning attributed to it in GDPR Article IV.

1.7. Data Privacy Officer

Nicolas R. Tierney, ntierney@rgnmed.com.

1.8. Data Subject

shall have the meaning attributed to it in GDPR Article IV.

1.9. Data Sub-Processor

shall have the meaning attributed to it in paragraphs 2 and 4 of Article 28 of the GDPR.

1.10. GDPR

means the European General Data Protection Regulation.

1.11. HCP

shall mean a healthcare professional, and shall include any nurse, physician’s assistant, laboratory technician and other professional authorized by such HCP and the patient pursuant to

1.12. HIPAA

means The U.S. Health Insurance Portability and Privacy Act of 1996.

1.13. inCytes™ License Agreement

shall mean the document found here, as amended from time to time and as accepted by each inCytes™ User upon logging onto the inCytes™ Platform.

1.14. inCytes™ Platform

shall mean the software, features, content and other elements described here.

1.15. inCytes™ User

shall mean any natural individual or legal entity which uses the inCytes™ Platform for any purpose.  For the avoidance of doubt, a Data Subject and an Authorized Party are each an inCytes™ User.

1.16. Non-Personal Data

shall mean (i) data derived from Personal Data which is encrypted, de-identified, aggregated and/or otherwise treated in a manner which makes it impossible, or extremely difficult, to associate such data with a particular Data Subject, and (ii) any other data or information not protected under the GDPR, HIPAA or other Privacy Laws and Policies.

1.17. Personal Data

shall have the meaning attributed to it in GDPR Article IV, as well as any data or information specific to an individual which is considered by applicable law, regulations or the policies of an institution to be private or otherwise subject to protection, non-disclosure and/or privacy.

1.18. Privacy Laws and Policies

shall mean the GDPR, HIPAA and other rules, regulations, laws, directives, and/or institutional policies governing the collection, dissemination, protection and other use of Personal Data.

2. Handling Of Personal Data

2.1. General

Authorized Parties will use inCytes™ to collect and record Personal Data, as well as to communicate it to Data Subjects in various formats, including through the inCytes™ platform. The handling of Personal Data will be governed by the specific Privacy Laws and Policies applicable to the specific interaction between a Data Subject and the Authorized Party or Parties.

Personal Data is immediately and automatically encrypted by the inCytes™ platform. No Company representative has access to Personal Data. No Company representative will at any time, for any purpose, seek Personal Data from the Data Subject or an Authorized Party in the absence of an express written consent allowing such access from the Data Subject.

Personal Data will be stored and processed within the United States, unless alternative arrangements have been made between the Company and the Data Controller, in which case the Data Controller shall provide the Data Subject the details relating to the location and other relevant terms.

2.2. Roles and Responsibilities

The Company is a Data Processor. Your HCP and/or other Authorized Party is a Data Controller. Amazon Web Services (“AWS”) is a Data Sub-Processor. AWS policies on the handling of Personal Data for purposes of GDPR and HIPAA can be found here and here respectively.

Neither a Data Subject nor an Authorized Party shall, in the absence of an express writing to the contrary accepted by them, submit Personal Data to the Company.  If the Company comes into possession of what it considers in its sole discretion to be Personal Data, it shall promptly communicate such fact through an Authorized Party to the Data Subject.  

The Company shall not delete any such Personal Data unless and until instructed by the Data Subject or an Authorized Party to do so.  The Company may at any time request instructions from the Data Subject or Authorized Party with respect to handling Personal Data and shall comply with such instructions.  In the event the Data Subject or Authorized Party fails to provide instructions, the Company shall have the right to take such actions as it deems in its best judgment to comply with applicable Privacy Laws and Policies and shall have no liability to the Data Subject or Authorized Party with respect to any such actions.

2.3. Rights of Data Subjects

The relevant Privacy Laws and Policies and other rights of a Data Subject depend on a number of factors, including the jurisdiction in which he/she resides, and the nature of consents given to Authorized Parties.  A Data Subject should, in the event of any doubt regarding its rights with respect to Personal Data, seek clarification from its HCP or other Authorized Party and/or legal counsel.

2.4. Requests To Receive or Delete Personal Data

Within ten days of receipt of written instructions from the Data Subject or Authorized Party, the Company shall forward to the requesting party an electronic file comprising all Personal Data of such Data Subject, if any, maintained by the Company and shall, upon further written instructions from such Data Subject, permanently delete all such Personal Data.

2.5. Notification of Security Breach

As soon as practicable upon becoming aware of a security breach experienced by the inCytes™ platform, including that involving a Data Sub-Processor, the Company shall notify all inCytes™ Users of such breach and all available details concerning it, including steps taken or to be taken by the Company and/or Data Sub-Processor as applicable to remedy such breach.

3. Specifically Applicable Clauses

3.1. GDPR

With respect only to Data Subjects covered by the GDPR:
a. This Agreement shall be deemed to incorporate by reference the Standard Contractual Clauses notified under document C(2010) 593.
b. The Company shall follow all supplementary measures that the European Union requires from time to time to remain compliant with the GDPR.
c. The Company is prohibited from processing Personal Data without the consent of the Data Subject or an Authorized Party.
d. The Company will inform the Data Subject of any inability to comply with the GDPR as it pertains to the Data Subject.

3.2. HIPAA

a. Personal Data includes Protected Health Information.  The Company and Sub-Processor are Business Associates.  An Authorized Party may be a Covered Entity.
b. The Company agrees to:
i. Comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information.
ii. Report to the Data Subject or, as appropriate, an Authorized Party any use or disclosure of Personal Data not provided for by this Agreement and of which it becomes aware, including breaches of unsecured Personal Data as required at 45 CFR 164.410, and any other security incident of which it becomes aware.
iii. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Data Sub-Processor which creates, receives, maintains, or transmits Personal Data agrees to the same restrictions, conditions, and requirements that apply to the Company with respect to Personal Data.
iv. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

4. Other Terms and Conditions

4.1. Final Agreement

This is the final agreement between the Company and any inCytes™ User concerning its content, and supersedes all prior agreements or understandings, written or oral, concerning its subject matter.  No amendment or assignment of this Agreement shall be effective without the express written consent of the Company.

The Company shall make no change to this Agreement which in any way diminishes the rights of a Data Subject without the express written consent of such Data Subject.  The Company may otherwise amend this Agreement from time to time, which amendment shall be notified to all inCytes™ Users, and shall be deemed accepted and binding upon such inCytes™ Users through their continued use of the platform.  

4.2. Dispute Resolution

The agreements shall be governed by the laws of the State of Delaware, U.S.A. The parties hereto submit to the jurisdiction of the courts of Delaware for the purposes of resolving any dispute arising out of or in connection with this Agreement.

4.3. Non-Personal Data

HCPs and Authorized Parties may create aggregated datasets of Non-Personal Data for purposes of developing evidence-based standards of care.

4.4. inCytes™ License Agreement

The inCytes License Agreement shall be incorporated herein by reference, provided that in the event of any conflict between this Agreement and the inCytes License Agreement relating to the privacy rights of a Data Subject, the terms of this Agreement shall prevail.  Otherwise, in the event of conflict between the two agreements, the terms of the inCytes™ License Agreement shall prevail.

4.5. Notices and Communications

Any questions arising in the context of this agreement should be directed to the Company’s Data Privacy Officer, as specified in Section 1, above.

4.6. Governing Language

This Agreement may be translated into various languages.  In the event of any doubt as to the accuracy of any such translation, the English-language version shall prevail.