Last Updated: 2022
Owner and Data Controller
LASARRUS Clinic and Research Center – 1100 Wicomico St, Suite 330 – Baltimore, MD, 21230 (US)
Owner contact email: firstname.lastname@example.org
1) The information we collect, why we need it, and how we use it.
2) What choices you can make about how we use your information.
3) The measures we take to protect the security of the information and maintain regulatory compliance for HIPAA, GDPR, and other data regulations.
The personal information we collect and transmit may include healthcare information, including billing, insurance, and medical information. Therefore, our privacy practices are intended to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), the General Data Protection Regulation (“GDPR”), and other global privacy laws where we operate. We will maintain the privacy of your health information as required by HIPAA and the regulations promulgated under that act.
For additional information related to your healthcare information or if you have any questions, please reach out to us at email@example.com.
Access to and use of the Services by a healthcare provider who is a Lasarrus customer (a “Customer”) and such Customer’s authorized users is subject to and governed by the agreement between Lasarrus and the applicable Customer executed by authorized representatives of each party (the “Customer Agreement”). Lasarrus may collect, use and disclose information from a Customer and such Customer’s authorized users as set forth in the Customer Agreement. If you would like more information about the Services or becoming a Customer, please contact us at firstname.lastname@example.org.
The information we collect, why we need it, and how we use it.
We may collect the following types of personal information from users of our Services, and store it on your mobile device, and/or in a secure third-party cloud services provider database:
When you register to use the Service or create a Lasarrus account, we may collect your name and all other information provided to us, such as your email address, password, date of birth or gender. We also collect any information uploaded or otherwise input by you while using the Service, including, but not limited to, information related to medications you are taking and other health-related information about you. You may add information to your profile such as Patient ID, and information about your activity level, medical conditions, and medications. We use this information to create your account and provide you with the Services.
If you are a healthcare provider, we may also collect your National Provider Identifier (NPI).
Physiologic and Usage Data
We collect certain information through your use of the Devices and/or your smartphone connected to the Services, such as but not limited to: heart sound data, lung sound data, ECG data, PCG data, respiration data, temperature data, body kinematics data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, time zone and geographic location of data acquisition. We may collect such information from patients or from providers. We use this information to provide and improve the Services.
Customer Support Inquiries
If you contact us directly, such as when you contact our Customer Support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide. We may also collect technical information about your device, including your IP address or device ID, which we will use to provide you with support and to improve our services. Contact us at email@example.com if you have any questions.
Payment Information (applicable to Providers ONLY).
We use third-party payment processors to process any payments you make to us. When you make payments through the Services, you may need to provide your shipping address and financial account information, such as your credit card number, to our third-party service providers. All of the information you provide in connection with making a payment to us is collected and stored by the third-party service provider, not by Lasarrus. We do not collect or store financial information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.
De-identified, Anonymized and Pseudonymized Data
In an ongoing effort to better understand and serve our Customers, which are other users of the Services and communities of patients with chronic health conditions, Lasarrus conducts research based on data, including the Personal Information we collect from you and the other information provided to us. We compile and analyze any data we collect both on an aggregate basis and on a de-identified and pseudonymized basis to produce research and analyses. De-identified data and pseudonymized data cannot be used to identify you, but may contain markers that permit later re-identification by Lasarrus.
Anonymized data cannot be used to identify you and is unable to be re-identified and is no longer considered Personal Information. While the data Lasarrus uses to create the research and analyses may be de-identified or pseudonymized, the research and analyses products will be anonymized. Lasarrus may share the research and analyses in aggregated and anonymized format with its affiliates, agents, Customers, Customers’ affiliates, and other healthcare research and services entities. The research and analyses cannot be used to identify you personally and cannot be re-identified. Lasarrus may disclose aggregated, de-identified and/or pseudonymized information in order to describe our business and the Services to current and prospective business partners and Customers, and to other third parties for other lawful purposes. Lasarrus retains anonymized files of the PCG, ECG, Respiration, Temperature, and Body Kinematics recordings from Devices. These do not contain any associated Personal Information.
If you are a patient, your healthcare provider(s) may also monitor User Content in order to monitor your progress and overall condition and to follow up with you, as they deem appropriate in their independent judgment as your healthcare providers.
You agree that such monitoring activities, if in compliance with applicable privacy laws, will not entitle you to any cause of action or other right with respect to the manner in which Lasarrus or its affiliates or agents monitor your communications and enforces or fails to enforce the Terms of this agreement. In no event will Lasarrus or any of its affiliates or agents be liable for any costs, damages, expenses, or any other liabilities incurred by you as a result of monitoring activities by Lasarrus or its affiliates or agents.
Device and ISP Data
We use common information-gathering tools, such as log files, cookies and similar technologies to automatically collect information, which may contain Personal Information, from your computer or mobile device as you navigate our websites or interact with emails we have sent you. As is true of most websites, we gather certain information automatically via log files. This collected information may include your Internet Protocol (IP) address (or proxy server), device and application identification numbers, your location, your browser type, your Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. This information is used to analyze overall trends, to help us provide and improve our websites and to guarantee their security and continued proper functioning. We also collect IP addresses from users when they log into the services as part of the Company’s security features.
We use the Information We Collect to provide and improve our services.
Where permitted under applicable law, we use your information to:
provide, evaluate, and improve the Services, including to provide you with heart sound analysis, lung sound analysis, respiration analysis, body kinematic analysis, PCG analysis, and ECG analysis services and reports based on the analysis of your health-related information, including your physiologic data, Health Data, and data from third-party devices and services;
train our algorithms to improve our devices and Services;
analyze our products and their usage to enhance and improve our existing Service; to develop new products and services; manage our communications; and
perform accounting, auditing and other internal functions.
Communication with You
We may send you emails, text messages, and push notifications to your mobile device, if you have them enabled, to verify your account and for informational and operational purposes, such as account management, providing instructions, alerts, reminders, customer service, system maintenance, and other Service-related purposes. We may also permit users, such as your health care providers, to use the Services to send you emails, text messages, and push notifications.
Marketing and Data Analysis
To the extent permitted by applicable law, we may use your information to provide online advertising on the Services and to send you newsletters, offers, surveys, and other promotional information related to Lasarrus products and services. Where required under applicable law, we will obtain appropriate consent to send you marketing communications. You may opt out of email marketing by using the unsubscribe link in a marketing email, or by contacting us at firstname.lastname@example.org.
How We Share the Information We Collect
We consider your information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your Personal Information with certain third parties without further notice to you. Those circumstances are described below:
With Our Customers: If you are a Patient, we will share your Personal Information and Health Data with our Customer(s) that provide healthcare services to you. This will enable your healthcare provider to track your Health Data and combine such Health Data with other information about you that your provider obtains in treating you.
With Patient-Authorized Persons: If you are a Patient, you may have the option of identifying family, friends, or other people in the Lasarrus application to view certain of your information and receive alerts regarding your health and/or activities (“Permissions”). If you designate Permissions, we may make available certain of your Personal Information and Health Data, and related alerts, to the people you designate.
In the Event of a Business Transfer: We might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information may be part of the transferred assets.
With Our Agents, Consultants and Related Third Parties: Lasarrus, like many businesses, sometimes hires other companies to perform certain business-related functions. Examples of such functions include data hosting and billing management. When we employ another entity to perform a function of this nature, we only provide the entity with the information that it needs to perform its specific function.
To Meet Our Legal Requirements: We may disclose your Personal Information if required to do so by law or if we have a good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of you, us, other users of the Services or the public, or (iv) protect against legal liability.
NOTE: We may, from time to time, rent or sell aggregated data and/or other information that does not contain any personal identifiers (i.e., if the information has been anonymized by stripping out identifiers such as name, address, phone number, etc.). The purpose of this type of disclosure is to allow research institutions to learn more about symptoms associated with your medical condition(s).
Cookies and Analytics Technologies
The information collected in this manner includes IP address, browser characteristics, device IDs and characteristics, operating system version, language preferences, referring URLs, and information about the usage of our Service. We may link this data to your profile. You may be able to change browser settings to block and delete cookies when you access the Sites through a web browser. However, if you do that, the Sites may not work properly. Our ad networks and analytics service providers may also collect information about your use of other websites and online services over time, if those websites and online services also use the same service providers.
We currently use Google Analytics to collect and process certain website usage data. To learn more about Google Analytics and how to opt out, please visit google.com/policies/privacy/partners/.
We use the following “session cookies,” which last for as long as you keep your browser open. We have described the purpose of each, whether each is owned by Lasarrus or a third party, the information each collects, and how to withdraw consent below:
Cookie Name: Authentication Tokens.
Duration: 30 hours for the web application; unlimited for mobile.
Purpose: To authenticate you when you sign into the service.
Information Collected: A generated token that allows the server to identify you.
How to Withdraw Consent: Do not use our Service if you do not want to receive this cookie.
For Patients: Under HIPAA, your healthcare provider is generally required to provide or make available to you a Notice of Privacy Practices (“NPP”). The NPP is intended to explain to you the ways in which your healthcare provider may use and share your protected health information and inform you about your health privacy rights. For more information about how your healthcare provider uses and shares your information, ask your healthcare provider for a copy of their NPP. LASARRUS IS NOT RESPONSIBLE FOR YOUR HEALTHCARE PROVIDER’S USE OR SHARING OF YOUR INFORMATION.
Lasarrus processes Personal Information both as a Processor and as a Controller, as defined under the GDPR and other global privacy laws. With respect to the data that Lasarrus processes on your behalf, you represent and warrant that you have established an appropriate legal basis or bases to allow Lasarrus to process such data.
Lasarrus is a US-based company; we do not have locations in international jurisdictions, nor do we store any data outside of the US. If you are located outside of the US, all of your data will be transmitted to Lasarrus in the US and stored on US-based servers in compliance with applicable regulations.
All data collected by Lasarrus will be stored exclusively in secure hosting facilities. Lasarrus has a data processing agreement in place with its provider. All hosting is performed in accordance with the highest security regulations.
Under the GDPR and other global privacy laws, Lasarrus is typically a processor of data for patient data subjects and the medical professionals that purchase and use Lasarrus devices are the controllers of the data. Based on the data that Lasarrus collects and processes, Lasarrus is acting pursuant to Article 6 of the GDPR when processing data of EU medical professionals that create an account with us and use our software dashboard; either you have provided consent to the processing of your Personal Information, such processing is necessary for the performance of a contract, and/or such processing is necessary for the purposes of Lasarrus’s legitimate business interests which include providing these Services. Lasarrus also has appropriate legal bases to process your information in other international jurisdictions.
Your Rights and Choices
We offer you certain choices in connection with the information we collect about you.
Subject to applicable law, you may have the right to request access to and be informed about the information we maintain about you, update and correct inaccuracies in your information, and have the information blocked or deleted, as appropriate. If you wish to request access or an update to the information that we have concerning you, please email us at email@example.com.
Additionally, your health or medical information may be subject to special protections under some jurisdictions. We comply with all such applicable requirements.
Your rights to your information may be limited in some circumstances by local legal requirements. You also have the right to withdraw your consent to the collection of your information. Note however that if you exercise your right of blocking or deletion, if you decline to share certain information with us, or if you withdraw your consent, we may not be able to provide to you some of the features and functionalities of the Service.
EU DATA SUBJECT RIGHTS
If you are an EU data subject, the GDPR may apply to the Personal Information we collect from you. If so, you have the following rights under certain circumstances:
to receive communications related to the processing of your Personal Information that are concise, transparent, intelligible and easily accessible;
to be provided with a copy of your Personal Information held by us;
to request the correction or erasure (which may be accomplished by anonymization) of your Personal Information held by us without undue delay;
to request that we restrict the processing of your Personal Information (while we verify or investigate your concerns with this information, for example);
to object to the further processing of your Personal Information, including the right to object to marketing;
to request that your Personal Information be moved to a third party;
to receive your Personal Information in a structured, commonly used and machine-readable format;
to correct inaccurate Personal Information and, taking into account the purpose of processing the Personal Information, ensure it is complete;
to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"); and
to lodge a complaint with a supervisory authority.