PRIVACY POLICY
Your privacy is important to us so we have created this privacy policy (this “Privacy Policy”) to explain what Personal Data we collect and why we collect it. This Privacy Policy is solely about HealthMetric, our mobile application (“HealthMetric”).
You acknowledge that this Privacy Policy is part of the HealthMetric Terms of Use, and by accessing or using HealthMetric, you agree to be bound by both this Privacy Policy and the Terms of Use. If you do not agree to abide by both this Privacy Policy and the Terms of Use, please do not use HealthMetric.
This Privacy Policy was written in English. To the extent a translated version conflicts with the English version, the English version controls. Unless otherwise indicated, this Privacy Policy does not apply to third party products or services or the practices of companies we do not own or control.
Who Controls and Owns HealthMetric?
Management Science Associates, Inc. (“MSA”) controls and owns HealthMetric. For more information, contact healthmetric@msa.com.
If you live in the European Economic Area, United Kingdom, Switzerland, Australia, or the states of California, Colorado, Connecticut, Utah, or Virginia, Management Science Associates, Inc. controls your personal data and provides you with HealthMetric and related services. If you are seeking to exercise any of your statutory rights relating to HealthMetric, please contact our Data Protection Officer at MSADataProtectionOfficer@msa.com. You may also contact MSA at:
Management Science Associates, Inc. Attn: HealthMetric
400 MSA Drive
Tarentum, PA 15084
If located in the United Kingdom, you may contact the following:
If located in the European Economic Area or Switzerland, you may contact the following:
Management Science Associates, Inc.
Management Science Associates, Inc.
Attn: HealthMetric
MSA Focus International Ltd Neptune Court, Vanguard Way
Ocean Park, Cardiff, United Kingdom CF245PJ
Attn: HealthMetric
What Types of Personal Data Does HealthMetric Collect?
When a User accesses or uses HealthMetric, all data entered by the User, including, but not limited to, the following types of Personal Data, are collected:
• All data manually entered into HealthMetric
• All data that has been authorized to use (read and/or write)
• All data collected to establish your account such as:
• your name
• address
• community where you reside
• email address
• cell phone number
• mobile carrier
• HealthMetric username and password.
• IP addresses
• browser type
• phone type
• internet service provider (ISP)
• Cookie
Information We Receive From Your Use of HealthMetric. Your device collects data to estimate a variety of metrics. The data collected varies depending upon which device you use. When your device syncs with our application or software, data recorded on your device is transferred from your device to our servers.
Location Services. HealthMetric includes features that use and collect location data. We collect this type of data if you grant us access to your location. You can always remove our access to your location using the HealthMetric account settings.
Usage Data. When you access or use our services, we receive certain usage data. This includes information about your interaction with HealthMetric, for example, when you view or search content, install applications or software, create or log into your account, pair your device to your account, or otherwise open or interact with HealthMetric. We also collect data about the devices and computers you use to access HealthMetric, including IP addresses, browser type, language, operating system, mobile device information (including device and application identifiers), the referring web page, pages visited, location (depending on the permissions you have granted us), and cookie information.
Information We Receive From Third-Parties. If you choose to connect your account on our services to your account on another service, we may receive information from the other service. For example, we may receive information like your name, profile picture, age range, language, email address, and friend list. You may also choose to grant us access to your exercise or activity data from another service. You can stop sharing the information from the other service with us by removing our access to that other service.
Health and Other Special Categories of Personal Data. To the extent that information we collect is health data or another special category of Personal Data subject to the European Union’s General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act of 2018 (“CCPA”) and as amended and replaced by the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the United Kingdom’s Data Protection Act of 2018 (“DPA”) or Australia’s Privacy Act of 1988 and/or the Australian Privacy Principles (collectively “APP”), we ask for your explicit consent to process the data. We obtain this consent separately when you take actions leading to our obtaining the data, for example, when you pair your device to your account or grant us access to your exercise or activity data from another service. You can use your account settings and tools to withdraw your consent at any time, including by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account.
Any use of Cookies – or of other tracking tools – by HealthMetric, unless stated otherwise, serves to identify Users and remember their preferences, for the sole purpose of providing the service required by the User.
Failure to provide certain Personal Data may make it impossible for HealthMetric to provide its services.
Some of our pages utilize framing techniques to serve content to and from our partners while preserving the look and feel of our site.
How We Use Information
MSA uses the information it collects from you for the following purposes:
Provide and Maintain HealthMetric. Using the information MSA collects, it is able to deliver and operate HealthMetric and honor its Terms of Use with you. For instance, MSA requires your information to provide you with your HealthMetric score; to enable community features; and to provide customer support. For HealthMetric’s community features, we may use your information to help you find and connect with other users and allow other users to find and connect with you.
Improve, Personalize and Develop HealthMetric. MSA uses the information it collects to improve and personalize HealthMetric and to develop additional features. For example, MSA uses the information to troubleshoot and protect against errors, perform data analysis and testing, conduct research and surveys, and develop new features and services.
Communicate With You. MSA uses your information when needed to send you service notifications and respond to you. MSA also uses your information to promote new features and/or products it thinks you would be interested in. You can control marketing communications and most service notifications by using your notification preferences in account settings or via the “unsubscribe” link in an email.
Promote Safety and Security. MSA uses the information it collects to promote the safety and security of HealthMetric, its users, and other parties. For example, it may use information to authenticate users, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce its terms and policies.
Personal Data concerning the User is collected for the following additional purposes:
• Analytics within the HealthMetric app;
• Analytics of Health Information collected and/or entered into other health and fitness applications;
• Displaying content from external platforms;
• Integrating such Personal Data (in de-identified form) with additional laboratory and other data for use in analytics and related contexts; and
• Providing third parties with information and services in its sole and absolute discretion but in any event, MSA shall do so with my Personal Data only: (i) after my Personal Data has been de-identified; and (ii) for the purposes of health management and/or health research, and I hereby grant MSA complete permission to receive, use, and disclose my Personal Data in de-identified form to such third parties as contemplated under this paragraph.
MSA uses cookies and similar technologies for the purposes described above.
For Personal Data subject to the GDPR, the DPA, the APP, the CPRA, the CPA, the CTDPA, the UCPA, and the VCDPA, we rely on several legal bases to process the data. These include when you have given your consent, which you may withdraw at any time using your account settings and other tools; when the processing is necessary to perform a contract with you, like the Terms of Use; and our legitimate business interests, such as in improving, personalizing, and developing the services, marketing new features or products that may be of interest, and promoting safety and security as described above. For more information, please see the “Legal Bases” section below.
How and Where Will Personal Data Be Processed?
Method of Processing
MSA processes the Personal Data of Users in a proper manner and takes appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of the Personal Data.
The Personal Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to MSA, in some cases, the Personal Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by MSA. The updated list of these parties may be requested from MSA at any time.
MSA employs and maintains an information security management system, which utilizes certain data protection mechanisms, such as encryption, to prevent unauthorized or unlawful access, destruction, loss, alteration, or disclosure of the Personal Data of Users. HealthMetric undergoes periodic security assessments to ensure the constant protection of the Personal Data of Users.
Place
The Personal Data is processed at MSA’s operating offices and in any other places where the parties involved with the processing are located. For further information, please contact MSA.
Conservation Time
The Personal Data is kept for the time necessary to provide the service requested by the User, or stated by the purposes outlined in this Privacy Policy, and the User can always request MSA for their suspension or removal. In the event that you terminate your HealthMetric account, MSA will continue to adhere to the policies and practices described in this Privacy Policy.
With Whom Will We Share Your Information?
We may disclose aggregated information about our Users, and information that does not identify any individual, without restriction.
We do not sell your Personal Data that you provide freely or that we collect in connection with your use of HealthMetric.
We may disclose Personal Data that you provide freely or that we collect automatically:
• To our subsidiaries and affiliates to provide support to you in connection with your use of HealthMetric.
• To contractors, service providers, websites linked to HealthMetric, and other third parties we use to support HealthMetric and who are bound by contractual obligations to keep Personal Data confidential and use it only for the purposes for which we disclose it to them.
• To fulfill the purpose for which you provide it.
• To third parties in our sole and absolute discretion but in any event, MSA shall do so with my Personal Data only: (i) after my Personal Data has been de-identified; (ii) for the purposes of health management and/or health research; and (iii) after express consent is provided by you in the following form, “I hereby grant MSA complete permission to receive, use, and disclose my Personal Data in de-identified form to such third parties as contemplated under this paragraph.”
• For any other purpose disclosed by us when: (i) you provide the information; or (ii) we might subsequently revise the express provisions of this Privacy Policy, our Terms of Use, and/or our Patient Authorization and Opt-In to Use/Disclose Personal Health Information or Personal Data to disclose such other purpose and in such latter case, you shall consent to such other use through your continued use of HealthMetric.
• With your consent.
We may also disclose your Personal Data and information:
• To the extent that it is required to do so by law, in legal proceedings or in the stages leading to possible legal action arising from improper use of HealthMetric or the related services or to establish, exercise or defend its legal rights.
• To enforce or apply our Terms of Use and other agreements.
• If we believe in good faith that disclosure is necessary or appropriate to protect the rights, property, or safety of MSA, our customers or others, or to investigate fraud.
With Whom Will We NOT Share Your Information?
Any sharing of the Personal Data of Users is limited to those purposes outlined in the preceding section. All other transfers, uses or sales of the Personal Data of Users are prohibited, including:
• Transferring or selling the Personal Data of Users to third parties like advertising platforms, data brokers, or any information resellers.
• Transferring, selling, or using the Personal Data of Users for serving ads, including personalized or interest-based advertising.
• Transferring, selling or using the Personal Data of Users to determine credit-worthiness or for lending purposes.
• Transferring, selling or using the Personal Data of Users with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic Act if the Personal Data of Users will be used by the medical device to perform its regulated function.
• Transferring, selling or using the Personal Data of Users for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless express written approval is provided.
Data Retention
MSA keeps your account information, including, but not limited to, your name, email address, and password, for as long as your account is in existence because we need it to operate your account. In some cases, when you give us information for a feature of HealthMetric, we delete the data after it is no longer needed for the feature. We keep other information, like your exercise or activity data, until you use your account settings or tools to delete the data or your account because we use this data to provide you with your personal statistics and other aspects of the services. We also keep information about you and your use of the services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the “How We Use Information” section of this Privacy Policy.
The Rights of Users
MSA provides account settings and tools to access and control your Personal Data, as described below, regardless of where you live. If you live in the European Union, European Economic Area, United Kingdom, Switzerland, Australia (“the Designated Countries”), or the states of California, Colorado, Connecticut, Utah, and Virginia, you have a number of legal rights with respect to your information, which your account settings and tools allow you to exercise, as outlined below.
Accessing and Exporting Data. By logging into your account, you can access much of your Personal Data, including your dashboard with your daily exercise and activity statistics. To receive the entirety of your Personal Data collected by HealthMetric in a commonly used file format, please contact MSA’s Data Protection Officer at MSADataProtectionOfficer@msa.com. Before your Personal Data that has been collected by HealthMetric is produced, you will be asked to verify your request and your identity. A request for the production of your Personal Data may be made by your authorized agent if your authorized agent provides your written permission to MSA.
Right to Opt-Out of the Sale of Personal Data. Under the CPRA, CPA, CTDPA, UCPA, VCDPA, the DPA, the APP and the GDPR, you have the right to opt-out of the sale of your Personal Data by a business. MSA does not sell your Personal Data that you provide freely or that we collect in connection with your use of HealthMetric.
Editing and Deleting Data. Your account settings let you change, correct and delete your Personal Data. For example, you may edit or delete the profile data you inputted in HealthMetric through your account settings. You may request the entirety of your Personal Data be deleted through the “Help: Privacy Question” section in account settings and submitting a request to MSA.
If you choose to delete your account, please note that while most of your information will be deleted within thirty (30) days, it may take up to ninety (90) days to delete the entirety of your information. We may also preserve data for legal reasons to prevent harm. Please note that deleting and/or removing HealthMetric from your device(s) does not delete, or request deletion of, your account and Personal Data.
Before your Personal Data is deleted, you will be asked to verify your request and your identity. A request to delete your Personal Data may be made by your authorized agent if your authorized agent provides your written permission to MSA.
Objecting to Data Use. We give you account settings and tools to control our data use. For example, through your account settings, you can limit how your information is visible to other users of HealthMetric; using your notification settings, you can limit the notifications you receive from MSA; and under your application settings, you can revoke access of third-party applications that you previously connected to your HealthMetric account.
If you live in a Designated Country, in certain circumstances, you can object to our processing of your information based on our legitimate interests, including as described in the “How We Use Information” section of this Privacy Policy. You have a general right to object to the use of your information for direct marketing purposes. Please see your notification settings to control our marketing communications to you.
Restricting or Limiting Data Use. In addition to the various controls that we offer, if you reside in a Designated Country, you can seek to restrict our processing of your data in certain circumstances. Please note that you can always delete your account at any time.
If you need further assistance regarding your rights, please contact our Data Protection Officer at MSADataProtectionOfficer@msa.com, and we will consider your request in accordance with applicable laws. If you reside in a Designated Country, you also have a right to lodge a complaint with your local data protection authority.
Users have the right, at any time, to know whether their Personal Data has been stored and can consult MSA to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, canceled, updated or corrected, or for their transformation into anonymous format or to block any Personal Data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to MSA’s Data Protection Officer at MSADataProtectionOfficer@msa.com.
HealthMetric does not support “do not track” requests.
To understand if any of the third party services it uses honor the “do not track” requests, please read their privacy policies.
Right to Non-Discrimination. If you choose to exercise your rights as a user of HealthMetric as outlined above, we will not discriminate against you or otherwise treat you differently than other users.
Information Security.
MSA works hard and takes precautions to keep your data safe. We utilize a combination of technical, administrative, and physical controls to maintain the security of your data. This includes the measures to encrypt much of the data submitted to and collected by HealthMetric. However, no method of transmitting or storing data is completely secure. If you have a security-related concern, please contact MSA’s Data Protection Officer at MSADataProtectionOfficer@msa.com.
In the case of a breach of Personal Data, MSA shall without undue delay notify affected Users by describing the nature of the breach, providing contact information of its Data Protection Officer, and advising of the likely consequences of the breach.
In support of MSA’s efforts to keep your data safe, we recommend Users employ their devices’ password features and ensure that the settings on such devices allow Users to encrypt data.
Legal Bases
MSA is committed to providing our members with meaningful information and choices about the information they share through HealthMetric and the services. The GDPR and DPA require organizations to have legal bases to collect, use, share, and otherwise process information about users residing in the European Union or the United Kingdom, respectively. If you habitually reside in the European Union or the United Kingdom, there are particular rights available to you. While some of these rights apply generally, certain rights only apply depending on the legal bases we rely on to process data. We have explained these legal bases and your rights below.
To provide HealthMetric and the Services
As described in the Terms of Use, HealthMetric cannot be provided, and the Terms of Use cannot be performed, without MSA processing your Personal Data. Since we process data you provide to us which is necessary to perform our contract with you, you have the right to port or transfer that data if you habitually reside in the European Union or the United Kingdom.
With your consent
We ask for your permission to process your Personal Data for certain purposes and you have the right to withdraw your consent at any time. We ask for your consent to:
• Collect or infer health information which is used to provide helpful statistics and visualizations.
• Send you marketing communications.
• Collect and process information from third-party products, services, devices, and apps which are connected to HealthMetric.
When we process data you provide to us based on your consent, you have the right to withdraw your consent at any time via your account settings. You also have the right to port or transfer the data.
Legal obligation or for the establishment, exercise or defense of legal claims
We process data where we have a legal obligation to do so, for example, where we are responding to valid and binding legal process from law enforcement agencies for certain data. In addition, processing may be needed for us to establish, exercise or defend civil or criminal claims in connection with actual or potential litigation including to protect HealthMetric and related services, our property or other legal rights, including those of our members or partners.
To protect vital interests
We process data where it is necessary to protect an interest which is essential to someone’s life or protect any person from serious bodily injury. This includes processing information to combat harmful conduct both on and off of our Services.
Carrying out a task in the public interest
Where set forth by the law of the European Union or a member state thereof or the United Kingdom, we may process users’ data to perform processing in the public interest. This may include protecting against harm and undertaking research for social good. You have the right to object to, and seek restriction of, our processing of your Personal Data when we process data using this legal basis.
In furtherance of legitimate interests
We process your information for our legitimate interests, and those of third parties, while applying appropriate safeguards that protect your privacy, rights and interests. We do this to:
• Market HealthMetric and other commercial products or services. For example, our partners may pay us to promote their products, services, events, gear or devices on HealthMetric. This is one of the ways we are able to provide the Services on a sustainable basis. We provide controls and safeguards for our members, including the ability to object.
• Maintain our business by conducting research and continuously improving the services so as to offer innovative and customized offerings to our members and partners.
• Convert it into aggregated form (by removing certain information, such as your name, and combining the resulting information with similar information from other members) for use by us and our partners. Our partners may use this information to improve infrastructure or for other commercial purposes, including developing useful insights.
• Keep the services safe and secure by using information to prevent or detect violations of our Terms of Use, fraud or abuse, and other harmful or illegal conduct. We may also share information with third parties, including law enforcement agencies for this purpose.
• Promote the services, including email and in-product marketing campaigns to inform members about our services.
• Encourage users to find new ways to interact, including activities, followers, clubs, or events. We rely on our legitimate interest in retaining members when ensuring that we offer new opportunities of interest to our users.
You have the right to object to, and seek restriction of, our processing of your Personal Data based on legitimate interests. Please contact MSA’s Data Protection Officer at MSADataProtectionOfficer@msa.com if you object to us using your information.
Changes to this Privacy Policy
MSA reserves the right to make changes to this Privacy Policy at any time by giving notice to HealthMetric Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. If a User objects to any of the changes to this Privacy Policy, the User must cease using HealthMetric and can request MSA to erase their Personal Data. Unless stated otherwise, the then-current Privacy Policy applies to all Personal Data MSA has about Users.
Information about this Privacy Policy
MSA is responsible for this Privacy Policy.
Additional Information
More details concerning the collection or processing of Personal Data may be requested from MSA at any time at its contact information.
Definitions
Cookie. Small piece of data stored in the User’s/your device.
Personal Data. Any information regarding a natural person, a legal person, an institution or an association, which is, or can be, identified, even indirectly, by reference to any other information, including a personal identification number when a User/you access or use HealthMetric. MSA will collect and use your Personal Data consistent with applicable law and as more particularly outlined in this Privacy Policy and in the applicable provisions of the Terms of Use of HealthMetric and the Patient Authorization and Opt-In to Use/Disclose Health Information as to HealthMetric, concerning both of which you/the User are simultaneously agreeing to abide by downloading and using HealthMetric.
Usage Data. When you access and use HealthMetric, we may automatically collect certain details of your access to and use of the app or website, including traffic data, logs, and other communication data. We may collect information about your mobile device or computer and internet connection, including the device’s unique device identifier, IP address, operating system, browser type, and phone type.
User. The individual using HealthMetric, which must coincide with or be authorized by the Personal Data subject, to whom the Personal Data refers.
Version 1.3 (Modified 12/15/2022)