Last update: 4/15/2022
The Solutions is operated by Massive Bio, Inc. (“Company”, “we”, “us” or “our”), 90 West St. #12M, New York, NY 10006. Massive Bio is a data analytics firm that provides a medical second opinion and clinical trial matching by evaluating a cancer patient’s existing clinical information, leveraging our proprietary artificial intelligence platform, and providing consulting services to patient’s oncologists by identifying and explaining treatment options that best fit the patient’s medical profile, treatment objectives, and resources (collectively, the “Services”).
THE COMPANY IS NOT A MEDICAL PROVIDER, NOR IS IT A “COVERED ENTITY” SUBJECT TO STATE OR FEDERAL LAWS GOVERNING THE PRIVACY OF MEDICAL RECORDS OR INFORMATION, INCLUDING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, COMMONLY REFERRED TO AS “HIPAA”.
I. INFORMATION WE COLLECT
1. Personally identifiable information
Our Solutions and our Service Providers only collect personally identifiable information (“PII”, also referred to as personal data or personal information in some jurisdictions) for our purposes as set out in the next section II. THE CATEGORIES OF PII WE COLLECT FOR OUR PURPOSES AND THE APPLICABLE LEGAL BASIS FOR OUR DATA PROCESSING. Collection of PII occurs if you register for an appointment on the Solutions, subscribe to a newsletter, tweet to us, or use other features and resources on the Solutions. You may visit our Site anonymously, but that may prevent you from accessing certain features or Services or Solutions.
A. Your patient profile
B. Health provider profiles
C. Service Provider profiles
Medical Information Released to Company:
- Through EMR platforms APIs
- Through the EMR platform, online pages shared by you
- Through EMR platform online pages accessed by Company’s corporate accounts with your authorization to see your PII
- Through emails, SMS, or other means of communication channels
2. Protected Health Information and Sensitive Personal Information
We will collect and store sensitive personal information and data about you.
3. Non-Personally Identifiable Information
Our Website, Solutions, and Service Providers may also collect non-personally identifiable (anonymous) information (“Non-PII”) from visitors, including cancer patients, health care providers, staff, clinical staff, oncology experts, data analysts, and health plan administrators. Non personally identifiable information is any information that cannot be directly or indirectly associated with you.
“Cookies” are short computer codes known as cookies, web beacons, and other technologies that collect and store both PII and Non-PII when you visit our Solutions, or share Website content or solutions through a social media account. The following are examples of information we or third-party service providers collect with cookies:
- Cookies that may uniquely identify your browser session and the other website, solutions you have visited
- Browser type and operating system
- Hardware settings
- Date and time of visit
- Website pages you visited
- Web page that referred you to Company
- Web pages your visit after leaving the website
5. Social Media
We may collect information through our presence on social media and networking platforms. You may use social networks or other online services to sign into the Solutions. When you do so, information from those services may be made available to us. By associating a social network account with the Solutions, we may collect your PII, such as your username and email address.
6. Patient Representatives
A patient can give written, verbal or SMS authorization for a person (for example, a solicitor or relative) to make an application on their behalf. We may withhold access if it is of the view that the patient authorizing the access has not understood the meaning of the authorization. The authorization is only good for 90 days and requires a recording.
Next of kin
Despite the widespread use of the phrase ‘next of kin,’ this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to sharing information on a patient’s behalf. A next of kin had no right of access to medical records.
A person appointed by the court to manage the affairs of a patient who is incapable of managing her experiences may make an application. Access may be denied where the General Practitioner opinion thinks that the patient underwent relevant examinations or investigations to expect the information would not be disclosed to the applicant.
7. Information about You from Other Sources
We collect personal information about you on the Solutions, and from other sources, including data from your oncologists, oncology practice staff, clinical staff, health claims administrators, and patient benefits organizations. We may combine all information we collect about you to provide Services to you, including data analysis for identifying testing and treatment options and, when de-identified, for our research efforts and to improve our Services and Solutions.
II. THE CATEGORIES OF PII WE COLLECT FOR OUR PURPOSES AND THE APPLICABLE LEGAL BASIS FOR OUR DATA PROCESSING
1. Depending on where you live, how you interact with us, and how we may interact with certain Service Providers, we may collect the PII about you as set out in the “personal information” column below. You will also find below the purpose of the processing and (for the EEA and UK only) the legal basis we rely on for each type of PII in that we process about you.
Legal basis (EEA / UK only)
Patient profile data, such as:
We use your patient profile data to:
(i) communicate with you and your oncologist about our Services;
(ii) register you as a patient;
(iii) collect data for patient profile;
(iv) interpretation of genetic profiling data to provide a range of treatment options for difficult or complex cases;
(v) determine patient eligibility for assistance programs for certain out-of-pocket health care costs;
(vi) submitting requests to your health insurer for reimbursement purposes; and
(viii) provide: (a) the Services; (b) guidance and recommendations regarding an array of treatment options ranging from standards of care to experimental treatments; (c) clinical data to support the use of off-label medications; (d) range of various clinical trials appropriate for and convenient to you; and (e) consulting and remote access to bioinformatics and molecular expertise to support your patient presentations at tumor boards.
Necessary for the purpose of our legitimate interests to provide access to the Solutions, provide the Services, maintain an adequate profile administration; and
Insofar it regards health related data: Consent, both as the legal basis (article 6 (UK) GDPR) and as the exemption to process special category data (article 9 (UK) GDPR).
Health provider data, such as:
We use health provider data to:
(i) communicate with health provider;
(ii) register you as health care provider staff, expert oncologist, or practice administrators that assist or support patients.
Necessary for the purpose of our legitimate interests to interact with health providers, to register and to provide the Services to patients.
Service Provider Data, such as:
We use Service Provider data to:
(i) communicate with (potential) Service Provider;
(ii) assess and accept of a (potential) Services Provider;
(iii) conclude and execute an agreement with the Service Provider.
Necessary for the purpose of our legitimate interests to effectively manage our relationships with Service Providers, to interact with (potential) Service Providers.
Please see our cookie notice.
Please see our cookie notice.
Social media data, such as: username, email address.
For providing access to your patent profile via your other (social media) profile(s) / account(s).
Necessary for the legitimate interest of offering you multiple options to access out Solutions and use other (social media) accounts to sign into our Services and Solutions.
Please be aware that:
- Loss, misuse, modification, or unauthorized access of your PII, including in particular Sensitive Personal Information can adversely affect your privacy or welfare depending on the level of sensitivity and nature of the information.
- You may refuse to provide your protected health information to Solutions, but you and your health care providers will not be able to use our Services.
2. SMS/MMS Mobile Messaging
We respect your privacy. We will only use your PII to transmit your mobile messages and respond to you if necessary. This includes, but is not limited to, sharing PII with platform providers, phone companies, and other vendors who assist us in the delivery of mobile messages.
WE DO NOT SELL, RENT, LOAN, TRADE, LEASE, OR OTHERWISE TRANSFER FOR PROFIT ANY PHONE NUMBERS OR CUSTOMER INFORMATION COLLECTED THROUGH THE WEBSITE OR THE SOLUTIONS TO ANY THIRD PARTY.
Nonetheless, we always reserve the right to disclose any information as necessary to satisfy any law, regulation, or governmental request, avoid liability, avoid liability, or protect our rights or property (see Section III of this Privacy Notice) in accordance with applicable data protection laws. When you complete forms online or otherwise provide us PII connected to the Services, you agree to provide accurate, complete, and true PII. You agree not to use a false or misleading name or a name that you are not authorized to use. Suppose, in our sole discretion; we believe that any such information is untrue, inaccurate, or incomplete, or you have opted into the program for an ulterior purpose. In that case, we may refuse you access to the program and pursue any appropriate legal remedies.
We, Service Providers and any third-party agency acting on our behalf may communicate with you and record calls or any communication at such number(s) by phone call, voice message, internet-to-phone message, SMS text message, interactive voice recordings using auto-dial systems, or prerecorded artificial or voice messages (“Communications”) regarding orders, delivery updates, requests for transactional feedback, and other informational purposes.
Standard message, data, voice, or other rates may apply from your landline, mobile service, or wireless device carrier for communications you receive.
You may also call 1-844-627-7246 to get help at any time.
You may send any of the following messages in response to an SMS text message to opt-out of receiving further SMS text messages from Company: Stop” or “Unsubscribe.” After sending one of these messages, you might receive one final SMS text message as confirmation of your opt-out request.
Additional terms and conditions may be provided to you in the future (e.g., as part of an opt-in confirmation text message), and such terms and conditions will supplement and not replace these terms.
You further represent and warrant that you are the subscriber for the phone number(s) provided, and you possess the phone(s) associated with such number(s). You agree to notify us if your phone number(s) changes or you no longer possess the phone(s) associated with such number(s).
BY PROVIDING YOUR TELEPHONE OR CELL PHONE INFORMATION, YOU KNOWINGLY AND VOLUNTARILY AGREE TO INDEMNIFY, DEFEND, AND COMPANY, ITS PARENTS, SUBSIDIARIES, AFFILIATES, PREDECESSORS, SUCCESSORS, AND ASSIGNS, AND EACH OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AND AGENTS, HARMLESS FROM AND AGAINST ANY AND ALL LOSSES, COMPLAINTS, DEMANDS, CLAIMS, CAUSES OF ACTION, LIABILITIES, COSTS, JUDGMENTS, DAMAGES, FINES, PENALTIES, COMPENSATION, ATTORNEY’S FEES, AND EXPENSES OF ANY KIND, INCLUDING ANY AND ALL TYPES OF INJURIES OR DAMAGES SUFFERED BY YOU, WHICH ARISE AS A RESULT OF (OR ARE RELATED TO) THE COMMUNICATIONS. YOU KNOWINGLY AND VOLUNTARILY AGREE NOT TO USE OR CAUSE ANY LAWSUIT, COMPLAINT, CLAIM, OR CHARGE TO BE FILED ON YOUR BEHALF AGAINST COMPANY OR ITS VENDORS TO CONCERNING ANY SUCH DAMAGES.
Wireless carriers are not responsible for delayed or undelivered messages, which may occur due to factors outside carriers’ control.
3. Links to Other Websites
The Website includes links (the “Linked Sites”) to other websites. In providing access to these Linked Sites, the Company is by no means endorsing the products or services on these Linked Sites. The Company is not responsible for the privacy practices or the content of the Linked Sites at this moment. It, at this moment, expressly disclaims all responsibility and liability associated with the use of the Linked Sites. We recommend that you review the privacy statements posted on those sites to understand their procedures for using and disclosing personal information.
III. WHEN DOES WE SHARE INFORMATION?
1. Service Providers
We may transfer personal information to Service Providers such as outside contractors, auditors, consultants, or others hired by the Company to assist in providing financial or operational activities on the Company’s behalf, including technical and processing Services and analysis of Website performance.
2. Legal Requirements
Under certain circumstances, to comply with laws, regulations, judicial or other government subpoenas, warrants, or orders, we may disclose your personal information to respond to any government or regulatory request.
We may transfer PII to other third parties if we receive your permission or we are required to do so by law, or we have a good faith belief that such disclosure is necessary to comply with a current judicial proceeding, a court order, a legal process served on the Company or to resolve any potential fraud or perceived irregularity in any audits of the accuracy of any documentation or information submitted to the Company by you or on your behalf, as deemed appropriate by the Company.
3. Transfers of Business Assets
Suppose the Company goes through a transaction, such as a merger, being acquired by another entity, bankruptcy, or selling all or a portion of its assets. In that case, your PII may be part of the business assets transferred. We cannot assure that you will be notified in advance of the transfer, if any, of your PII in connection with any such transition or transfer.
4. Protection of Company and Others
We reserve the right to access, read, preserve, and disclose any information that we reasonably believe is necessary to comply with law or court order; enforce or apply our conditions of use and other agreements; or protect the rights, property, or safety of our Company, employees, users, or others. This includes exchanging information with other companies and organizations for fraud protection and data breach risk reduction.
5. Aggregate or Anonymous Information
We may share your PII and user data in aggregate or anonymously: to improve our Services, communicate with Service Providers and other third parties, and in our annual report and marketing materials.
6. With Consent
Except as set forth above, you will be notified when PII may need to be shared with third parties and will be able to prevent the sharing of this information.
7. How we use Non-Personally Identifiable Information (Non-PII)
We also use Non-PII to monitor and improve our Services and Website quality to tour Services and Website quality, data research and statistical purposes. We use Non-Personally Identifiable Information in consulting Services to other users, for research, and to share, lease, or sell our data and analysis to patient assistance programs, clinical laboratories, cancer screening providers, pharmaceutical manufacturers, and oncologists for improvement of their professional services, screening, and treatment products, and to educate the public about the Services we provide.
IV. HOW DO WE MANAGE CHILDREN’S DATA?
Children of 16 years or over
Subject to local laws, if a mentally competent child is 16 years or over, they are entitled to request or refuse access to their records. If any other individual requests access to these Company, should first check with the patient that he or she is happy for them to be released.
Children Under 16 Years
Unless otherwise provided by local laws, individuals with parental responsibility for an under 16-year-old will have a right to request access to those medical records. A person with parental responsibility is either:
- the birth mother, or
- the birth father (if married to the mother at the time of child’s birth, or subsequently) or,
- an individual parental responsibility by a court.
Suppose the appropriate health professional considers that a child patient is Gillick competent (i.e., has sufficient maturity and understanding to make decisions about disclosure of their records). The child should be asked for their consent before disclosure is given to someone with parental responsibility.
If the child is not Gillick competent and there is more than one person with parental responsibility, each may independently exercise their right of access. Technically, if a child lives with, for example, its mother and the father apply for access to the child’s records, there is no “obligation” to inform the mother. However, this may not be possible in practical terms, and both parents should be aware of access requests unless there is a good reason not to do so.
In all circumstances, good practice dictates that a Gillick competent child should be encouraged to involve parents or other legal guardians in any treatment/disclosure decisions.
V. HOW WE PROTECT AND RETAIN YOUR INFORMATION
We take security measures to protect against unauthorized access to or unauthorized alteration, disclosure, or data destruction. These include secure socket layers, firewalls and encryption, internal reviews of our data collection, storage and processing practices, security measures, and physical security measures to guard against unauthorized system access. However, because the internet and mobile web are inherently insecure, no information system is 100% secure, and even the most secure system can be compromised; we cannot guarantee security. Suppose we retain PII on our systems or the cloud. In that case, we restrict access to PII to employees, contractors, and agents who need to know that information to operate, develop, or improve our website, solutions, and services. If they fail to meet these obligations, these individuals are bound by confidentiality obligations and may be subject to discipline, including termination.
We do not keep your PII any longer than necessary for the processing purposes. We delete and destroy individual records of PII and all Non-PII according to the Schedule below.
|Patient profile data||Retention Period|
|Eight years after collection.|
|Health provider data||Two years after the end of the relationship.|
|Service Provider data||Two years after the end of the relationship.|
|Cookies||Please see our Cookie Notice|
|Social Media data||Eight years after collection.|
We may retain your PII for the establishment, exercise or defense of legal claims. Also, we may retain your PII to make it available to the supervisory authority, investigative authority, courts, or other governmental body for the period specified by the law.
We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction and have several layers of security measures, including:
SSL, access controls, password policy, encryptions, pseudonymization, practices, restriction, IT, authentication, VPN, firewalls, token management.
VI. HOW TO CONTROL AND CORRECT YOUR INFORMATION
1. Correcting Your Personal Information
To gain access to the personal information you collected online and keep it accurate, complete, and current, or to request deletion, you may contact us at email@example.com. In some cases, where we are required to retain information by law or regulation to continue to manage a service you have requested, to ensure that we honor your preferences, or for other necessary business purposes, we may not be able to delete certain personal information about you.
2. Control: Your Choices
You have several options to control how your data is shared and used after you have provided it.
- To store or discard the records you provide to us, and the reports returned to you based on the results of your documents.
- Clinical Trials Matching report(s) you view or opt-in to view.
- When and with whom do you share your information, including your caregivers, family members, approved family members, health care professionals, or others outside our Services.
- To delete your Massive Bio Clinical Trial Matching account and data at any time.
- Everyone has the rights below by applying to Company;
- a) Learning whether PII is processed or not,
- b) If PII has been processed, requesting information about it,
- c) The purpose of processing PII and whether the purpose of learning uses them,
- d) To know the third parties to whom PII is transferred in the country or abroad,
- e) To want to correction of their data in case of incomplete or incorrect processing of PII,
- f) Deletion or destruction of PII within the framework of the applicable laws,
- g) To request notification of the transactions made under subparagraphs (d) and (e) to third parties to whom PII has been transferred,
- h) Object to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- i) Request the compensation of the damage in case of loss due to unlawful processing of PII.
3. Accountability for Onward Transfers
We will not disclose your PII to unaffiliated third parties without first receiving your permission unless it is required by national security or law enforcement authorities. In cases of onward transfer to third parties of data of EU individuals, we are liable for appropriate onward transfers of PII to third parties.
Company has further committed to refer unresolved Privacy Shield complaints to USCIB (United States Council for International Business), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.uscib.org/privacy-shield/ for more information or to file a complaint. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Binding Nature of Decisions at https://www.privacyshield.gov/article?id=D-Binding-Nature-of-Decisions.
Company has an ongoing process to review how we’re meeting the Privacy Shield promises, and we provide an independent way to resolve complaints about our privacy practices. Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In light of the judgement of the Court of Justice of the EU in Case C-311/18 (Schrems II), Company no longer relies on the EU-U.S. Privacy Shield Framework as a legal basis for transfers or safeguard of PII from the European Union to the United States of America.
5. Learn More about Cookies, Web Beacons, and Other Technologies
- All About Cookies: www.allaboutcookies.org/cookies/
- Google: www.google.com/analytics/learn/privacy.html
- Google Chrome: http://www.google.com/chrome/intl/en/more/privacy.html
- Microsoft Internet Explorer: www.microsoft.com/info/cookies.htm
- Mozilla Firefox: http://support.mozilla.com/en-US/kb/Options+window+-+Privacy+panel
- Flash: www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
6. Limitation of Liability
7. Unavailability of Solution or Services
The Company reserves the right to alter, suspend or discontinue the Solutions or Services for any reason without notice or cause. The Solutions or Services may be temporarily unavailable due to computer equipment maintenance or malfunction.
VII. LOCAL PROVISIONS
1. Local provisions: California
- Your California Privacy Rights. Under California Civil Code Section 1798.83, California residents who have an established business relationship with us have the right to request that we provide specific information regarding disclosing their personal information to third parties for their direct marketing purposes during the immediately preceding calendar year. You may send your request for such information to firstname.lastname@example.org. Requests shall only be accepted via this email address. We are not responsible for requests made over the telephone or any other means.
- California Online Personal Privacy Act Disclosures
- When you visit our Solutions, our Service Providers may drop a cookie on your browser to remember your preferences and collect analytical data about your visit. The Solutions does not employ technology to track you across multiple Solutions, or override the privacy settings in your web browser or Services.
- Our Service Providers do not track Website visitors across multiple Websites or override the privacy settings in your web browser. If you access our social media sites from the Website or the Solutions, be aware that the social media platforms may track you across multiple Websites and disregard the privacy settings in your web browsers.
2. Local provisions: European Union
- GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- If we share your personal data with our group companies or third parties located outside the European Economic Area, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, particularly by signing the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR). You can find more information about the Standard Contractual Clauses here.
- Below, we set out your data protection rights under the GDPR in more detail and give information on how you can exercise them. Most of these rights are not absolute and are subject to exemptions in the law. We will respond to your exercise of right request within one month but have the right to extend this period in certain circumstances. If we extend the response period, we will let you know within one month from your request. If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply with it in such circumstances.
- Access your personal data. You are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you.
- Request the transfer of your personal data. We will provide to you or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note, this right applies to the personal data you have provided to us and only if we use your personal data on the basis of consent or where we used your personal data to perform a contract with you.
- Request erasure (deletion) of your personal data. You are entitled to ask us to delete or remove personal data in certain circumstances. There are certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with legal claims. When we need to rely on an exemption, we will inform you about this.
- Request correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
- Object to our processing of your personal data where we are relying on legitimate interest. You also have a right to object where we are processing your personal data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
- Withdraw your consent. Where you have provided your consent to our processing of your personal data you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
- Lodge a complaint at a supervisory authority. We will do our best to resolve any complaint. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work or where an alleged infringement of the applicable data protection law took place. A list of EU supervisory authorities and their contact details is available here.
- If you exercise the rights above and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
- You can exercise the rights above by sending an email to email@example.com.
- Contact information of the Data Protection Officer: Cagatay M. Culcuoglu, firstname.lastname@example.org