Updated January 9, 2020

1. Introduction

This Privacy Policy explains the  online information practices of ArborMetrix, Inc. (“ArborMetrix”, “we” or “us”) and your choices regarding Personal Data that you submit to us or we collect:

• Through our Websites, email sent to us, phone calls and mobile applications;
• Offline in connection with sales, marketing, and customer engagements; and
• From third party sources, such as lead brokers.

This Privacy Policy describes how your Personal Data (defined below) is collected, processed, and shared.  We also describe how your information will be secured, and your rights regarding this information.  Finally, we outline how you can reach us to update your information, remove your information from our systems, or inquire about any of our privacy policies.

We may update or modify this Privacy Policy at any time at our discretion in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. If we make changes that affect how we use your Personal Data that we have previously gathered, we will provide you with information about those changes and obtain your consent either through posting on our Website or an email to your registered email address.

It is important that you read this Privacy Policy together with any other notice or statement we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your information. This Privacy Policy supplements other notices and statements that we may provide and is not intended to override them.

THIS PRIVACY POLICY DOES NOT APPLY TO YOUR PROTECTED HEALTH INFORMATION. “Protected Health Information” is information that is protected by the U.S. Health Insurance Portability and Accountability Act of 1996 and related laws and regulations (“HIPAA”). We may receive your Protected Health Information (including “ePHI” or electronic personal health information) when we, for example, perform services on behalf of health care providers in the course of our business. Protected Health Information is not handled in accordance with this Privacy Policy and is governed by HIPAA together with any Notice of Privacy Practices for Protected Health Information of your health care provider.

We are not responsible for any information collected by social networks on which we maintain a social media presence. These include, but are not limited to, Facebook, Google, Twitter, and LinkedIn. Each social network has its own privacy policy and it should be read before creating an account on the network. We are not responsible for any marketing or retargeting performed by a social network after you have visited our pages.

2. Definitions

The following terms as used in this Privacy Policy have the meanings set forth in this Section:

“Cookies” means small files stored on your computer or mobile device.

“Data Controller” means the natural or legal person who (alone or jointly) determines the purposes for which and the manner in which any Personal Data is, will be, or may be processed.  For purposes of this Privacy Policy, we are a Data Controller of your Personal Data.

“Data Processors” (or “Service Providers”) means any natural or legal person who processes data on behalf of the Data Controller.  We may use the services of various Data Processors to process your data more effectively.

“Data Subject” (or “User”) means any living individual who is using our Website and who is the subject of Personal Data.

“GDPR” or “European Law” means the European General Data Protection Regulation 2016/679.

“Personal Data” means data about a living individual who can be identified from the data we collect or from other information or data likely to come into our possession.  For purposes of our Privacy Policy, “Personal Data” includes “Personally Identifiable Information” or “PII” as described in US privacy and information security laws.

“Usage Data” means data that is generated or collected automatically by the use of our Website or from the Website infrastructure itself (such as the duration of a page visit).

“Website” means the www.arbormetrix.com Website operated by us and all of our web pages accessed through such Website.

3. Types of Personal Data and other Information We Collect:

Personal Data and other information we collect includes:

• Contact Information which you provide when corresponding with us by phone, e-mail or otherwise, or when requesting information on our Website. Contact information includes information that allows us to communicate with you, such as your name, username, mailing address, telephone number, email address or other addresses that allow us to send you messages.
• Relationship Information including information that helps us do business with you, such as the types of products and services that may interest you, information on your company’s size, geographic locations, and demographics.

We also collect other information including Usage Data as follows:

• We use Cookies and similar tools to automatically collect information about you when you use our Website or applications.
• When you use our Website, we collect technical information about your device such as electronic communication protocols, IP addresses, the hardware model of your device, operating system version, unique device identifiers, browser type and language preferences.
• We may also collect information about your use of our Website, such as pages visited, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any contact details used to correspond with us by post, email or telephone.
• For more information about cookies and other technologies, please see the section on Cookies below.

4. Children and Privacy

Our products and services are not designed for use by children and we do not specifically market to children under the age of 13 years old or knowingly collect personally identifiable information from anyone under the age of 18.  If you are a parent or guardian and know that a person under age 18 has provided us with Personal Data, please contact us.  If we become aware that we have collected Personal Data from children without verification or parental consent, we will take steps to remove that information from our servers.

5. How We Use Personal Data

We use the collected data for various purposes:

• To provide and maintain our Website and services;
• To notify you about changes to our Website or services;
• To allow you to participate in interactive features or our Website when you choose to do so;
• To provide customer support;
• To gather analysis or other information to improve our Website and services;
• To monitor the usage of our Website;
• To detect, prevent and address technical issues;
• To undertake surveys;
• To provide you with newsletters, marketing or promotional materials or other information that may be of interest to you;
• To manage our everyday business needs, such as payment processing and financial account management, product development, contract management, Website administration, forum management, fulfillment, analytics, security and fraud prevention, corporate governance, reporting and legal compliance and business continuity;
• To enforce our terms and conditions and other usage policies; and
• To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others, and to allow us to pursue available remedies or limit any damages that we may sustain.

If you are based in Europe, we will only process your Personal Data for a purpose described in this Privacy Policy if: (1) (2) the processing is necessary for the performance of a contract we are about to enter into or have entered into with you; (3) we are required by law to do so; or (4) the processing is necessary for the purposes of our legitimate commercial interests (except where such interests are overridden by your rights and interests).

7. How Long We Retain Personal Data

We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.  We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example if we are required to retain your data to comply with applicable law), resolve disputes and enforce our legal agreements and policies.

We will also retain your Usage Data for internal analysis purposes.  Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security of our Website or to improve our Website, or we are legally obligated to retain this data for longer periods.

8. Disclosure of Personal Data

We may share your Personal Data with the parties set out below:

• Our affiliates, which may only use your Personal Data for the purposes set out in this Privacy Policy
• Our service providers, who are bound by law and contract to protect your Personal Data and only use your Personal Data in accordance with our instructions
• Our business partners, if you have purchased products or services from such partner, interacted with such partner, or otherwise indicated interest in that partner’s products or services. For example, if you are referred to ArborMetrix from a business partner Website, we may provide that partner with your Contact Information to validate the referral. We may also provide your contact information to companies that offer complementary products and services if you request information about these solutions
• We may also disclose Personal Data where needed to affect the sale or transfer of business assets, to enforce our rights, protect our property or protect the rights, or safety of ArborMetrix and others or to support external auditing, compliance and corporate governance functions
• We will disclose Personal Data when required to do so by law, such as in response to a subpoena or other request, including to law enforcement agencies and courts in the United States and other countries where we operate

Where we process personal health information on behalf of heath care providers as a Business Associate (and/or a Data Processor), we use and disclose Personal Data, including electronic personal health information (or “ePHI”), for the purposes of providing our services and for carrying out health information processing operations in accordance with the Business Associate agreements we hold with these health care providers.

ArborMetrix strictly prohibits the selling of Personal Data we obtain through our Website, except when mandated by our legal, regulatory or contractual obligations.

We will only transfer your Personal Data to trusted third parties who provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and who can demonstrate a commitment to compliance with those measures.

We do not share Personal Data with our affiliates or third parties for their direct marketing use.

Please note that we may use and disclose information about you that is not personally identifiable. For example, we may publish reports that contain aggregated and statistical data about our clients. These reports do not contain any information that would enable the recipient to contact, locate or identify you. These reports do not contain any identifiable company information.

9. Cookies

Our Use of Cookies:

When you visit our Website, use our mobile applications or correspond with us via email, we collect certain information, including Personal Data, by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons.

Cookies are small text files that Websites send to your computer or other internet-connected device to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud.

Pixel tags and web beacons are tiny graphic images placed on Website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.

You do not have to accept cookies and your consent can be withdrawn at any time (see How to Control Cookies, below).

In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without any reference to Personal Data. For example, we use the information we collect about all Website users to optimize our Website and to understand Website traffic patterns.

In some cases, we do associate the information we collect using cookies and other technology with your Personal Data. This Privacy Policy applies to the information we collect using cookies when we associate it with your Personal Data

Third-Party Cookies:

Cookies set by a Website owner (in this case, ArborMetrix) are called “first party cookies”. Cookies set by parties other than the Website owner are called “third-party cookies”. Third-party cookies enable us to provide third-party features or functionality through our Website (i.e. advertising, social media functions and analytics).

ArborMetrix has relationships with third-party advertising companies to place advertisements on our Website and to perform tracking and reporting functions for our Website. These third-party advertising companies may place cookies on your device when you visit our Website so they can display targeted advertisements to you. This Privacy Policy does not cover the collection methods or use of the information collected by these vendors.

A third-party vendor used by ArborMetrix is Google Analytics. For information on how Google Analytics uses data, please visit “How Google uses information from sites or apps that use our services”, located here.

How to Control Cookies:

In many cases, you can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser.

Please follow the links below to access helpful information for the most popular browsers:

• Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en
• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
• Mozilla Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
• Apple Safari: https://support.apple.com/en-gb/guide/safari/manage-cookies-and-Website-data-sfri11471/mac

We do not support “do not track” signals (“DNT”). If you have DNT enabled on your web browser, we do not currently respond or take any action with respect to web browser DNT signals.

In some cases, we do associate the information we collect using cookies and other technology with your Personal Data. This Privacy Policy applies to the information when we associate it with your Personal Data.

In addition, you can opt-out of being targeted by many third-party advertising companies by visiting:

• http://optout.aboutads.info/?c=2&lang=EN
• http://optout.networkadvertising.org/?c=1
• http://www.youronlinechoices.com/
• http://preferences-mgr.truste.com/

10. California Privacy Rights

If you are a California resident, the California Civil Code permits you to request information relating to the sharing of certain categories of your Personal Data with third parties. If you reside in California and have provided your Personal Data to ArborMetrix, you may request information about our disclosures of certain categories of Personal Data to third parties for direct marketing purposes. Such requests can be submitted to us by email to info@arbormetrix.com, or using the contact details provided above.

11. Your Choices

Your marketing preferences:

We may send you marketing emails regarding our Services, upcoming promotions and other information that may be of interest to you, provided you have given your consent, if required by the applicable law. If you do not wish to receive such marketing emails from us, you may use the “unsubscribe” option at the bottom of our emails to opt-out.

If you need any assistance with opting-out, please contact us using the contact details provided above.

Your rights:

In certain circumstances, you may have the right to request access to your Personal Data, to object to or restrict the use of your Personal Data and/or to request that incomplete, incorrect, unnecessary or outdated Personal Data is deleted or updated.

If you would like to exercise your rights or have any questions about your choices, please contact us using the contact details provided below. If you send us a letter, please provide your name, address, email address and detailed information about the Personal Data you would like to update, modify or delete or any other changes you would like to make.

We may request further information to verify your identity as part of this process.

We may deny a request for access to Personal Data if we believe that releasing such information may endanger the life or physical safety of an individual or may otherwise cause substantial harm. We will report all such requests to the appropriate law enforcement agencies.

Information we process on behalf of Health Providers:

We will not update, modify or delete any information that we process on behalf of health care providers as a Business Associate (and/or a Data Processor). Such requests should be directed to the relevant health provider as Data Controller).

Any request to access Personal Data, including ePHI, processed by ArborMetrix on behalf of a health care provider must be directed to the relevant health care provider to whom you disclosed your Personal Data including protected health information. Under no circumstances shall ArborMetrix share any Personal Data that it has received from a health care provider for processing with anyone else unless required by applicable law.

12. European Privacy Rights

If you are a European resident, in certain circumstances you have rights under the GDPR in relation to Personal Data we hold about you—specifically the right to:

• Request access to your Personal Data
• Request correction of your Personal Data
• Request erasure of your Personal Data
• Object to the processing of your Personal Data
• Request restriction of processing your Personal Data and
• Request transfer of your Personal Data to a third party

To exercise your rights, please contact us using the contact details provided above. If you send us a letter, please provide your name, address, email address and detailed information about the Personal Data you would like to update, modify or delete or any other changes you would like to make, or right you would like to exercise.

We aim to respond to requests made by you within one month but may extend that period by two further months where necessary.

We will not charge a fee for you to exercise any of the rights listed above, but reserve our right to charge a reasonable fee, or to refuse to act on requests which are manifestly unfounded or excessive.

Where you believe that we have not complied with our obligation under this Privacy Policy or European data protection law, you have the right to make a complaint to an EU Data Protection Authority, such as the UK’s Information Commissioner’s Office.

13. Information Security

We have implemented an information security program that contains administrative, technical, network and physical controls that are designed to safeguard your Personal Data. For example, we use industry-standard encryption technology to secure sensitive Personal Data when it is being collected and transmitted over the internet as well as firewalls, site monitoring and intrusion detection software. Please note that you should also take steps to protect yourself, especially online.

14. Notice to Residents of Countries Outside the USA

ArborMetrix is headquartered in the United States of America. Your Personal Data will be accessed by or transferred to the United States or to our affiliates and data processors within the United States. By providing your Personal Data, you consent to this transfer. We will protect the privacy and security of your Personal Data, regardless of where it is processed or stored.

15. Third-Party Links

Our Website may include links to third-party Websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party Websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy policy of every Website you visit.

16. Contacting Us

If there are any questions regarding this privacy policy, you may contact us using the information below:

ArborMetrix, Inc.

200 E Liberty #7969

Ann Arbor, MI 48107

734-661-7944

info@arbormetrix.com

REVISION DATE: January 9, 2020