EFFECTIVE DATE: January 9, 2020
By visiting the Site, using or downloading the Apps, or otherwise using any of our Services, you agree that your personal information will be handled as described in this Policy. Your use of our Site or Services, and any dispute over privacy, is subject to this Policy and our Terms of Service, including its applicable limitations on damages and the resolution of disputes. The Level Ex Terms of Service are incorporated by reference into this Policy.
We continuously revise this Policy to reflect changes in Level Ex’s personal data collection and handling practices. The latest version of the Policy is provided here with an effective date as set forth above.
If you are a California resident, please be sure to review the section “Additional Information for California Residents” below for important information, as required by California privacy laws, about the categories of personal information we collect and disclose, as well as your rights under California privacy laws.
The Information We Collect About You We collect information about you directly from you and from third parties, as well as automatically, through your use of our Site or Services.
Information We Collect Directly from You. Certain areas and features of our Services require registration. To register you must provide your email address, name, occupation, medical specialty, graduation year, ZIP Code (for healthcare providers), and password. In certain cases, we also collect National Provider Identifier (NPI) numbers and Drug Enforcement Administration (DEA) registration numbers. We also may collect additional optional information from you; however, you are not required to provide us with this information. It is important that the personal data (personal data, or personal information, means any information about you through which you can be identified; it does not include data where the identity has been removed such as anonymous data) we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Information We Collect Automatically. We may automatically collect information about your use of our Services (including our Apps) through cookies, web beacons, log files, and other technologies including: your domain name; your browser type and operating system; page views; links you click; IP address; location information; the length of time you visit our Site and/or use our Services; referring URL; access date and time; mobile device ID; advertising ID (IDFA, IDFV, or GAID); location and language information; device name and model; operating system type, name, and version; your activities within the Services; and the length of time that you are logged into our Services. We may combine this information with other information that we have collected about you, including, where applicable, your user name, name, and other personal information. Please see the section “Cookies and Other Tracking Mechanisms” below for more information.
Information We Don’t Collect. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How We Use Your Information We will only use your personal data when the law allows us to. Most commonly, we will use your information, including your personal information, for the following purposes:
- To provide our Services to you, to communicate with you about your use of our Services, to respond to your inquiries, to fulfill your requests, and for other customer service purposes.
- To tailor the content and information that we may send or display to you, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Site or our Services.
- For marketing and promotional purposes. For example, we may send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you via email, in-app notices and ads, and push notifications. We also may use the information that we learn about you to assist us in advertising our Services on third party websites.
- To better understand how users access and use our Site and Services, both on an aggregated and individualized basis, in order to improve our Site and Services and respond to user desires and preferences, and for other research and analytical purposes.
Where we need to collect personal data by law, or under the Terms of Service or any other contract we have with you and you fail to provide that data when requested, we may not be able to register you to provide the Services or perform the contract we have or are trying to enter into with you. In this case, you may not be able to use our Services or we may have to cancel Services with you.
How We Store and Share Your Information We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We store and share your information, including personal information, as follows:
- Level Ex Users. Your user name and any information that you post to our Site, including, without limitation, reviews, comments, and text will be available to, and searchable by, all users of the Site and Services.
- Service Providers and Partners. We may disclose the information we collect from you to third party business and technology partners, vendors, service providers, contractors or agents who perform functions on our behalf. All information provided will be protected to align with data privacy concepts, and the partner or service provider must agree to the GDPR requirements if any personal data will be originating from or processed in the EU. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers and partners to use personal data of EU data subjects for their own purposes and only permit them to process personal data originating from or processed in the EU for specified purposes and in accordance with our instructions.
- Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer the information we have collected from you to the other company.
- In Response to Legal Process. We also store and may disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
- Aggregate and De-Identified Information. We may share aggregate or de-identified information about users with third parties for marketing, advertising, research or similar purposes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Do-Not-Track. Currently, our Site and Services do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies or opting out of ad networks).
Clear GIFs. Clear GIFs (a.k.a. web beacons, web bugs or pixel tags) are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, though, clear GIFs are embedded invisibly on web pages, not stored on your hard drive. We might use clear GIFs to track the activities of Site visitors and Apps users, help us manage content, and compile statistics about usage. We and our third-party service providers also might use clear GIFs in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
You may opt-out of many third-party ad networks, including those operated by members of the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”). For more information regarding this practice by NAI members and DAA members, and your choices regarding having this information used by these companies, including how to opt-out of third-party ad networks operated by NAI and DAA members, please visit their respective websites: www.networkadvertising.org/optout_nonppii.asp (NAI) and www.aboutads.info/choices (DAA).
Opting out of one or more NAI member or DAA member networks (many of which will be the same) only means that those members no longer will deliver targeted content or ads to you. It does not mean you will no longer receive any targeted content or ads on our Site or other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing. Also, if your browsers are configured to reject cookies when you visit this opt-out page, or you subsequently erase your cookies, use a different computer or change web browsers, your NAI or DAA opt-out may no longer be effective. Additional information is available on NAI’s and DAA’s websites accessible by the above links.
User Generated Content We invite you to post content on our Apps and Sites, including your comments, pictures, and any other information that you would like to be available on our Site. If you post content to our Site, all of the information that you post will be available to all users on our Services. If you post your own content on our Site or Services, your posting may become public and Level Ex cannot prevent such information from being used in a manner that may violate this Policy, the law, or your personal privacy.
Third-Party Links Our Site and Services may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those third-party websites. We do not control and are not responsible for the information practices of such third-party websites. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Access to My Personal Information You may access, correct, erase, withdraw, or modify personal information that you have submitted by logging into your account and updating your profile information. Please note that copies of information that you have updated, modified or deleted may remain viewable in cached and archived pages of the Site or Apps for a period of time.
What Choices Do I Have Regarding Use of My Personal Information? You have the rights of access, correction, erasure, restriction, withdraw, objection, and data portability of your personal information. For example, we may send periodic promotional or informational emails to you. You may opt-out of such communications by following the opt-out instructions contained in the email. Please note that it may take up to 10 business days for us to process opt-out requests. If you opt-out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about your account or any Services you have requested or received from us. You also have the right to withdraw consent for us to use your personal information. To withdraw your consent or erase your personal information, please go to your personal profile, to confirm the withdrawal or erasure.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Children Under 13 Our Services are not designed for children under 13 and we do not knowingly collect data relating to children. If we discover that a child under 13 has provided us with personal information, we will delete such information from our systems.
Additional information for certain jurisdictions. We are committed to respecting the privacy rights of individuals under all privacy laws applicable to us. Some privacy and data protection laws require that we provide specific information about individual rights to applicable consumers, which we have set forth at the end of this privacy notice:
__ EU/EEA:__* if you are in the European Union / European Economic Area, we provide further details about your rights under the GDPR below.
Contact Us You have the right to make a complaint at any time to your respective supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
If you have questions about the privacy aspects of our Services or would like to make a complaint, please contact us at 180 N. LaSalle, Suite 500, Chicago, IL 60601 or at firstname.lastname@example.org.
Changes to this Policy This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Site, at https://www.level-ex.com/privacy-policy/. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Site, or email@example.com.
Additional Information for California Residents California residents may request a list of certain third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make one request per calendar year. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by contacting us at firstname.lastname@example.org. Please allow up to thirty (30) days for a response.
European Union (EU) General Data Protection Regulation (GDPR) Level Ex may at times be subject to GDPR, which is the European Union’s General Data Protection Regulation, as a controller or processor, of personal data as described below:
- The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Any data subjects (i.e. anyone) based in the EU, or anyone handling or targeting the personal data of an EU-based individual must have processes, technology, and automation to effectively protect such personal data.
- The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders in the EU or who monitors the behavior of personal data in the EU.
- To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the EU to follow the requirements set forth in the GDPR.
In compliance with GDPR, Level Ex has implemented data security processes set forth below to ensure the following are properly identified and processed:
Data Subject: A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a National Provider Identifier (NPI) number, a user name, or a web cookie.
Personal Data: Any personal information, including sensitive personal information, relating to a Data Subject. For example, email address, occupation, graduation year, and ZIP Code (for healthcare providers).
Controller: A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization that works with Level Ex and determines the processing of personal data provided to Level Ex. Level Ex is a controller for its third-party partners when Level Ex determines the processing of personal data provided to the third-party.
Processor: A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
Recipient: A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, attorney, an insurance agent, or an agency.
Enterprise: Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.
Third party: Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
Supervisory Authority: An independent public authority established by an EU member state (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency. Key GDPR Data Security Requirements: Level Ex’s key GDPR data security requirements can be broadly classified into three categories:
- Prevention, and
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes key data security requirements discussed in the GDPR and adopted by Level Ex.
Specifically, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. More on these security measures, limitations, and procedures is described below.
Assess Security Risks: Data protection impact assessments lay a foundation for preventing breaches by evaluating the gaps and risks. The GDPR mandates that Controllers perform Data Protection Impact Assessments when certain types of processing of Personal Data are likely to present a “high risk” to the data subject. Level Ex’s assessment includes a systematic and extensive evaluation of processes, profiles, and how these tools safeguard the Personal Data, and when applicable a data processing agreement with Controllers and Processors.
Prevent Attacks: At various places in the regulation, the GDPR reiterates the importance of preventing security breaches. The GDPR recommends several techniques to prevent an attack from succeeding:
- Encryption: The GDPR considers encryption as one of the core techniques to render the data unintelligible to any person who is not authorized to access the personal data. When applicable, Level Ex encrypts personal data it collects to render it unintelligible if accessed without authorization, and as applicable when processing or transferring the data to a Processor.
The GDPR provides that in the event of a data breach, the Controller does “not” need to notify data subjects if data is encrypted and rendered unintelligible to any person accessing it.
- Anonymization and Pseudonymization: Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information un-identifiable to an individual or entity. Where applicable, Level Ex anonymizes and pseudonyms the personal data it processes. This includes aggregating the data to be personally unidentifiable, such that the Personal Data is rendered anonymous and unlinkable to the original identity of a data subject.
- Privileged User Access Control: The GDPR implies controlling privileged users who have access to the Personal Data to prevent attacks from insiders and compromised user accounts. Level Ex limits access to Personal Data to specific individuals within the organizations, and with instructions as to the sensitivity of the Personal Data to prevent attacks and compromises of the Personal Data.
- Fine-grained Access Control: In addition to privileged user control, the GDPR recommends adopting a fine-grained access control methodology to ensure that the Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organizations minimize unauthorized access to Personal Data. Level Ex selectively uses Personal Data for the specific purpose for which it is required.
- Data Minimization: The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Person Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity. Level Ex minimizes the Personal Data it collects by considering what is adequate and relevant to what is necessary in relation to the purposes for which they are processed.
Monitor to Detect Breaches: While preventive security measures help Level Ex minimize the risk of attack, they cannot eliminate the possibility that a data breach may occur. Thereby Level Ex monitors and alerts to detect such breaches through recording or auditing of the activities on the Personal Data and maintaining it so that processors and third parties must not be able to tamper or destroy the audit records. In the case of a Personal Data breach, Level Ex shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of any Personal Data breach.
The three broad categories of security guidelines (assessment, prevention, and detection) help Level Ex address threats from multiple angles and secure the data from unauthorized access.
In addition, Level Ex mandates making data protection a core part of the system. Considering security during the initial design phase of our features in the technology life cycle increases the security worthiness of Level Ex’s system and ensures that technical security controls will perform as expected. As part of this, Level Ex has implemented centralized administration when dealing with security of multiple applications and systems as they help take immediate actions in case of a breach. Centralized controls also enforce uniformity across multiple targets, reduce the chances of errors on individual targets, and leverage the best practices across the enterprise. Since threats and attacks can come from multiple sources Level Ex, works to be prepared from all directions, and mandates protection of Personal Data in all stages of the data lifecycle such as data at-rest and in-transit.
Transfer of EU data subjects personal data to third parties outside the EU: Many of our external third parties are based outside the European Economic Area (EEA) so their processing of EU data subjects’ personal data will involve a transfer of data outside the EEA. Whenever we transfer an EU data subject’s personal data to external third parties based outside of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer EU data subjects personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the EU and the US. For further details, see European Commission: EU-US Privacy Shield.