Reciprocal Labs Corporation, d/b/a Propeller Health (“Propeller Health,” “we,” “our,” or “us”) complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Privacy Shield Personal Data (as defined below) from European Economic Area countries and Switzerland. Propeller Health has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/
When individuals and family members share information with Propeller, they expect that their data will be treated with respect. Our commitment to patient privacy goes beyond treating patient data as if it were our own; we strive to give each person autonomy and control over how their information is used and shared. Propeller is honored to walk with patients on their journey to better health. Our goal is to live up to this position of high trust and use that health information to improve every person’s quality of life.
“Data Subject” means the individual to whom any given Privacy Shield Personal Data refers.
“Personal Data” means any information relating to an individual residing in the European Economic Area or Switzerland that can be used to identify that individual either on its own or in combination with other readily available data.
“Privacy Shield Personal Data” means Personal Data received by Propeller Health in the U.S. from European Economic Area member countries and Switzerland in reliance on the Privacy Shield.
“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, sexual life, or criminal record.
Scope and Responsibility
This Privacy Shield Policy applies only to Privacy Shield Personal Data.
All employees of Propeller Health that have access in the U.S. to Privacy Shield Personal Data are responsible for conducting themselves in accordance with this Privacy Shield Policy. Adherence by Propeller Health to this Privacy Shield Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations.
Propeller Health employees responsible for engaging third parties to which Privacy Shield Personal Data will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of the Privacy Shield Principles, including any applicable contractual assurances required by Privacy Shield.
Privacy Shield Principles
Propeller Health commits to subject to the Privacy Shield Principles all Privacy Shield Personal Data (i.e., all Personal Data received by Propeller Health in the U.S. from European Economic Area member countries in reliance on the Privacy Shield).
1. Notice
Propeller Health notifies Data Subjects about its data practices regarding Privacy Shield Personal Data, including: (i) the types of Privacy Shield Personal Data it collects about them; (ii) the purposes for which it collects and uses such Privacy Shield Personal Data; (iii) the types of third parties to which it discloses such Privacy Shield Personal Data and the purposes for which it does so; (iv) the rights of Data Subjects to access Privacy Shield Personal Data about them; (v) the choices and means that Propeller Health offers for limiting its use and disclosure of Privacy Shield Personal Data; (vi) how Data Subjects can contact Propeller Health with any inquiries or complaints; and (vii) other information about Propeller Health’s compliance with the Privacy Shield as required by the Notice principle. Notice is provided in clear and conspicuous language—including through this Privacy Shield Policy—when Data Subjects are first asked to provide Privacy Shield Personal Data to Propeller Health or as soon thereafter as is practicable, but in any event before Propeller Health uses such Privacy Shield Personal Data for a purpose other than that for which it was originally collected or processed by the transferring organization located in the European Economic Area or discloses it for the first time to a third party.
The Privacy Shield Personal Data that Propeller Health collects includes patient data, customer data, clinical trial participant data, caregiver data, and health care provider data. Propeller Health collects sensitive personal information such as medication lists and other clinical data specific to the individual’s situation. Data collected may include: Name, Email address, Mailing address, Date of Birth, Medical Condition and Phone number. We may collect Privacy Shield Personal Data when you create a Propeller account, use our mobile apps or websites, use our products, participate in a clinical trial, or otherwise contact us with a question, comment, or request.
The purposes for which Propeller Health collects and uses such Privacy Shield Personal Data include:
- Providing you with products and services, including customization and development of those products and services;
- Responding to your questions and comments and otherwise providing information that you request;
- Coordinating your care with your health care providers and health plans;
- Obtaining payment for our products and services;
- Handling complaints;
- Analyzing and improving the products and the services we provide;
- Delivering marketing communications, promotional materials, or advertisements that may be of interest to you;
- Conducting research, including through clinical trials;
- Performing our legitimate everyday business operations; and
- Other purposes as required or permitted by law.
In addition, we may use de-identified health information to contribute to public health efforts regarding respiratory disease and for other uses.
Propeller Health may disclose such Privacy Shield Personal Data to the following types of third parties:
- agents (e.g., third party service providers) that need the information to perform services on our behalf;
- your health care providers and health plans, in connection with coordinating your care, improving your treatment, and/or obtaining payment for our products and services;
- third parties designated by you and with whom you elect to share your information through our mobile apps or websites (e.g., friends, family, and health care providers);
- third parties in association with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets;
- third parties as required by law or regulation and when we have a good faith belief that it is necessary to protect the legal rights, safety, and security of us or others; and
- law enforcement or other government entities to comply with or respond to law enforcement or legal process or a request for cooperation, such as complying with legal requirements to disclose Privacy Shield Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
2. Choice
If Privacy Shield Personal Data is to be used for a new purpose that is materially different from that for which the Privacy Shield Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, Propeller Health will provide Data Subjects with an opportunity to choose whether to have their Privacy Shield Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Privacy Shield Personal Data should be sent to: [email protected]
If Privacy Shield Personal Data that qualifies as Sensitive Personal Data is to be used for a new purpose that is different from that for which the Privacy Shield Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party, Propeller Health will obtain the Data Subject’s explicit consent prior to such use or disclosure, except if the use or disclosure is:
- In the vital interests of the Data Subject or another person;
- Necessary for the establishment of legal claims or defenses;
- Required to provide medical care or diagnosis;
- Necessary to carry out Propeller Health’s obligations in the field of employment law; or
- Related to data that are manifestly made public by the Data Subject.
3. Accountability for Onward Transfer
In the event we transfer Privacy Shield Personal Data to non-agent third parties, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Privacy Shield Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection to that Privacy Shield Personal Data as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Privacy Shield Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Propeller Health has knowledge that a non-agent third party is processing Privacy Shield Personal Data in a way that is contrary to the Privacy Shield Principles, Propeller Health will take reasonable steps to prevent or stop such processing.
With respect to our agents, we will transfer only the Privacy Shield Personal Data needed for an agent to deliver to Propeller Health the requested service. Furthermore, we will (i) permit the agent to process such Privacy Shield Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection to that Privacy Shield Personal Data as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Privacy Shield Personal Data transferred in a manner consistent with Propeller Health’s obligations under the Privacy Shield Principles; and (iv) require the agent to notify Propeller Health if it makes a determination that it can no longer meet its obligation to provide the same level of protection to the Privacy Shield Personal Data as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, Propeller Health will take reasonable and appropriate steps to stop and remediate unauthorized processing.
Propeller Health remains liable under the Privacy Shield Principles if an agent processes Privacy Shield Personal Data in a manner inconsistent with the Privacy Shield Principles, except where Propeller Health is not responsible for the event giving rise to the damage.
4. Security
Propeller Health takes reasonable and appropriate measures to protect Privacy Shield Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Privacy Shield Personal Data.
5. Data Integrity and Purpose Limitation
Propeller Health limits the collection of Privacy Shield Personal Data to information that is relevant for the purposes of processing. Propeller Health does not process such Privacy Shield Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject. Propeller Health takes reasonable steps to ensure that such Privacy Shield Personal Data is reliable for its intended use, accurate, complete, and current.
Propeller Health retains Privacy Shield Personal Data in identifiable form only for as long as it serves a purpose of processing, unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such Privacy Shield Personal Data.
6. Access
Data Subjects have the right to access Privacy Shield Personal Data about them and to correct, amend, or delete such Privacy Shield Personal Data if they can demonstrate that it is inaccurate. However, this right may be restricted in limited circumstances, such as when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated. Requests for access, correction, amendment, or deletion should be sent to: [email protected]
7. Recourse, Enforcement, and Liability
Propeller Health’s participation in the Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission.
Propeller Health agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Propeller Health acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
In compliance with the Privacy Shield Principles, Propeller Health commits to resolve complaints about your privacy and our collection or use of your Privacy Shield Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact Propeller Health at:
1 S. Pinckney Street, Suite 610 Madison, WI 53703
Propeller Health has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. The services of BBB EU PRIVACY SHIELD are provided at no cost to you.
Please note that if your complaint is not resolved through these channels, under certain conditions, you may be able to invoke binding arbitration before a Privacy Shield Panel, as described in Annex I of the Privacy Shield (available at https://www.privacyshield.gov/article?id=ANNEX-l-introduction).
Changes to this Privacy Shield Policy
This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Appropriate notice regarding such amendments will be given.
Effective Date: May 29, 2019