PRIVACY NOTICE
The Ori Diagnostic Instruments General Privacy Policy is found on this page, and contains a description of personal data processing in the Ori Diagnostic Instruments Metabolic Health Monitoring system, ORI FIT-MET™ (“Service”), produced by Ori Diagnostic Instruments, LLC.
DATA CONTROLLER
Ori Diagnostic Instruments, LLC, address 3407 Middlebrook Dr., Durham, NC, 27705 (“ODI” or “Controller”). This document contains information about the personal data processing and complies with the EU General Data Protection Regulation (GDPR).
TERMS
“Subject” is the person whose measured data is used by ODI to produce the Service.
CONTACT PERSON FOR THE DATA CONTROLLER
The data Controller (ODI) can be contacted by e-mail at ori.zsolt@oridiagnosticinstruments.com or by telephone at +1 919-864-8140.
THE PURPOSE AND LEGAL BASIS OF PROCESSING THE PERSONAL DATA
The purposes of processing the personal data are for use in the basic operation of the Service, including user support operations, collecting statistics regarding Service usage, and conducting scientific and market research.
The basic operation and purpose of the Service is to provide individualized calculations and predictions of the data listed in the “THE TYPE OF PERSONAL DATA” section below. The Service provides direct feedback to each individual Subject. The Service is described in detail in the contract between ODI and Subject. Typical support operations include, for example, delivering user account information or the private web link to the Subject.
Personal data may be used to inform the Subject of ODI services, for example by sending a newsletter or by other ways of maintaining the customer relationship. The personal data of the Subject may be used to market a personal follow-up analysis in accordance with the applicable personal data legislation. Log data on use of the service is additionally saved in order to protect the legitimate interests of ODI and the Subjects, for example to investigate possible security breaches or to be able to prove that invoiced services have been delivered. Personal data may be processed individually or together with ODI’s other personal data files. ODI will keep an anonymized copy of data saved in the service for statistical and scientific research, such as for performing data simulations. Such statistical or scientific use of data is done using automated processes in such a way that data from an individual Subject cannot be identified during any stage of the process.
The legal justification for handling personal data is that it is necessary for the performance of a contract between ODI and the Subject or to take steps at the request of the Subject prior to entering into a contract with ODI.
THE PERSONAL DATA RETENTION PERIOD
Unless otherwise agreed, the personal data related to the measurement will be kept for 18 months after the last measurement to the Subject and subsequently erased. If the Subject has given a separate consent for a longer term retention, the personal data may be kept longer accordingly.
DESCRIPTION OF THE GROUP OF DATA SUBJECTS
The personal data from participating Subjects is processed in the Service.
DATA SOURCES
The Subject provides ODI with his/her email address. Each Subject is then emailed a personal web link to activate the Service. The other personal data is provided by the Subjects themselves via the web interface and through the use of measuring devices. A representative of ODI may additionally gather information from the Subjects when providing the Service. Information will also be created analytically through ODI’s own activities.
THE TYPE OF PERSONAL DATA
The database contains the following information (partial or complete) about the Subjects:
• Full name (first and last)
• Date of birth, gender, height, weight
• Activity class, maximum and resting heart rate, maximal oxygen consumption
• Information about chronic diseases and medication provided by the Subject
• Diary entries created by the Subject during the measurement period, e.g. alcohol consumption, current and recent illnesses and medications, self-documented events noteworthy of interest to the Subject.
• Step count
• Sleep related data
• Burnt calories related data
• Heart rate and heart rate variability data
• Stress level related data
• Body composition related data
• Pulse oximetry related data
• Exercise intensity related data
• Exercise activity details
• Body battery (heart rate variability, stress, and activity level to estimate the user’s energy reserves) related data
• Ingested food calorie related data
• Resting metabolic rate related data
• Physical energy expenditure related data
• Hydration status related data
• The results report created for the Subject based on the data analysis
• Contact information, e.g. email address
• Information about the use of the service
• Information about the consents of processing data in the service
The Subject may opt to use the Service anonymously with an unidentifiable user name. The e-mail address will always be saved.
PRINCIPLES OF DATA PROTECTION
ODI follows the best practices for managing data. ODI protects the data so that only the authorized personnel defined by ODI, who are bound by its policy of confidentiality, have access to the file and only for purposes related to their work. These ODI authorized personnel may be ODI owners, employees, or subcontractors. ODI ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and personnel security training. The data is kept in information systems produced or licensed by and controlled by ODI and the data is handled with ODI designed user interfaces. The Internet connection from the Subject web interface to ODI is protected with encryption (SSL). The personal link to the data entry form, which the Subject uses to enter personal data, only works for a limited time and will expire soon after it is started. If ODI uses third parties (subcontractors) for technical maintenance of the data, ODI fulfils the responsibilities required by the data protection law related to subcontractors. In all cases, the data is kept in information systems governed by ODI and neither ODI nor subcontractors will save information in any other systems.
TRANSFER OF PERSONAL DATA
Personal data may not be transferred outside ODI controlled information systems and servers in a manner that the data could be identified, except in the following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of ODI or a third party.
Personal data of the Subjects may be processed by authorized third parties, who process the data on behalf of the Controller for the purposes described in this document (for instance, service providers of technical infrastructure or services). Such service providers may use the personal data only according to the instructions from the Controller, i.e. only for the purpose for which the data has been collected. The Controller requires that the service providers operate according to the applicable law and this privacy policy, ensuring appropriate security for the personal data. ODI is located in the USA and in the course of provision of the Services personal data is transferred outside of the EU or EEA and processed and stored on information systems and servers located in the USA and governed by ODI. The Subject may also use the Service with a device outside the EU or the EEA, and in such cases, the data is visible on that device while using the Service. The risk inherent in such transfers for Subjects is that the USA has not yet received an adequacy decision from the EU that its legislation is at least as stringent as the EU’s GDPR. ODI mitigates this risk by following this Privacy Policy.
The legitimate bases for the transfer of personal data to the USA are that standard data protection clauses adopted by the EU Commission are present in ODI contracts with the Subject and that the processing is necessary for the performance of a contract between ODI and the Subject or to take steps at the request of the Subject prior to entering into a contract with ODI.
THE RIGHTS OF THE DATA SUBJECT
The data Subject has the right to inspect his/her personal information, change or request to change his/her information and the right to request erasure of personal information. Therefore, the Subject has the right to request the Controller to correct inaccurate or incorrect personal information without unnecessary delay. The Subject has the right to request erasure of his/her information without unnecessary delay, for example when the personal data is no longer required for the original purposes or the Subject withdraws consent to the processing and when there is no other legal ground for the processing. The Subject has the right to request the Controller to limit the processing in certain situations, including when the Subject disputes the accuracy of the information. Under some circumstances the Subject also has the right to object to the processing. The Subject may, under some circumstances, have the right to request transferring the personal data from one system to another. Whenever the legal justification for processing the personal data is consent, the Subject also has the right to withdraw the consent at any time. The Controller wishes that any disputes concerning the processing of personal data are primarily resolved in a conciliatory manner between the parties. If such a dispute cannot be resolved in a conciliatory manner, the Subject has the right to lodge a complaint with the authorities responsible for personal data protection. Any requests to inspect, modify or erase the personal data shall be indicated to ODI by a signed letter or similarly verified document, so that ODI can confirm the requestor has the right to make such a request. The request can be made by e-mail, if using the e-mail address registered when using the service. ODI may need to identify the Subject and ask for additional information in order to fulfil this kind of request.
This description of the personal data processing was updated on 02.10.19.
ODI follows the changes in legislation and regulator instructions related to personal data processing and develops the service further and will therefore reserve the right to make changes to this description.
Copyright © 2023 Ori Diagnostic Instruments, L.L.C. - All Rights Reserved.