EFFECTIVE DATE
This Privacy Notice is effective as of November 7, 2019.
BY INTERACTING WITH THE WEBSITE AT WWW.HONEYBEEHUB.IO (THE “SITE”), ITS WEB APPLICATION (“WEBAPP”) AVAILABLE THROUGH THE SITE AND THE HONEYBEE™ MOBILE APPLICATION (THE “MOBILE APP”), EITHER AS A VISITOR OR AS A USER, YOU AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY NOTICE AND TO OUR TERMS AND CONDITIONS.
This Privacy Notice applies to PII and Personal Health Information that Honeybee Hub Inc. (“Honeybee Hub”), located at 100 College St. Suite 250 Toronto Ontario M5G 1L5, Canada, collects through its Site, WebApp, and Mobile App in providing its Services.
Below are highlights of our Personally Identifiable Information and Personal Health Information handling practices.
Privacy Notice Highlights
The terms "we", "our" and "us" mean Honeybee Hub and the terms “you” and “your” mean the visitors or users of the Site and the users of the WebApp and the Mobile App.
Capitalized words in these Privacy Notice Highlights are defined in the Detailed Privacy Notice.
Information We Collect
We collect your Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) from the following sources:
⦁ information you give us when you contact us through the Contact Us Page on our Site, open an Account or subscribe for Services, when you submit customer service inquiries, or when you submit customer feedback or reviews;
⦁ information we collect automatically when you visit our Site, WebApp, and Mobile App such as information about your browser settings, operating system, and other information collected through cookies;
⦁ the information you provide to us during your Account setup; and
⦁ medical information that our service providers collect on our behalf with your consent from your health records or your fitness apps.
How We Use and Disclose Your Information
⦁ We use your PII and PHI that we or our service providers collect from you to provide the Services on our WebApp and to manage our business operations, such as to authenticate you when you sign in to your Account, to prevent loss of data and fraud, to process your subscription payment, and to monitor and improve the performance of our Site, WebApp and Mobile App.
⦁ We and our service providers may combine or aggregate your de-identified and pseudonymized PII and PHI, so that it will be unlikely to re-identify you from it, to monitor trends and provide and improve our respective products and services.
⦁ We may share with or transfer your PII and PHI that we, or our service providers, collect from you to our service providers or Affiliates who may be located outside of the country from which you access our Services under a Data Collection and Sharing Agreement, but that information may be subject to privacy laws that differ from those of the country from which you access our Services.
⦁ We may also disclose your PII and/or PHI if a court order requires us to do so.
⦁ With your consent, we may use your PII to contact you for marketing, promotional, or other purposes.
Your Choices and Consent
⦁ You can change your communication preferences for marketing and advertising e-mails, participation in surveys, and to provide or withdraw consent for specific requests we or our service providers may make to collect and use your PII and PHI in the Profile section of your Account.
⦁ You may withdraw your consent from our further use of your PII or PHI and you may close your Account. If you do so, we may still use your PII and PHI for the purposes to which you consented before you withdrew consent and we may keep information about you and your previous transactions with us for audit purposes, to ensure the integrity of our data, and to fulfill legal requirements.
How to Contact Us
If you have a privacy question or concern, please contact us at: firstname.lastname@example.org. Please review our Detailed Privacy Notice for more information about our practices.
DETAILED PRIVACY NOTICE:
1. Background
2. SCOPE
3. ACCOUNTABILITY
4. LIMITING COLLECTION: WHAT INFORMATION DO WE COLLECT?
5. LIMITING USE: HOW DO WE USE YOUR PERSONAL INFORMATION?
6. DISCLOSURE: WHEN DO WE DISCLOSE YOUR PII AND PHI TO OTHERS?
7. SAFEGUARDS: HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
8. DATA BREACH
9. DATA RETENTION: HOW LONG DO WE KEEP YOUR PII AND PHI?
10. DATA STORAGE AND TRANSFER
11. AGE AND CONSENT
12. THIRD-PARTY SERVICES AND LINKS
13. ACCURACY: HOW DO YOU MODIFY YOUR INFORMATION?
14. ACCESS: RIGHT TO YOUR DATA
15. ACCOUNT CLOSURE: DATA DELETION
16. CHALLENGE COMPLIANCE
17. CHANGES TO THIS PRIVACY NOTICE
The website www.honeybeehub.io (the “Site”), its web application (“WebApp”) available through the Site and the Honeybee™ mobile application (the “Mobile App”) are owned and operated by Honeybee Hub (“Honeybee Hub”).
Honeybee Hub provides a secure research study discovery hub through our Site, WebApp, or Mobile App (the “Platform”) that connects researchers in a variety of research areas with individuals interested in being research study participants (together the “Services”).
As used in this Privacy Notice, capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions; otherwise the following terms have the following meaning:
“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you. This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your Internet Protocol (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site and the WebApp and the Mobile App, if we can associate that PII with you. If you interact with our Site or our WebApp on behalf of an entity, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity.
“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers.
"we", "us" or "our" means Honeybee Hub Inc. and any of our Affiliates.
"you" or "your" means an individual Using the Site, the WebApp, the Mobile App, or the Content as a visitor, a prospective or current Client, or an Account holder.
This Privacy Notice helps visitors to our Site and Users of the WebApp and Mobile App to better understand how we collect, use, and store your PII and PHI.
We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.
We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. If we are acquired by another company your PII and PHI will be transferred from us to that entity under security safeguards appropriate for the sensitivity of the information. If you do not wish to continue to receive services through that entity, you may close your account. We limit the PII or PHI we share with service providers and limit their use of the data we share with them through Data Protection Agreements. We and our service providers comply with privacy and data security legislation including:
⦁ In Canada: the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), Personal Information Protection Act (“PIPA”) (Alberta and British Columbia), the Health Information Act (“HIA”) (Alberta); E-Health Act (British Columbia); An Act Respecting the Protection of Personal Information in the Private Sector (Quebec); Personal Health Information Privacy and Access Act (New Brunswick); Personal Health Information Act (Newfoundland and Labrador); all including their Regulations and as updated from time to time.
⦁ In the United States: the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its Regulations and the Health Insurance Portability and Accountability Act (“HIPAA”) and its Regulations, including the Security Standards at 45 CFR Part 160 and Part 164 (45 CFR §§ 164.308(b)(1), 164.310, 164.312, 164.314(a)(1)(i) and 164.316) and the Electronic Protected Health Information (Subpart C of 45 CFR Part 164) (together the “Security Rule”), the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164 (45 CFR §§ 164.502(e) and 164.504(e)(1)(ii)) (the “Privacy Rule”); and the Breach Notification Standards under 45 CFR §§ 164.400-414 (“Breach Notification Rule”).
⦁ Any other provincial, state, or federal laws and regulations that govern the security of data and the privacy of individuals, if not pre-empted by HIPAA or PIPEDA and as applicable to the subject matter of this Agreement; and
⦁ Compliance with ISO/IEC 27002:2013 Code of practice for information security controls: 15.1: Information security in supplier relationships for both Canadian and American service providers.
We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at email@example.com.
4. Limiting Collection: What Information Do We Collect?
The ways we collect PII and PHI can be broadly categorized into:
Information you provide to us directly: When you visit or use parts of our Site, the WebApp, or the Mobile App we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.
We collect your PII and PHI when you open an Account and when you interact with a Researcher on our Platform. For example, we will collect identification and contact information, such as your name, mailing address, date of birth, and demographic information to be able to properly identify you, to contact you, and where applicable, to process a credit card payment for your subscription to our Services. We will also collect PHI that you disclose to a Researcher on our Platform, such as your medical conditions, treatment information, surgeries, allergies, blood type, and other information that a Researcher needs to determine if you are eligible for a Research Study.
If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot receive our Services.
Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined.
5. Limiting Use: How Do We Use Your Personal Information?
We collect and use PII, PHI and non-personal information for the following purposes:
⦁ To provide Services. We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the WebApp, the Mobile App, the Content, our Services, and our business.
⦁ To improve our Site, WebApp, and Services and develop new ones: We monitor how you use the Site, the WebApp, the Mobile App, and the Services so we can improve our offerings, user experience, and design new features.
⦁ To detect and prevent any fraudulent or malicious activity and to make sure that our Site, WebApp, Mobile App, Content, and Services are used fairly and according to our Terms of Service.
⦁ With your consent, to send you targeted advertisements such as general or personalized notices and promotional messages, or to send news about us;
⦁ With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
⦁ To comply with any laws and regulations.
6. Disclosure: When Do We Disclose Your PII and PHI to Others?
We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who help us with marketing and promotional services. We enter into discrete Data Collection and Sharing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.
We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.
We may share your PII or PHI, as applicable, without your explicit consent and without notice to you:
⦁ To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
⦁ To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, this Privacy Notice, or as otherwise required by law.
⦁ To establish or defend our legal rights. Where possible and appropriate, we will notify you.
⦁ To an actual or potential buyer of Honeybee Hub (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
⦁ To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
⦁ To protect the security of the Site, the WebApp, and the Mobile App, our Services, and the security of your Account.
7. Safeguards: How Do We Protect Your Personal Information?
We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.
Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, WebApp, and our Services from end-to-end using industry-standard Transport Layer Security (“TLS”) or Secure Sockets Layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address the handling of PII and PHI, and we train our staff on them. All our staff members and contractors are legally bound to confidentiality.
We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider. The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they implement additional generally accepted industry standards.
We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Collection and Sharing Agreements we have with them.
8. Data Breach
We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.
Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
IF A BREACH OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS OCCURS, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.
9. Data Retention: How Long Do We Keep your PII and PHI?
We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.
Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law. We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.
PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
PII collected by our direct payment gateway provider to process a transaction on the WebApp and the Mobile App is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.
We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.
10. Data Storage And Transfer
The PII and PHI we or our service providers collect from our Canadian and United States Clients will be stored in Canada; however, their PII and PHI may be used or stored by our service providers outside of Canada.
We enter into discrete Data Collection and Sharing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI. If your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored, which may differ from and be less protective of PII than the privacy laws of your country.
11. Age and Consent
Only individuals 18 years of age or older may subscribe to our Services and access the WebApp and the Mobile App.
A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.
When you provide PII or PHI to open an Account, interact with a Researcher to be evaluated for a Research Study, or to provide PII to complete a transaction by credit card, you consent to our collecting your PII and PHI required to complete these activities only.
When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.
YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.
Please visit the Settings tab in your Account or contact us at firstname.lastname@example.org if you wish to withdraw your consent for our use of your PII and/or PHI.
12. Third-Party Services and Links
You may access third-party websites through links available on our Site, the WebApp, or the Mobile App. These links are provided for convenience only. Once you leave our Site, WebApp or Mobile App and you are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms of Service.
We have no control over those third-party websites and you access them at your own risk. We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.
You acknowledge that these links may lead you to third-parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.
13. Accuracy: How Do You Modify Your Information?
We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used and will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.
We use reasonable means to ensure that the information in your Account record is accurate. You may update certain PII directly in your Account and you may also request access to your Account Record.
If you have questions or identify any errors in your Account Record, please contact us at email@example.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.
14. Access: Right to your data
You may access your Account Record and port the information from us to another entity. If you request a copy of your Account Record, we will provide it to you at no charge. You can request access to your Account record by contacting us at firstname.lastname@example.org.
Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws. We will provide you the legends for any special codes, acronyms or other similar information in the disclosed material, so your right of access is meaningful.
15. Account Closure: Data Deletion
To close your Account or to request that the PII or PHI we have about you be deleted, please email us at email@example.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.
16. Challenge Compliance
If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.
We are not responsible for the PII or PHI handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them.
Please notify our Chief Privacy Officer of your complaint by emailing firstname.lastname@example.org.
You can also reach us at:
Honeybee Hub Inc. 100 College St. Suite 250 Toronto Ontario M5G 1L5 Canada
We pledge to address your complaint promptly. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.
If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.
17. Changes to This Privacy Notice
We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.
When our Privacy Notice changes, the Site, the WebApp, and the Mobile App will display a notice prompting you to review the changes.
If we make substantive changes to this Privacy Notice, then in addition to displaying a notice on the Site, the WebApp, and the Mobile App we may also notify you by email at the email address associated with your Account.
The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.
By continuing to use the Site, the WebApp and the Mobile App, or the Services after you receive the notice you IMPLICITLY CONSENT TO BE BOUND BY THE PRIVACY NOTICE TERMS IN EFFECT ON THAT DATE ON WHICH YOU VISIT THE SITE, THE WEBAPP, OR THE MOBILE APP.
LAST UPDATED on March 4, 2020.
CHANGE LOG: March 4, 2020 - Added a section in Section 3 that explains what happens with user PII and PHI if Honeybee is acquired by another company.