X-Rite Privacy Policy
Effective Date 07/20/2022 (last updated 11/10/2022)
X-Rite values your privacy and the protection of your personal data. This policy (“Policy”) explains how X-Rite, its affiliates, subsidiaries or related companies, a full list of which can be located here (together, “X-Rite,” “our,” “us,” or “we”), collects, uses, shares, transfers and processes data collected from or about you.
“Personal Data” is any information that can be used to directly or indirectly identify an individual or that can be reasonably expected to link to an individual. This can include items such as name, address, telephone number, credit card details, email address, ID number, Internet Protocol (“IP”) address of an electronic device used by an individual, or other identifying code (even in the absence of other identifying information). Statistical and non-identifiable metric data are not considered Personal Data.
This Policy describes the types of Personal Data that
we may collect, process, or disclose about you and how you may govern this
processing by exercising applicable legal rights. This Policy applies to both online and
offline information collection, including your use of websites or subdomains
operated by us, any mobile applications, when we provide products and/or
services to you or notify you about prospective items of interest and in other
situations where you interact with us in-person, by telephone or by mail where
this Policy is posted or referenced.
There may be occasions where you have been provided with a circumstance-specific privacy notice that is separate from this Policy, such as privacy notices for specific activities such as Recruitment. To the extent you were provided with a different notice, those notices apply and govern our interactions with you. If you provide Personal Data about parties other than yourself, you are responsible for ensuring their knowledge of how we will process their Personal Data and, where applicable, obtaining any necessary consents required in advance.
We are committed to processing Personal Data in accordance with applicable laws. Please note that if you do not wish to provide your Personal Data to us, some products and/or services may become unavailable to you. Your use of any or all of these platforms indicates you have been notified of our collection, use, transfer, and disclosure of your information as described in this Policy to the extent permitted by applicable law.
We connect with individuals for many different
reasons. Those interactions may result in us directly or indirectly gaining
access to Personal Data about you. The below
table summarizes how we may collect, process, and use Personal Data, our legal
basis for processing your information, and the potential recipients of your information. Please note, not all instances may be
applicable in all circumstances.
The below table denotes the categories and sources of
Personal Data that may be processed under this Policy in addition to the
purposes and legal bases for such processing.
Please note that the items contained within this table may be shared, received or processed by X-Rite, our partners that assist us in providing the products or services or help us improve our marketing or administration, Healthcare Practitioners (“HCPs”), patients, persons with the legal right to access the Personal Data and Parties involved in potential business transactions.
Identity and Contact Information

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| First and last name, email address, postal address, phone number, job title, professional license numbers, account username and password, IP address, and national provider identifier or state license number | Directly from you; from your devices; from our business partners; from publicly available sources; from your HCP; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to offer or provide our products and services; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; promoting quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

Demographic Information

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| Age, gender, marital status, disability, and date of birth | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

Commercial and Financial

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| Transaction records, products and services (purchased, obtained, or considered), requested documentation, customer service records, financial transaction history, transfers of value, and financial account number | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

Professional and Educational Information

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| Job title or position, employer, National Provider Identifier number, work skills, employment history, graduate degree, certification, specialized training, responses to surveys and questionnaires, and enrollment history for our education and training events, LinkedIn profile | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

Technical Information

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| IP addresses, browser type, browser language, device type, advertising IDs associated with your device (such as Apple’s Identifier for Advertising (IDFA) or Android’s Advertising ID (AAID)), the date and time you use our products and services, Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our products and services, activity on our products and services and referring websites or applications, data collected from cookies or other similar technologies, and geolocation information | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our products and services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our products and services; to improve our products and services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of assisting in medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

Health Information

| Examples of Personal Data Processed | Sources of Personal Data | Purpose of Processing the Personal Data | Legal Basis for Processing the Personal Data |
|---|---|---|---|
| Information regarding your treatment, including your date of birth, sex/gender, treatment dates, medical history, and treatment information, patient-reported outcome measures (e.g., responses to questionnaires and surveys), X-rays, magnetic resonance imaging, medical scans, user activity, pictures and videos of treatment activities, therapy completion and use details, and communications with your Healthcare Provider and/or patient, including audio and/or video from telehealth sessions, allergy information; Medical Insurance Information and details pertaining thereto. | Directly from you; from your devices; from our business partners; from publicly available sources; from your Healthcare Practitioner; from your patients; from other subsidiaries, affiliates or related companies of X-Rite as detailed here | To provide you with our Products and Services; to communicate with you; to identify and authenticate you; to customize content for you; to detect security incidents; to protect against malicious or illegal activity; to ensure the appropriate use of our Products and Services; to improve our Products and Services; for short-term, transient use; for administrative purposes; for marketing, internal research, and development; and/or for quality assurance | For the purposes of our legitimate interests; in the public interest; to comply with a legal obligation; to perform a contract; to protect vital interests; for the purposes of medical treatment and/or diagnosis; ensuring quality and safety of medical products/services/devices; in circumstances where we have requested and received consent; and for other purposes that may be required or allowed by law dependent upon the type of Personal Data |

If you are a patient based in the US, please note that this Policy is distinct from your Healthcare Practitioner’s HIPAA Notice of Privacy Practices, which describes how your HCP uses and discloses individually identifiable information about your health that it collects, as well as any other privacy practices it applies. Personal Data we receive on behalf of your Healthcare Practitioner is not subject to this Policy.
X-Rite may process anonymized/de-identified data. This is data from which the characteristics that can identify you, directly or indirectly, have been removed such that you are no longer identifiable, and this information is no longer considered Personal Data under data protection laws. In the United States, this includes the removal of identifiers from protected health information required under HIPAA, 45 CFR § 164.514(b)(2), for such data to be considered de-identified. We rely on our legitimate business interest, scientific or historical research and/or statistical purposes, consent or other purposes that may be required or allowed by law as the legal basis to anonymize Personal Data.
We may also obtain and use certain types of combined data sets such as
demographic data for any purpose (“Aggregated Data”). Aggregated Data
may be derived from your personal data but does not directly or indirectly
reveal your identity. For example, we may aggregate certain information
technology-related data of yours with others’ data to calculate the percentage
of users accessing a specific feature on our website. We may use Aggregated
Data for any purpose without restriction. However, if we re-combine or
re-connect Aggregated Data with your personal data so that it can directly or
indirectly identify you, we treat the combined data as personal data which will
be used in accordance with this Policy.
We combine information we collect on the website with
information we receive from you in person, by email, or by other forms of
communication. We also combine information you provide with information we
obtain from third parties, service providers, publicly available sources and
our subsidiaries, affiliates, or related companies.
Our sites and apps are meant for
adults. We do not knowingly collect Personal Data from children 17 years old or
younger without permission from a parent or legal guardian. If you are a parent
or legal guardian and think your child has given us information, you can email
or write to us using the details in the ‘Contact Us’ section below.
We may transfer your information to, and process and store it in, the US, Canada, India, European Union member states, the United Kingdom, or other countries. Our affiliates or other third-party service providers may also transfer, process, or store your information in the US or other countries. Our sites and businesses may be subject to US laws, which may not afford the same level of protection as those in your country.
We may transfer your Personal Data to
recipients in countries other than the country in which your Personal Data was
originally collected. When we transfer your Personal Data in such a manner, we
take steps for your data to be protected consistent with the laws and
requirements in your country, including the requirements that apply to
cross-border data transfers. We
implement appropriate technical and organizational measures to provide a level
of security appropriate to the risk of protecting your Personal Data against
accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. As is the case with all websites,
applications, products, and services, we unfortunately cannot guarantee
security of the data collected at all times.
If we are involved in a sale or transfer of all or some of our business assets or operations via a share or asset transaction, your Personal Data may be transferred to the acquiring organization, which will be required to apply the same or higher standards of care in the treatment of your Personal Data. Should such a sale or transfer occur, if required by law, you will be informed about this and may withdraw your consent or, as applicable, exercise any other legally available rights as detailed in the “Rights and Choices” section of this Policy with regard to the processing and use of your Personal Data by the transferee.
As outlined in the table above, your interaction with our websites is an additional source for collecting your information. We may use “cookies”, web beacons, and other technologies to help us evaluate and improve the content or functions of the products or services we provide. We collect your information through several methods:
· Web beacons
· Pixels
· Tags
· Tracking Cookies
· Marketing Cookies
· Analytic Cookies
· Social Media Cookies
Our Cookie Policy
provides more detailed information about this topic and how we use cookies to enhance
your experience and better serve you.
We may link to other sites or apps on our platforms
that we do not control. If you click on a third-party link, you will be taken
to a platform we do not control. This policy does not apply to the privacy practices
of that website or platform. Read other companies’ privacy policies carefully.
We are not responsible for these third parties. Our site may also serve third
party content that contains their own cookies or tracking technologies. We do
not control the use of those technologies.
We will retain Personal Data for as long as is necessary to carry out the purposes the Personal Data was collected for or for the period prescribed by applicable laws, whichever is longer. In considering how long to retain your Personal Data, the following are considered:
· The potential risk of harm if the data was subject to unauthorized use or disclosure;
· The volume and sensitivity of the Personal Data;
· Applicable legal requirements; and
· If circumstances have changed such that the purposes for which the Personal Data was collected can be achieved by other means.
When the retention of your Personal Data is no longer required,
we will delete or anonymize the data as per the details provided above.
Some jurisdictions have provided individuals with rights in relation to the processing of their Personal Data. These rights are not available to everyone, and they do not necessarily apply in all contexts. Depending on the applicable law or the legal basis, you may have the right to:
· Object to the processing of your Personal Data;
· Request access to your Personal Data;
· Request correction of your Personal Data should your Personal Data be inaccurate, incomplete, or obsolete;
· Request erasure/deletion of your Personal Data;
· Withdraw your consent to future processing where we processed Personal Data on the basis of your consent;
· Request restrictions on the processing of your Personal Data, including restricting the sale of or sharing of your Personal Data;
· Request the transfer of your Personal Data to yourself or a third party;
· Opt out of certain transfers to third parties.
To exercise a right that you believe you may be entitled to under applicable law, you can contact us directly by email at privacy@xrite.com or in writing at the address in “Contact Us”. We may need to verify your identity before we fulfil your request or, under applicable law, we may refuse to action your submission. We shall notify you in a timely manner of such decisions or requirements, as necessary.
California Residents. Our California Consumer Rights Notice provides an overview of how consumers in California receive certain privacy rights and protections.
Filing a Complaint. If you are not able to resolve a problem directly with us and wish to make a formal complaint, you can contact your local data protection authority or other enforcement authority.
If you have any
questions about this Policy or our data practices, you can write to us at:
X-Rite, Incorporated
Attn: Privacy Office – Vicky Schott
4300 44th Street SE
Grand Rapids, MI 49512
Alternatively, you can email us directly at privacy@xrite.com.
From time to time we may
change our privacy policies. The most updated copy will be found on our
website. Please check our site periodically for updates.
Click here
for a table of applicable controllers and responsible entities.