OneMedNet Privacy Policy

Last Updated November 10, 2023

OneMedNet Corporation, headquartered in the State of Minnesota in the United States (“we”, “us”, “our”, and “OneMedNet”), is the creator and provider of BEAM, a service to securely exchange images and data between hospitals, clinics, healthcare providers and patients throughout the world. We take your privacy seriously and we have created this privacy policy to explain how we collect, share and use Personal Data when you visit OneMedNet.com (our “Website”) and how you can exercise your privacy rights in accordance with Data Protection Laws. Please read this policy in full to ensure that you fully understand how we use your Personal Data. Please note further that this policy does not cover users or subscribers to our BEAM services. BEAM subscribers may access the BEAM privacy policy here.

Key Terms

In this privacy policy, these terms have the following meanings:

“Data Controller” means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller.

“Data Processors” means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Data Processors to process your data more effectively.

“Data Protection Laws” means all applicable laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, US Privacy Laws, the United Kingdom and other parts of the world applicable to the processing of Personal Data.

“Personal Data” means any information that identifies or can be used to identify you or another individual, directly or indirectly. Examples of Personal Data include, but are not limited to, first and last name, email address, phone number and occupation.

“Service Partners” mean third-parties, including Data Processors, with whom we may have a contractual relationship to help service the Website, and whose privacy, safety and security protocols meet the requirements of this Privacy Policy and Data Protection Laws in general.

“Visitor” means any person who visits any of our Websites.

“you” and “your” means a Website Visitor.

“Website(s)” means any website(s) we own and operate.

Lawful Basis of Processing Personal Data

In order to process Personal Data of our Website Visitors we rely on the following lawful bases:

  1. Consent of individuals using our website in jurisdictions where it is required; or
  2. Legitimate Interest for providing continuity of care for healthcare purposes such as urgent or emergency care for a patient.


Personal Data Collection and Processing

We collect and process Personal Data applicable to Visitors to our Website, as follows:

  1. Information you provide to us: In the course of engaging with our Website you may provide Personal Data about yourself, such as your name, email address or other contact information when you send us an email, request additional information, or communicate with us in any other way. By giving us this information, you agree to this information being collected, used, and disclosed as described in our Terms of Use and in this Privacy Policy.
  2. Information we collect automatically: When you visit our Website, we may automatically collect certain information about your device and usage of the Website. We use cookies to collect some of this information. Please refer to our separate Cookie Policy.
  3. Information we collect from other sources: From time to time, we may obtain information about you from our Service Partners. We take steps to ensure that our Service Partners are legally or contractually permitted to disclose such information to us.


Use of Personal Data

We may use Visitors’ Personal Data, including name, address, phone number, IP address, and email address, for many reasons, including:

  1. To send you notifications and alerts.
  2. To monitor your use of the Website and to allow customer support to intervene if it is not functioning as expected.
  3. To provide you with Website support.
  4. For internal sales and marketing purposes as long as you are not identified as a patient.


We may also use Website Visitors’ Personal Data:

  1. To provide, support and improve the Website. For example, this may include sharing your information or your exchange partner’s information with third parties in order to provide and support our Website or to make certain features of the Website available to you.
  2. To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
  3. To enforce compliance with our Terms of Use and applicable law, and to protect the rights and safety of Website Visitors, third parties, as well as our own. This may include developing tools and algorithms that help us prevent violations or it can be used in the course of an investigation of a security incident.
  4. To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  5. To prosecute and defend a court, arbitration, or similar legal proceeding.
  6. To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.


Your Consent

Based on the disclosures provided in this Policy, we need your informed, clear and unambiguous consent for us to process your data outside of the European Union or outside of any other jurisdiction that has data transfer restrictions (e.g., EU, UK, Quebec, China). To give us this consent, please click here. Please note that processing your Personal Data outside of your jurisdiction may result in transfer of your data to a country that may not guarantee the same level of protection as your country of residence. That said, we will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this policy. If you do not consent, please do not visit or stay on the Website.

How We Share Information

  1. We will not sell or rent your Personal Data.
  2. Data Processors with whom we may share your data include the following categories of vendors, followed by examples of such providers: a platform used for customer relationship management (e.g., Hubspot), a platform used to track sales and marketing activities (e.g., Salesforce), a platform used for sales, marketing and recruiting (e.g., Zoominfo), and a platform used as a design and web development tool (e.g., Webflow).
  3. For Visitors, we may share and disclose your Personal Data to provide you access to our Website.
  4. We may share information we collect from you with a Data Processor for analyzing data, hosting data, managing relationships, engaging technical support, delivering content, and securing and monitoring our infrastructure.
  5. We may share your Personal Data with any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary.
  6. We may share your Personal Data with a potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition.

Your Rights Regarding Your Personal Data

Depending on where you live, and subject to our obligations under applicable laws, you may have certain rights and choices regarding your Personal Data. For example, in addition to choices described elsewhere in this policy, you may have some or all of the following rights and choices in general:

A. General Regional Rights

Access Rights: you may have the right to receive certain information, such as the following (these rights, and the applicable types of data and time periods, will vary depending on the laws applicable to the state or country in which you reside):

  1. The categories of Personal Data we have collected or disclosed about you; the categories of sources of such information; the business or commercial purpose for collecting or selling your Personal Data; and the categories of third parties with whom we shared Personal Data.
  2. Access to and/or a copy of certain Personal Data we hold about you.
  3. In some circumstances, you may have the right to obtain certain Personal Data in a portable format.

Erasure: you may have the right to request that we delete certain Personal Data we have about you. We may either decide to delete your Personal Data entirely, or we may anonymize or aggregate your Personal Data such that it no longer reasonably identifies you. Certain Personal Data may be exempt from such requests under applicable law. For example, we need certain types of information so that we can provide our services to you, we may be required to retain certain information for legal purposes, and there may be other reasons we may need to keep certain Personal Data under various applicable laws.  In addition, if you ask us to delete your Personal Data, you may no longer be able to access or use some of our services.

Correction: you may have the right to request that we correct certain Personal Data we hold about you.

Limitation of Processing: Certain laws may allow you to object to or limit the manner in which we process some of your Personal Data, including the ways in which we use or share it. For example, you may have these rights if the processing was undertaken without your consent in connection with our legitimate business interests (although we may not be required to cease or limit processing in cases where our interests are balanced against your privacy interests).

Regulator Contact: You may have the right to contact or file a complaint with regulators or supervisory authorities about our processing of Personal Data.  To do so, please contact your local data protection or consumer protection authority.

If you believe that you have specific rights under your jurisdiction and you would like to exercise any of these rights, please submit a support request through our website or email us at Privacy@OnemedNet.com. Other than marketing opt-out and do-not-sell requests, you will be required to verify your identity before we fulfill your request. In certain jurisdictions, you may be able to designate an authorized agent to make a request on your behalf, subject to certain requirements of your applicable law. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as an address, phone number, or other data we have on file, in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf, and we may be required to take additional verification measures under applicable law.

B. Important Information for European Union and United Kingdom Users

If you are a user from the European Union or United Kingdom you should be aware that we are the controller of your Personal Data (Data Controller) under the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and such similar laws promulgated in the various EU countries. You may have certain additional rights regarding your Personal Data (as defined in the GDPR and UK GDPR, for instance), including the right to:

  • access your information;
  • rectify your information if it is incorrect or incomplete;
  • have your information erased (“right to be forgotten”) if certain grounds are met;
  • withdraw your consent to our processing of your information at any time, if our processing is based on consent;
  • object to our processing of your information, if our processing is based on legitimate interests;
  • object to our processing of your information for direct marketing purposes;
  • receive your information from us in a structured, commonly used, and machine-readable format; and,
  • transmit your information to another controller without hindrance from us (data portability).

There is no charge for any of these requests. To make a request, please contact us at Privacy-EU@onemednet.com. We try to respond to such requests in a timely manner, but in no event longer than one month. When we collect your Personal Data, we maintain and store it for as long as we determine reasonably necessary to provide our services to you, unless you exercise your right to erasure described above, or to comply with applicable legal requirements.

If you are a resident of the European Union or United Kingdom, when we process your Personal Data, we will only do so in the following situations:

  • Because we are registered under the EU-US Data Privacy Framework;
  • We have a contractual obligation;
  • You have provided your consent. However, you are able to remove your consent at any time, and you may do this by contacting us at Privacy-EU@onemednet.com;
  • We have a legal obligation; or
  • We have a legitimate interest in processing your Personal Data. For example, we may process your Personal Data to send you marketing communications, relevant content, products, or to communicate with you about changes to our services, and to provide, secure, and improve our services.      

You should be aware that Personal Data you provide to us may be transferred out of the country in which you reside to servers in a country that may not guarantee the same level of protection as the one where you reside. Nevertheless, we will take all steps reasonably necessary to ensure that your Personal Data is treated securely in accordance with this privacy policy, and no transfer of your Personal Data will take place to a third party unless there are adequate controls in place to protect your personal information and/or you have provided contractual consent by registering an account with us.

C. U.S. State-Specific Rights

Various U.S. states provide their residents with specific rights regarding Personal Data. These include allowing consumers in these states to opt out of certain sharing of their data or, in Colorado, requiring your consent before we process your sensitive Personal Data or any Personal Data of a minor.

Depending on where you reside, your state may have enacted privacy laws (e.g., as of the date of this policy California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia) that allow you to request that OneMedNet:

  • Disclose the sources, categories, and specific pieces of Personal Data we have collected about you, how that information is used, and with whom OneMedNet shares it;
  • Disclose the purpose for collecting Personal Data;
  • Disclose the categories of third parties with whom OneMedNet shares Personal Data;
  • Delete/rectify/restrict your Personal Data, subject to certain exceptions (right of rectification not applicable to Iowa and Utah residents);
  • Disclose, for any “sales” of Personal Data, the categories of Personal Data collected and sold and to what categories of third parties it was sold;
  • Opt out of sales of your Personal Data (if any) or subject certain Personal Data to automated decision-making algorithms (not applicable to Iowa or Utah residents);
  • Provide a copy of your Personal Data in a readily usable format that allows the information to be transmitted to others; and,
  • Not discriminate against you for exercising any of the rights described above.

Residents of these states may exercise these rights by emailing us at Privacy@OnemedNet.com.

In general, we, including our Service Partners, collect the following California regulated categories of Personal Data (PI) from you:

| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | YES |
| B. PI categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some PI included in this category may overlap with other categories. | NO |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with our Service or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information. | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other PI. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |

How We Have Shared Your Personal Data for a Business Purpose

In the preceding twelve (12) months, we have disclosed the following categories of Personal Data for a business purpose with our Service Partners:

  • Category A: Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address
  • Category F: Internet or other similar network activity

How You Can Exercise Your Privacy Rights

If you wish to exercise any of these rights, you may: (a) email our Data Protection Officer at Privacy@OnemedNet.com; (b) call us at +353 1 631 9460 in the EU or +1 800-918-7189 in the U.S.; or (c) send us a message on our website at www.OneMedNet/contact.

To change information that we collect through this Website, please email Privacy@OnemedNet.com. We allow you to opt out of future communications at any time by clicking the “unsubscribe” link at the bottom of all emails.

If you would like to make a complaint about how we have handled your Personal Data, or to make a complaint about a breach of data protection laws, please email us. We will investigate complaints and will communicate the outcome of the investigation to you after the complaint is made in accordance with applicable law. You may also have a right in some locations to file a complaint with your local data protection authority.

Security

We take appropriate and reasonable organizational, administrative, technical, and physical measures to safeguard your Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction, such as encrypting data at rest and in transit, security information training for all staff, as well as periodic security risk assessments, vulnerability testing, and penetration testing.


Changes to This Privacy Policy

We may at our own discretion update this privacy policy at any time. The most recent version of the privacy policy is reflected by the version date located at the top of this privacy policy. We encourage you to frequently check this page for any changes to stay informed about how we are helping to protect the Personal Data we collect.


How to Contact Us

For residents of the EU or UK that may have a concern about the way in which we have handled any privacy matter, please contact our EU Data Protection Representative by email: Privacy-EU@onemednet.com. Alternatively, they can be reached by post: The DPO Centre Europe, Alexandra House, 3 Ballsbridge Park, Dublin, D04C 7H2; by phone: +353 1 631 9460; by website: www.dpocentre.com. You also have the right to lodge a complaint with your local data protection supervisory authority (list here: https://edpb.europa.eu/about-edpb/board/members_en).

For residents of all other countries or the U.S., please contact OneMedNet directly by contacting us at Privacy@onemednet.com. You may also contact us by post or telephone at:

Attn: Privacy Officer/DPO
OneMedNet Corporation
6385 Old Shady Oak Rd Suite 250
Eden Prairie, MN 55344 USA

Tel +1 800-918-7189