PRIVACY POLICY

Cookies. Casect collects anonymous data from every visitor of the Website. In order to enable login-based features, Casect uses cookies to store session information for the convenience of Subscriber. Subscribers can block or delete cookies and still be able to use the Website and Platform, although Subscribers will then be asked for their username and password every time they log in to the Website. In order to take advantage of certain features of the Website, a Subscriber may also choose to provide Casect with other information, but Subscriber retains discretion to decide whether or not to utilize these features and provide such data.

Account Information. Subscribers are required to create an account and log in to provide certain personal information (such as name, email address, phone number, billing address, and professional information) in order to be able to create Case Records and media, documents, records, and comments associated with it (all of which shall be referred to herein as “Subscriber Information”).

Changes. Subscribes are able to view, change and remove the data associated with their account. If Subscriber chooses to delete its account, Subscriber may do so using the Website or Platform.

No Minors. Minors and children should not use the Website or Platform. By using the Website and Platform, users represent that they have the legal capacity to enter into a binding agreement.

HIPAA Compliance. Certain information held on the Website may be considered “Protected Health Information” as defined in the Health Insurance Portability and Accountability Act of 1996, (Pub. L. 104-191, August 21, 1996, 110 Stat. 1936), 42 U.S.C. § 1320d - 1320d-8, as amended (“HIPAA”). That information is retained, processed and communicated in accordance with the End User License Agreement and HIPAA Business Associate Agreement that have been entered into between Casect and each Subscriber, which provides that Protected Health Information is transmitted and used in full compliance with HIPAA.

No Sharing of PHI. Certain information held on the Website may be considered “Protected Health Information” as defined in the Health Insurance Portability and Accountability Act of 1996, (Pub. L. 104-191, August 21, 1996, 110 Stat. 1936), 42 U.S.C. § 1320d - 1320d-8, as amended (“HIPAA”). That information is retained, processed and communicated in accordance with the End User License Agreement and HIPAA Business Associate Agreement that have been entered into between Casect and each Subscriber, which provides that Protected Health Information is transmitted and used in full compliance with HIPAA.

Deidentified Data. Casect may share information provided by Subscriber which is not Protected Health Information or which has been de-identified in accordance with HIPAA with other third-party organizations.

Limited Use. Casect only uses Subscriber information to provide the Platform services or to communicate with Subscribers about services or the Website. Casect does not share information Subscriber provides unless: (a) doing so is appropriate to carry out a Subscriber's request; (b) it is needed to enforce the Casect Terms of Use; (c) Casect is legally required to share the information; (d) the information is needed to detect, prevent or address fraud, security or technical issues; or (e) otherwise to protect Casect's property, legal rights, or that of third parties.

No Unauthorized Access. With respect to any documents, photos, videos, content or information that a Subscriber may choose to upload to the Platform, Casect takes the privacy and confidentiality of such documents seriously. Casect employs industry-standard techniques to protect against unauthorized access of data of Subscribers that are stored, including personal health information of third parties.

Contact with Subscriber. Casect may contact a Subscriber or user, by email or other means. For example, Casect may send promotional emails relating to Casect or other third-parties, or communicate with Subscriber or users about use of the Website.

Optimization Use. Except as otherwise set forth herein or in the End User License Agreement or Terms of Use, Casect does not share Subscriber information with third parties. Only aggregated, anonymized data is periodically transmitted to external services to help to improve the Website and Platform.

Agents. Casect may contract with people and other entities that perform certain tasks on its behalf (“Agents”). Casect may need to share Subscriber information with its Agents in order to provide products or services to Subscriber. Agents do not have any right to use Subscriber information or other information Casect shares with them beyond what is necessary to assist us. By using the Website and Platform, Subscribers consent to Casect's sharing of Subscriber information with the Agents.

Assignee. Casect may also transfer the Subscriber Information to an assignee in the event of the sale of the assets of Casect or a bankruptcy. Subscriber acknowledges that such transfers may occur, and that any acquirer of Casect or its assets may continue to use the Subscriber Information as set forth in this policy.

Applicability. If Subscriber is located in the European Union (“EU”), United Kingdom, Lichtenstein, Norway, or Iceland, a Subscriber may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to Personal Data, as outlined below.

Personal Data. For this GDPR Privacy Notice, the terms “Personal Data” and “processing” are as defined in the GDPR, but “Personal Data” generally means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data, such as collection, use, storage and disclosure. Casect will be the controller of Personal Data processed in connection with the Platform, except that Casect may also process Personal Data of Subscriber's patients or employees in connection with Casect's provision of services to Subscriber, in which case Casect is the processor of Personal Data and Subscriber is the controller. For more information about data rights and processing activities, please contact Casect at the Notice Address.

Supplement. Where applicable, this GDPR Privacy Notice is intended to supplement, and not replace, Casect's existing privacy policy. If there are any conflicts between this GDPR Privacy Notice and the balance of this Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict.

Processing Personal Data. Casect will only process Personal Data if it has a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and the “legitimate interests” of Casect or others, as further described below. When Casect processes Personal Data based on Subscriber consent, it will be expressly indicated to Subscriber at the point and time of collection. From time to time, Casect may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of Subscriber, or if it is necessary for a task carried out in the public interest.

Collection and Use of Personal Data

• Casect collects Personal Data about Subscriber when Subscriber provides such Personal Data directly to Casect, when third parties such as Casect's business partners or service providers provide Casect with Personal Data about Subscriber, or when Personal Data about Subscriber is automatically collected in connection with Subscriber's use of the Platform.
• Casect receives certain Personal Data directly from Subscriber when Subscriber provides Casect with such Personal Data, including without limitation the following: first and last name; email address; mailing address; telephone number; medical credentials and job title.
• Casect collects and processes these categories of Personal Data as a matter of contractual necessity so that Casect can provide the Services to Subscriber in accordance with Casect's Terms of Use. When Casect processes Personal Data due to contractual necessity, failure to provide such Personal Data will result in Subscriber's inability to use some or all portions of the Services that require such Personal Data.
• Casect may also collect Case Record information from Subscriber when Subscriber provides it to Casect. By sharing this user content in a public forum, Subscriber is choosing to disclose any Personal Data included in such content, and Casect does not have control over the decision of Subscriber. Casect processes user content, including any Personal Data included in any such user content, on the basis of Casect's legitimate business interest in providing Subscriber with the Platform services.
• Casect also uses the Personal Data it collects directly from Subscriber to operate, improve, understand and personalize the Platform based on Casect's legitimate business interest in operating the Platform in a way that benefits Casect and its Subscribers.

Information from third party sources: Some third parties provide Casect with Personal Data about Subscriber, such as the following:

• Account information for third party services. If Subscriber interacts with a third-party service when using the Casect services, such as if Subscriber uses a third party service to log-in to the Casect Platform, or if Subscriber shares content from the Platform through such third party service, the applicable third party service will send Casect certain Personal Data if the third party service and Subscriber's account settings allow such sharing. The Personal Data Casect receives will depend on the policies and account settings with the applicable third-party service.
• Information from advertising partners. Casect receives information about Subscribers from some of its service providers that provide marketing or promotional services to Casect related to how Subscriber interacts with the Website, applications, products, services, advertisements or communications.
• Information automatically collected. Some Personal Data is automatically collected when Subscriber uses the Website or Platform, such as the following: IP address; device identifiers; web browser information; page view statistics; browsing history; usage information; cookies and other tracking technologies; location information; and log data.

Cookies. In collecting the Personal Data, Casect sometimes use “cookies” and other tracking technologies. Cookies allow Casect to recognize a browser or device and “remember” a browser during subsequent visits for purposes of functionality, preferences, and website performance. Most browsers automatically accept cookies but have an option for blocking or deleting cookies, which will prevent a browser from accepting new cookies, as well as allow a user to decide on acceptance of each new cookie in a variety of ways. A user can usually access these options through the “Settings” or similar menu in a browser. Please note that if a Subscriber blocks or deletes cookies, some portions of the Platform may not work properly.

Other uses of Personal Data. Casect may also process the Personal Data collected on the basis of the following legitimate business interests.

• Operation and improvement of Casect's business, products and services
• Marketing of products and services
• Provision of customer support
• Protection from fraud or security threats
• Compliance with legal obligations
• Completion of corporate transactions

Sharing of Data

• Third-Party Vendors. Casect shares Personal Data with vendors, third party service providers and agents who provide Casect with services related to the purposes described in this Privacy Policy or Casect's Terms of Use. Casect also shares Personal Data when necessary to complete a transaction initiated or authorized by Subscriber or to provide Subscriber with a product or service requested.
• Compliance. Casect also shares Personal Data when it is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; protect Casect, its business or its users, for example to enforce the Terms of Use, End User License Agreement, prevent spam or other unwanted communications and investigate or protect against fraud; and to maintain the security of the Casect products and services. Casect also shares Personal Data with third parties when Subscriber gives Casect consent to do so.
• Business Transfer. If Casect chooses to buy or sell assets, user information is typically one of the transferred business assets. Moreover, if Casect, or substantially all of its assets, were acquired, or if Casect goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party, and Casect would share Personal Data with the party that is acquiring the assets. Any acquirer of Casect or its assets may continue to use the Personal Information as set forth in this policy

Retention. Casect retains Personal Data for as long as Subscriber has an open account with Casect or as otherwise necessary to provide the Platform and improve it for all users. In some cases, Casect may retain Personal Data for longer, if doing so is necessary to comply with its legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Afterwards, Casect may retain some information in an aggregated form.

Security. Casect seeks to protect Personal Data by using appropriate technical and organizational measures based on the type of Personal Data and applicable processing activity.

Personal Data of Children. Casect does not knowingly collect or solicit Personal Data from anyone in the EU, United Kingdom, Lichtenstein, Norway, or Iceland under the age of 16. If Casect learns that it has collected Personal Data from a child under age 16, Casect will delete that information as quickly as possible. If a user believes that a child under 16 may have provided Casect with Personal Data, please contact Casect at the Notice Address.

Personal Data Rights. Subscriber may have certain rights with respect to Personal Data, including those set forth below. For more information about these rights, or to submit a request, Subscriber may email Casect at the Notice Address. Please note that in some circumstances, Casect may not be able to fully comply with a Subscriber's request.

• Access
• Rectification
• Erasure
• Withdrawal of Consent
• Portability
• Objection
• Restriction of Processing
• Right to File Complaint