• Automatic Collection

When you visit Mednet’s corporate website and Mednet’s service (iMednet) website we may automatically record information that your browser sends whenever you visit a website. This may include (but is not limited to) the following: the Internet Protocol (“IP”) address of the computer you are using, the name and location of your internet service provider, the type and version of your browser, the length of time that you stay on the site, your user session id, your user preferences, search queries, your click-stream data, the location that referred you to the site and the average number of pages viewed. If you visit another website prior to browsing Mednet’s site, that website might place information within a universal resource locator (URL), such as search queries, which may be logged by us.

Please note that recording and collecting the above information does not provide us with personally identifiable information, but rather non-identifiable information. We use this non-identifiable information to monitor the usage of our sites, personalize your experience with our sites, and create marketing insights that are used to help improve our site, online service, and related technologies. The above information will be retained for the least amount of time necessary to fulfill Mednet’s marketing and service analytic objectives.

The most common mechanisms for collecting this type of information include cookies, service analytics, and pixel tags or clear Graphics Interchange Format files (“GIFs”).

• Cookies: Cookies are small files, often including unique identifiers that web servers send to browsers. These cookies can be sent back to the server each time your browser requests a new page. It is a way for a website to remember your device, your preferences, and your online habits and behaviors. Browsers are typically set to create cookies automatically. You can choose to have your browser notify you when cookies are being written to your computer or accessed, or you can disable cookies entirely. If you disable cookies some features and services on the sites may not function properly.

• Service Analytics: We may utilize third-party service providers to help us better understand how you use our sites, to receive general website traffic statistics, and to use basic analytical tools for search engine optimization (SEO) and marketing purposes. The service provider may place cookies on your computer to collect information. The information that is collected will tell us things like which search engine referred you to the site, how you navigated around the site, and what content you viewed. The third-party service provider(s) will be restricted from using your information to perform services for us, securely and in confidence, except they may be permitted to use the information on an aggregate, non-personally identifiable basis.

• Pixel tags or clear GIFs: To help us understand the effectiveness of certain types of communication, we may use “message format” and “message open” sensing technologies that use pixel tags or clear GIFs (which are also called web beacons). These technologies allow us to identify the type of format communication your email program accepts and to determine if communication from Mednet has been received or opened.

When you access Mednet’s corporate site for the first time, we provide a banner alerting you of the automatic data collection and the use of cookies and offer you an option to either accept, decline, or manage your preferences. Mednet requires consent renewal by redisplaying the consent banner as cookies expire. You may otherwise update your preferences at any time by visiting the ‘Cookie preferences’ link in the footer on our corporate website or by managing your browser settings. For information on cookies and how to remove these technologies by using browser settings, see https://www.allaboutcookies.org/.

• Interested Client(s)

When expressing interest in procuring additional information about Mednet and Mednet’s services by contacting or interacting directly with Mednet (typically with our sales and marketing teams) or when accessing secure areas of the site, Mednet may collect and request you to provide personal data. These requests may include (but are not limited to) the following: interested contact first name, interested contact last name, interested contact email, business affiliate, geographical location, product or service specific interest and timeline, how the interested contact learned about Mednet, and a description of the business question or need. By providing this information directly to Mednet or by voluntarily completing the contact us form, request a demo form, request additional information form, by downloading a whitepaper, or by selecting the ‘opt-in’ option from the site, you agree to let Mednet use the information you submit for the purposes described in this privacy policy or otherwise agreed to by you. We may use this information when providing and customizing services, conducting our business (including for internal business operations, analytics, and to provide, develop, change, market or optimize our services and products), and to communicate and market to you directly or via third parties (refer to the ‘Sharing of Information’ section for additional information). At any time, you can ‘opt-out’ of distinct types of communications by selecting the ‘unsubscribe’ link or ‘manage preferences’ link provided in the footer of the emails. You may also unsubscribe from all communication or exercise your rights to your personal data by contacting Mednet at contact@mednetsolutions.com. We retain interested client information for the least amount of time necessary to successfully respond to your business inquiries or if applicable to transfer your interested client information to business operational information as defined below.

• Business Operations

A contractual relationship is initiated when you use the service. The information collected in a contractual relationship may include (but is not limited to) the following: business name, address, geographical location, website, phone number, billing information, primary contact first name, primary contact last name, primary contact email address, primary contact phone number, etc. We will collect information that is reasonably and minimally necessary to prepare for, enter, and fulfill, the contractual agreement. This information is typically used for contractual management and compliance, identification of the service provisions, payment fulfillment for the service, to grant initial access to the service, to provide support for the service, for the improvement or development of the service, to contact you for customer satisfaction surveys, to provide organizational and service updates, and to generate technical and market insights. We retain business operations information for as long as reasonably necessary for administrative purposes, legal and regulatory retention requirements, defending Mednet’s rights, and/or to manage Mednet’s relationship with you.

• Processing Client Information (“client data”)

Mednet provides an online SaaS platform for clients to operate aspects of their business including the collection, processing, and storage of clinical and operational data for the planning, conduct, and optimization of clinical studies. Please note that while we provide the SaaS, Mednet’s clients or affiliates are responsible for the collection and use of personal data while using our product. Mednet’s clients or their affiliates are responsible for providing appropriate notice to individuals and, when applicable, obtaining any required consents. Mednet’s clients or their affiliates using iMednet are considered data controllers and decide what data to collect, submit, and process within the service. Mednet is considered a data processor. Mednet has no direct relationship with the individuals whose personal data is being processed by our clients or their affiliates. Mednet processes this data as instructed by our clients and does not disclose, control, or own client data. We may access client data only to provide the service, prevent or address service or technical problems, at a client’s request in connection with a client service support request, or as may be required by law. It is the policy of Mednet to host client data indefinitely until written notice is received from the client. Mednet may retain data longer if necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.

• Service Support Requests

When you contact us directly or via support@imednet.com to request service support, we collect your contact information which may include (but is not limited to) the following: contact first name, contact last name, contact email address, contact phone number, business affiliate, business affiliate address, business affiliate phone number, problem description, and possible resolution details. We record the information provided to manage the support request, for administrative purposes, to foster our relationship with you, for staff training, and for quality assurance purposes. The information we collect may include information exchanged during our phone conversation or provided during our client relations management support sessions. We may use this information to inform you of product and service changes and identify training materials specific to your support request. During the management of support cases, we may have incidental access to information that you have provided when opening, managing, and closing the support case. This information may contain information about you, clients, client’s authorized users (including client’s employees) or other relevant parties. The conditions regarding the handling and processing of this information are covered by agreements between Mednet’s client(s) and Mednet. We retain service support requests the least amount of time necessary for administrative purposes, legal and regulatory retention requirements, defend Mednet’s rights, and/or to manage Mednet’s relationship with you.

• Supplier(s) or Provider(s) of Mednet

If you are a supplier or provider to Mednet, we may collect, process, and store information which may include (but is not limited to) the following: supplier or provider name, supplier or provider website, supplier or provider phone number, supplier or provider mailing address, account payable information, primary contact first name, primary contact last name, primary contact email, primary contact phone number, individual or organizational qualifications, description and nature of the work performed by an individual or the employer, and information related to the product(s) or service(s) you provide to Mednet. We may receive this information directly from the individual or from the employer. This information is used for the general planning, fulfilment, and the management of the business relationship, contractual management, processing of payments, supplier or provider classification and rating, auditing and re-qualification, general communication such as inquiry response, product and service updates, and any other general business communication. This information will be retained for the least amount of time necessary to fulfill the business relationship.

• Interested or Hired Employee of Mednet

If you are an interested or hired employee of Mednet, we may collect, process, and store information which may include (but is not limited to) the following: your first name, your last name, your date of birth, your personal identification number(s), your mailing address, your phone number, and your email address. In addition to the above information, we may collect, process, and store data you disclose during the application process, on your curriculum vitae, as well as responses and information shared during the recruitment and interview process. This information may include details specific to your educational history, work history, your appointed reference contact names and phone numbers, competencies, performance, and publicly available information about you.

Your personal data will be processed to determine your qualifications for employment, conduct background and reference checks, and communicate with you about the recruitment process. If hired, this data would be used for general business operations, to calculate and administer payroll, to administer benefits, and provide other services that employees are entitled to under the employment contract. additional relevant personal data obtained during the recruitment and hiring process will be stored in your employee file. When an employee leaves Mednet, we retain basic information from the former employee about their employment at Mednet. We may continue to process necessary information for any remaining business, contractual, employment, legal, and fiscal purposes to the extent managed by Mednet. If you are not offered a position with Mednet, we will store your job application and any additional personal data obtained during the recruitment process for a period following your rejection as required under local applicable law. Mednet does not currently employ individuals from the European Union, United Kingdom, or Switzerland therefore there is no collection, storage, or processing of personal data for employment purposes within these jurisdictions.

• Information Technology (“IT”)

We may collect and use information to protect you and Mednet from IT security threats and to secure the information that we hold from unauthorized access, disclosure, alteration, or destruction. This includes information from our IT access authorization systems, such as log-in information. The security solutions we use to protect your information, our infrastructure, and our networks may collect information such as IP addresses and log files. This collection is necessary for the functionality and utility of security programs to enable the investigation of any potential security incidents and generate insights on security threats. We may use specialized tooling and other technical means to collect information at access points to, and in, IT systems and networks to detect unauthorized access, viruses, and indications of malicious activities. The information we collect may be used to conduct investigations when unauthorized access, malware or malicious activities are suspected, and to remove or isolate malicious code or content. This information will be retained for the least amount of time necessary to investigate, identify, resolve, and/or dismiss potential security threats.

To achieve the above data collection and processing purposes, Mednet may use third-party suppliers or providers to assist in developing the service and/or to provide technical or operational support. Such third parties may include (but is not limited to) provider software tools and services (such as analytics platforms, software development ticket tracking systems, customer resource management tools, quality management systems, human resource management systems, etc.) and information technology services such as data hosting, data transmission, and data storage. Mednet enters into supplier or provider agreements that restrict access, use, and disclosure of personal data or Mednet purchases the software licensing and is responsible for the maintenance, management, and storage of the tool ensuring no supplier or provider access. Mednet may be liable if third-party suppliers or providers handle personal data in a manner inconsistent with this privacy policy or inconsistent with the supplier or provider agreements that are in place with Mednet, unless Mednet can prove that it is not responsible for the event(s) giving rise to the damage(s). Client owned and defined personal data from the iMednet service that may be transferred to these suppliers or providers would be identified and covered by agreements between Mednet’s client(s) and Mednet.

Personal data is not disclosed to a third party without your consent however, Mednet is subject to the investigatory and enforcement powers of the United States (“U.S.”) Federal Trade Commission (FTC) and other authorized U.S. statutory bodies. Mednet may be required to disclose personal information in response to lawful respects by public authorities, including to meet national security or law enforcement requirements. In certain circumstances it may be necessary to disclose your personal data when required in response to subpoenas, warrants, or court orders, in connection with any legal or regulatory process, or to comply with relevant laws. If the compelled disclosure request is related to the service data (client data), Mednet will notify our applicable client of any such requests unless prohibited by law. We may share your personal data as necessary to establish or exercise our rights to defend against a legal claim; to investigate, prevent, or act regarding possible illegal activities; to protect your safety or the safety of others; or to respond to a government request. Lastly, if we engage in a merger, acquisition, or sale of all or a portion of our assets, you will be notified of any change in ownership or use of your personal data, as well as any choices you may have regarding your personal data.

We do not sell or otherwise disclose your personal data except as described in this privacy policy, in a notice provided to individuals at the time of collection, or as individuals explicitly consent.

To protect your information from unauthorized access, use, disclosure, and to ensure the confidentiality, integrity, and availability of information, Mednet implements various supplementary measures and additional safeguards. These safeguards include (but are not limited to) the following: physical and logical access controls, data design and input controls, data storage and transfer controls, data availability and recovery controls, data monitoring and detection controls, and supplier qualification controls.

• Access Controls

Physical access controls to buildings, office suites, and third-party data centers are in place. These physical controls include (but are not limited to) the following: electronic key card access for appropriate and applicable personnel, the presence of security guards, automatic and manual arming of security systems, and audit trail reports logging personnel access and traffic. Logical access controls to the service and other organizational systems are enforced through various tools and applications such as site-user management and role-based security management tools which ensure that only the appropriate personnel with valid authentication credentials can access the suitable layer or level of data with the concept of least privilege applied. Mednet also ensures authentication credential logic such as username and password complexity, forced password changes, failed attempt lockouts, and inactivity lockouts. Lastly, the service and other organizational systems have audit trails that monitor system access traffic.

• Design and Input Controls

Design controls guarantee that changes to the service or other organizational systems are made in a controlled manner following a change control lifecycle process. Mednet has policies and procedures in place that require the service and other organizational system changes to be documented, tracked, assessed, developed, tested, reviewed, and approved prior to implementation. In addition, the service provides tools and applications for clients to configure their own study. Clients configuring their own studies are responsible for documenting, tracking, assessing, testing, and implementing their study specific design and configuration changes following their organizational policies and procedures. Input controls ensure that data access, input, modification, and deletion requests are only allowed based on the permission setting of the application. Mednet also confirms that data interactions are tracked and recorded by various audit trail reports capturing the activity of users.

• Storage and Transfer Controls

We store and process data with a third-party data center (cloud-based services). Our data center resources are spread over geographically isolated areas called regions. Each region is composed of multiple isolated availability zones. Each availability zone is a fully isolated partition of the regional infrastructure eliminating the availability zone as a single point of failure. Data is stored within storage volumes that are fully encrypted using AES-256 algorithm at rest and Secure Socker Layer (“SSL”) 2048-bit encryption when in transit. Mednet utilizes transport layer security (“TLS”) encryption on all data transmissions. Mednet enforces end-to-end encryption transmittal using public/private key, SSL, SFTP, HTTPS for websites and all external data transfers. In addition to the above, Mednet’s internal network is only accessible through a virtual private network (VPN). Mednet also ensures TLS 1.2 encryption of all communications. Mednet’s clients who export or download their permissible data from the iMednet service are responsible for the storage and transfer of data following their organizational security guidances, policies, and procedures.

• Availability and Recovery Controls

Mednet’s clients depend on reliable access to the service. Mednet has specific quality objectives in place that identify uptime service level objectives. These objectives are routinely measured and documented. Mednet ensures availability by having multiple storage redundancies in place. Mednet preserves system availability by continuously monitoring system uptime and downtime detection reports and notifications, conducting routine backups, performing system recovery practices, and managing and maintaining business continuity guidances.

• Monitoring, Detection, and Prevention Controls

Mednet uses monitoring tools to examine the health, performance, vulnerability, exposure, and system uptime of the service and other organizational systems and the supporting infrastructure. Mednet’s monitoring and detection activities may include (but is not limited to) the following: intrusion detection systems that monitor networks and systems for any malicious activity with alerts and notifications, system uptime monitoring reports with alerts and notifications, hardware firewalls, web-application firewalls, software firewalls, virus and malware scanning, routine code scanning on Mednet developed service code, and we utilize a third-party specialist to perform yearly vulnerability and penetration testing on the iMednet service as well as on Mednet’s internal network.

• Supplier Qualification Controls

We have procedures in place to evaluate, classify, qualify, and re-qualify suppliers. We use third-party cloud-based services and other suppliers to assist with our business operations or provide additional services to our clients. We require that these suppliers enter into agreements as appropriate based on the type of service they provide and the type of information they have access to.

Although Mednet strives to protect your information by having the above controls in place, there are always risks involved with electronically collecting, storing, and transferring information. Because of this, Mednet cannot guarantee that a third-party will not gain access to information provided to or collected and processed though the corporate site, the iMednet service, and other organizational systems. Mednet has supplementary measures and additional safeguards in place to help mitigate such risks, but it is also important for you to exercise caution and help prevent unauthorized use and access to your information by following your organizational guidances, policies, and procedures and ensuring confidentiality of your authentication credentials used to access the service provided by Mednet.

Mednet is based in the U.S. and we process and store information via a third-party data center (cloud-based services) also in the U.S. Therefore, if you are outside the U.S. and are interacting with or providing us with information (such as the information identified in the ‘Collection of Information’ section above) from our corporate website, directly with Mednet personnel, or from the iMednet service, please note that your information will be transferred, collected, stored, and processed within the U.S. The data protection laws in the U.S. may not be as comprehensive as those in your country. Because of this Mednet ensures supplementary measures and additional safeguards (as defined above) are applied to the collection, storage, transfer, and processing of your information. By interacting with the corporate website, directly with Mednet personnel, or with the iMednet service you are consenting to the transfer of your information to facilities located in the U.S.

To further develop transatlantic commerce, the U.S. Department of Commerce and the European Commission, the United Kingdom Government, and the Swiss Federal Administration respectively developed the Data Privacy Framework program to provide U.S. organizations with a reliable and adequate mechanism for personal data transfers to the U.S. from the European Union (“EU”), United Kingdom (“UK”), and Switzerland (“Swiss”).

Mednet complies with the EU-U.S. Data Privacy Framework program (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Mednet has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles regarding the processing of personal data received from the EU in reliance on the EU-U.S. DPF and from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Mednet has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles regarding the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF Principles, and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

If your authority does not recognize the U.S. as having adequate data protection laws with no public adequacy decision or transfer mechanism, Mednet as a data processor will enter into data processing agreements with applicable clauses to enable Mednet’s clients to comply with the General Data Protection Regulation (GDPR) or other applicable jurisdictional data protection laws.

If you reside in the European Union, United Kingdom, and/or Switzerland and you are interacting with or providing us with information (such as the information identified in the ‘Collection of Information’ section above) from our corporate website, directly with Mednet personnel, or from the iMednet service, you have certain rights with respect to your personal data. With Mednet’s Data Privacy Framework certification, we have committed to respect those rights. Your rights are identified (but may not be limited to) the below:

• Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation whether we are processing your personal data. If your personal data is being processed, you have the right to obtain a copy of or access your personal data as well as supplementary information relating to the processing. 

• Right to Rectification (Art. 16 GDPR)

If your personal data is inaccurate, you have the right to have that data corrected without undue delay. If your personal data is incomplete, you have the right to complete data.

• Right to Erasure (Art. 17 GDPR)

You have the right to have your personal data erased. Your personal data will be erased without undue delay when one of the following applies: your personal data are no longer necessary in relation to the purposes of processing, you withdraw your consent to the processing of your personal data, you object to the processing of your personal data and there are no overriding legitimate reasons for the processing, if your personal data has been unlawfully processed, your personal data must be erased for compliance with a legal obligation, or if your personal data was processed in relation to the offer of information society services referred to in Art. 8 GDPR.

• Right to Restrict Processing (Art. 18 GDPR)

You have the right to restrict the processing of your personal data when one of the following applies: when the accuracy of your personal data is being contested, when the processing is unlawful, when the processing of your personal data is no longer needed but the retention of your personal data is needed for the establishment, exercise, or defense of legal claims, or if you have objected to the processing of your personal data.

• Right to Data Portability (Art. 20 GDPR)

You have the right to request and obtain your personal data in a structured, commonly readable, or machine-readable format so your personal data can be repurposed by you or transmitted to another affiliate of your choosing without hinderance. 

• Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data. Your right to object depends on the purposes of processing and the lawfulness of processing. You have the absolute right to object to the processing of your personal data if it is being processed for direct marketing purposes. Other objections will be reviewed, and your personal data will no longer be processed unless there are compelling legitimate reasons for the processing of your personal data that would override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

If the laws of your authority are not mentioned above, you may have additional rights to your personal data under your jurisdictional laws. If you wish to exercise your rights, please direct your requests to contact@mednetsolutions.com. For the iMednet service, Mednet is considered a data processor under the direction of our clients and their affiliates who are data controllers. In this situation, Mednet has no direct relationship with the individuals whose personal data may be processed by our clients. If you are a customer of one of our clients and would like to exercise your personal data rights, please contact our client that you interact with directly. In some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law. In these circumstances, we will still respond to you with such a decision.

• General Inquiries or Complaints

If you have any inquiries or complaints regarding this privacy policy or if you would like to exercise your personal data rights, please contact us at: contact@mednetsolutions.com or by postal mail addressed to:

Mednet’s Corporate Headquarters  

MedNet Solutions
601 Carlson Parkway, Suite 250
Minnetonka, MN 55305 USA

Mednet will respond to your inquiry or complaint without undue delay or no later than 45 days from your request. If necessary, we may need to request additional information and personal data to verify your identity and the nature of your request. If your request is related to data processed within the iMednet service, Mednet as a data processor will need to direct you to Mednet’s applicable client or affiliate acting as the data controller of your personal data.

• Data Privacy Framework Inquiries or Complaints

In compliance with the EU-U.S. DPF Principles, Mednet commits to resolve complaints about your privacy and our collection or use of your personal data transferred to the U.S. pursuant to the DPF Principles. Individuals from the European Union, United Kingdom, and Switzerland with DPF inquiries or complaints should first contact us at: contact@mednetsolutions.com.

If you are unsatisfied with our response or if your inquiry or complaint is unresolved, please contact us by one of the below secondary methods:

Mednet’s Corporate Headquarters

MedNet Solutions
601 Carlson Parkway, Suite 250
Minnetonka, MN 55305 USA

Mednet’s Legal Representative

Gunderson Dettmer Stough Villeneuve Franklin & Hachigian LLP
550 Allerton Street
Redwood City, CA 94063
Phone: +1 650 321 2400
Fax: +1 650 321 2800
www.gunder.com

Mednet’s EU and UK Representative

RIVACY (EU): info@rivacy.eu

RIVACY (UK): info@rivacy.co.uk

RIVACY (Swiss): info@rivacy.ch

Mednet has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by Better Business Bureau (“BBB”) National Programs. If you do not receive timely acknowledgment of your inquiry or complaint, or if your complaint is not satisfactorily addressed, please visit: https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.