Privacy Policy
Effective: January 1, 2019
Last Updated: April 11, 2022
Lumistry and its affiliates (collectively referred to herein as “Lumistry”, “we”, “our”, or “us”) recognize the importance of protecting your personal information. This Privacy Policy explains the information we collect through www.lumistry.com and its subdomains or pages where this privacy policy is posted or linked (collectively, the “Sites” or “Websites”). This Policy also describes the information collected from or on behalf of end users of our software-as-a-service products (the “Services”) accessible on or by any top-level Lumistry domain owned by us (each, a “Site” and collectively the “Sites”). This Policy includes (1) what information we collect; (2) why we collect it; (3) how we use that information; (4) how we may share it; (5) the choices we offer, including how to access and delete information; and (6) the measures we take to keep your information safe. In addition to the United States, Lumistry does conduct business in Canada and this Privacy Policy is intended to comply with Canadian privacy law including the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
This Policy does not apply to the information Lumistry receives from the third-party websites, mobile apps and other digital products that use the Lumistry Services. When our customers use the Services in conjunction with their own websites and products, they remain responsible for their own privacy and security practices, which may differ from ours. You should consult the relevant privacy policies on our customers’ websites and products to find out more about their privacy practices and your related choices.
Additional Terms
General Privacy Policy
Information We Collect
Cookies and Similar Technologies
How We Use Information We Collect
Our Legal Basis for Collecting Personal Information
Your Failure to Provide Personal Information
Our Retention of Your Personal Information
Sharing Personal Information
Sale of Personal Information
How We Protect Personal Information
Our Opt-in/Opt-out Policy
Children
Your Rights and Choices
Direct Marketing and “Do Not Track” Signals
International Transfers
Visitors to Lumistry Websites
When this Section Does Not Apply: Third-Party Websites
Information That Visitors Provide To Us
Additional Information We Collect From Visitors to Our Sites
Subscribers of Lumistry Services
When this Section Does Not Apply: Service Data
Information That You Provide To Us
Subscribers’ Responsibilities
Data Collected from End-Users on the Subscriber’s Behalf
Retention of Data Collected on the Subscriber’s Behalf
How End-Users Exercise Their Data Protection Rights
Accessing, Correcting, Amending and Removing End-User Personal Information
Deactivating an End-User Profile
Request That End-User Information Stop Being Used
Opt-out of Communications
Other Data Protection Rights
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Exercising Your Rights
Visitors and Subscribers Who Are California Residents Can:
Fulfillment of Data Protection Requests
Californians’ Rights With Respect to Personal Information
Information We May Collect On Behalf of our Subscribers per CCPA
HIPAA
Changes to this Privacy Policy
How to Contact Us
Additional Terms
The following additional terms are used throughout this policy.
- Subscriber: Anyone who has purchased Lumistry Services, and their agents
- End-User: Anyone who uses the Services provided to Subscribers
- Visitor: Any other individual or entity who visits the Sites
- User: Any individual or entity (“User”, “you”, or “your”) who interacts with any of the Lumistry Sites or Services including Subscribers, Visitors and End-Users
- As a Service Provider: Lumistry providing services to End-Users on behalf of the Subscriber
- As a Business: Lumistry providing services to Subscribers and Visitors
General Privacy Policy
Information We Collect
We collect information, including Personal Information, to provide better services to all our Users. We use the term “Personal Information” to refer to any information that identifies or can be used to identify you. Common examples of Personal Information include: full name, email address, digital identity, such as a login name or handle, information about your device, and certain metadata.
The Personal Information which we collect includes, but is not limited to, the following data elements under the associated circumstances:
- If you express an interest in obtaining additional information about our Services, request customer support, use our “Contact Us” or similar features, register to use our Sites or Services, or download certain content, we may require that you provide to us your contact information, such as your name, organization, phone number, or email address, and in some instances, you may elect to provide us with location and address information;
- If you report a problem or have a question about our Services, you may provide us with contact information, such as a phone number or email address;
- If you desire to pay for bills via our Sites or Services, we may require that you provide to us your financial and billing information, such as billing name and address, credit card number or bank account information;
- If you use and interact with our Sites or emails, we automatically collect information about your device and your usage of our Sites or emails through cookies, web beacons or similar technologies, such as Internet Protocol (IP) addresses or other identifiers, which may qualify as Personal Information;
- If you voluntarily submit certain information to our services, such as filling out a survey about your user experience, we collect the information you have provided as part of that request; and
We collect analytics information when you use the Sites to help us improve them, including through the use of cookies. We may also share aggregated and/or anonymized data about your actions on our Sites with third-party service providers of analytics services. We also use mobile analytics software to allow us to better understand the functionality of our mobile versions of our Services on your mobile device. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.
If you provide us or our service providers with any Personal Information relating to other individuals, you represent that you have the authority to do so and acknowledge that it will be used in accordance with this Privacy Policy. If you believe that your Personal Information has been provided to us improperly, or if you are a Subscriber or Visitor who wishes to otherwise exercise your rights relating to your Personal Information, please contact us by using the information set out in the “How to Contact Us” section below.
Cookies and Similar Technologies
We and our partners use various technologies to collect and store information when you visit one of our services, and this may include using cookies or similar technologies to identify your browser or device. We also use these technologies to collect and store information when you interact with services from our partners, such as advertising services. Our third-party advertising and analytics partners include Google, Facebook, Instagram, Birdeye and similar companies.
The technologies we use for this automatic data collection may include:
- Cookies. A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our services. For more information about our use of cookies, including details on how to opt-out of certain cookies, please see the “Direct Marketing and ‘Do Not Track’ Signals” section below.
- Web Beacons. Pages of our Services or our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count Users who have visited those pages or opened an e-mail and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
- Clickstream Data. Clickstream data is information collected by our computers when you request Web pages from the Sites. Clickstream data may include information such as the page served, the time spent viewing the page, source of the request, type of browser making the request, the preceding page viewed and similar information. Clickstream data permits us to analyze how Visitors arrive at the Sites, what type of content is popular, and what type of Visitors in the aggregate are interested in particular kinds of content on the Sites.
- Mobile Device Identifiers and SDK. A mobile SDK is the mobile application version of a web beacon (see “Web Beacons” above). The SDK is a bit of computer code that application developers can include in their applications to enable advertisements to be shown, data to be collected and related services or analytics to be performed.
How We Use Information We Collect
We use your Personal Information in ways that are aligned with the purposes for which it was collected or authorized by you, including the following purposes:
- To present, operate or improve the Site and Services, including analysis of Site activity;
- To inform you about Services and products available from Lumistry;
- To authorize access to our Sites and Services;
- To offer and administer programs;
- To customize or tailor your experience of the Services;
- To administer content, promotion, surveys, or other Site features;
- To communicate about, and administer your participation in, special programs, surveys, contests, online campaigns, online programs, and other offers or promotions, and to deliver pertinent emails;
- To improve our customer service.
- To respond to and support users regarding their use of the Sites and Services.
- To comply with all applicable legal requirements.
- To investigate possible fraud or other violations of our Terms of Use or this Privacy Policy and/or attempts to harm our Users.
- For any other purpose that is disclosed to you at the point of collection of the Personal Information, for any purpose for which you provide your prior consent, or for any other lawful purpose.
We use the information we collect from our Sites to provide, maintain, and improve them, to develop new services, and to protect our company and our Users.
We use information collected from cookies and other technologies to improve your user experience and the overall quality of our Services. We may use your Personal Information to see which pages you visit at our Site, which website you visited before coming to our Site, and where you go after you leave our Site. We can then develop statistics that help us understand how our visitors use our Site and how to improve it. We may also use the information we obtain about you in other ways for which we provide specific notice at the time of collection.
We may use your Personal Information in furtherance of our legitimate interest to provide you with the Services offered by Lumistry. We may also use your information to manage our contractual relationship with you or to comply with our legal obligations. We will treat any information that we combine with your Personal Information as Personal Information pursuant to this Privacy Policy.
We will ask for your consent before using information for a purpose other than those set out in this Privacy Policy.
Our Legal Basis for Collecting Personal Information
Whenever we collect Personal Information from you, we may do so on the following legal bases:
- Your consent to such collection and use;
- Out of necessity for the performance of an agreement between us and you, such as your agreement to use our Services or your request for Services;
- Our legitimate business interest, including but not limited to the following circumstances where collecting or using Personal Information is necessary for:
- Intra-organization transfers for administrative purposes;
- Product development and enhancement, where the processing enables Lumistry to enhance, modify, personalize, or otherwise improve our Services and communications for the benefit of our Users, and to better understand how people interact with our Sites;
- Fraud detection and prevention;
- Enhancement of our cybersecurity, including improving the security of our network and information systems; and
- General business operations and diligence;
Provided that, in each circumstance, we will weigh the necessity of our processing for the purpose against your privacy and confidentiality interests, including taking into account your reasonable expectations, the impact of processing, and any safeguards which are or could be put in place. In all circumstances, we will limit such processing for our legitimate business interest to what is necessary for its purposes.
Your Failure to Provide Personal Information
Your provision of Personal Information is required in order to use certain parts of our Sites and Services. If you fail to provide such Personal Information, you may not be able to access and use our Sites and/or Services, or parts of our Sites and/or Services.
Our Retention of Your Personal Information
We determine the appropriate retention period for Personal Information on the basis of the amount, nature and sensitivity of your Personal Information processed, the potential risk of harm from unauthorized use or disclosure of your Personal Information and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation).
After expiry of the applicable retention periods, your Personal Information will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
Sharing Personal Information
Lumistry may disclose your Personal Information to commercial providers for a business purpose, which includes verifying your identity when making a payment or registering access to your accounts. When we disclose Personal Information for these reasons, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for the purposes set forth in the contract.
In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for one or more business purposes:
- Identifiers;
- California Customer Records Personal Information categories;
- Protected classification characteristics under California or federal law;
- Commercial Information;
- Internet or other network activity information;
- Geolocation Data;
- Sensory Data;
- Professional or employment-related information.
We disclose your Personal Information for a business purpose to the following categories of third-parties:
- Our affiliates;
- Commercial providers;
- Subscribers and their partners;
- Service providers and other third parties we use to support our business, including without limitation those performing core services (such as billing, credit card processing, customer support services, customer relationship management, accounting, auditing, administering sweepstakes, surveys, advertising and marketing, analytics, email and mailing services, data storage, and security) related to the operation of our business and/or the Services, and making certain functionalities available to our Users;
- Third-parties to whom you or your agents authorize us to disclose your Personal Information in connection with the Services we provide to you.
We may disclose your Personal Information for legal reasons. Specifically, we will share Personal Information with companies, organizations or individuals outside of Lumistry if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process or enforceable governmental request.
- enforce applicable Terms of Service, including investigation of potential violations.
- detect, prevent, or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property or safety of Lumistry, our Users or the public as required or permitted by law;
- for any other purpose disclosed when you provide the information; and
- when we obtain your consent to do so.
We attempt to notify Users about legal demands for their personal data when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.
We may disclose your Personal Information in the event of a business transfer. If we establish a new related entity, are acquired by or merged with another organization, or if substantially all of our assets are transferred to another organization, Personal Information about our Users would likely be a transferred business asset. In the event that Lumistry itself or substantially all of our assets are acquired, Personal Information about our users may be one of the transferred assets.
We may also share anonymous information (such as anonymous usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) for other business purposes. For instance, we may share aggregate reports with interested third-parties to help them understand the usage patterns for certain Services or for our Sites or those of our partners.
Sale of Personal Information
In the preceding twelve (12) months, we have not sold any Personal Information.
How We Protect Personal Information
Lumistry maintains administrative, technical and physical safeguards designed to protect Personal Information and other information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. For example, we use commercially reasonable security measures such as encryption, firewalls, and Secure Socket Layer software (SSL) or hypertext transfer protocol secure (HTTPS) to protect Personal Information.
Lumistry collects account information for payment or credit, and Lumistry will use the information only to complete the task for which the account information was offered.
Our Opt-in/Opt-out Policy
By providing an email address on the Lumistry Sites or Services, you agree that we may contact you in the event of a change in this Privacy Policy, to provide you with any Service related notices, or to provide you with information about our events, invitations, or related educational information.
For purposes of this Privacy Policy, “opt-in” is generally defined as any affirmative action by a Visitor to submit or receive information, as the case may be.
We currently provide the following opt-out opportunities:
- At any time, you can follow a link provided in offers, newsletters or other email messages (except for e-commerce confirmation or service notice emails) received from us or a Lumistry Partner to unsubscribe from the service.
- At any time, you can contact us through privacy@lumistry.com or at the telephone number (888) 699-9803 to unsubscribe from the service and opt-out of our right per your consent under the terms of this Privacy Policy to share your Personal Information.
- At any time, you can reply or text “STOP” to 512-714-9656 to opt-out of receiving SMS texts.
Notwithstanding anything else in this Privacy Policy, please note that we always reserve the right to contact you in the event of a change in this Privacy Policy, or to provide you with any service related notices.
Children
Our Sites are not intended for children under 13 years of age. We do not intentionally gather Personal Information about visitors who are under the age of 13. If a child has provided us with Personal Information, a parent or guardian of that child may contact us to have the information deleted from our records. If you believe that we might have any information from a child under age 13 in an applicable jurisdiction, please contact us at privacy@lumistry.com. If we learn that we have inadvertently collected the Personal Information of a child under 13, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible.
Your Rights and Choices
You may have certain rights relating to your Personal Information, subject to local data protection law. Whenever you use our services, we aim to provide you with choices about how we use your personal data. We also aim to provide you with access to your Personal Information. Individuals located in Canada have certain rights pursuant to Canadian Privacy Laws, including PIPEDA. Subject to certain exceptions and limitations, Lumistry intends to adhere to PIPEDA’s requirements regarding an individual’s privacy rights. If that information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. Subject to applicable law, you may obtain a copy of Personal Information we maintain about you or you may update or correct inaccuracies in that information by contacting us. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to the information. In addition, if you believe that Personal Information we maintain about you is inaccurate, subject to applicable law, you may have the right to request that we correct or amend the information by contacting us as indicated in the “How to Contact Us” section below.
Direct Marketing and “Do Not Track” Signals
Lumistry does not track its users over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. However, some third-party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser may include controls to block and delete cookies, web beacons and similar technologies, to allow you to opt out of data collection through those technologies.
California residents are entitled to contact us to request information about whether we have disclosed Personal Information to third-parties for the third-parties’ direct marketing purposes. Under the California “Shine the Light” law, California residents may opt-out of our disclosure of Personal Information to third-parties for their direct marketing purposes. You may choose to opt-out of the sharing of your Personal Information with third-parties for marketing purposes at any time by submitting a request to privacy@lumistry.com. California users may request further information about our compliance with this law by contacting us at privacy@lumistry.com or by writing to us at the address listed in the “How to Contact Us” section.
Additional Details Pertaining to Your Rights
For additional information about your specific rights please refer to the following sections:
- Visitor(s), refer to the Visitors to Lumistry’s website section of this policy.
- Subscriber(s), refer to the Subscribers of Lumistry’s Services section of this policy.
- End-User(s), refer to the End-Users of Lumistry’s Services Provided to Subscribers section of this policy.
- California Residents, refer to the California Consumer Protection Act (CCPA) section for exceptions and references per CCPA
- Patients, refer to the Health Insurance Portability and Accountability Act section for rights under HIPAA
International Transfers
We may, directly or indirectly through third-party entities around the world, process, store, and transfer the information you provide, including your Personal Information, as described in this Privacy Policy. Specifically, the information and Personal Information that we collect may be transferred to, and stored at, a location outside of your jurisdiction. It may also be processed by staff operating outside of your jurisdiction who work for us or for one of the organizations outlined in this Privacy Policy in connection with the activities outlined in this Privacy Policy. By submitting your information and Personal Information using the Sites, you agree to this transfer, storing or processing. We will take all steps necessary to ensure that your Personal Information is treated securely and in accordance with this Privacy Policy. We have put in place commercially reasonable technical and organizational procedures to safeguard the information and Personal Information we collect on the Sites. For Canadian customers, information that is transferred outside of Canada is subject to PIPEDA and other applicable Canadian privacy laws.
Visitors to Lumistry Websites
This section details our commitment to protecting the privacy of Visitors to our Websites or individuals who request us to contact them via our online web forms. This section describes how Lumistry collects, uses, shares and secures the Personal Information that you provide. It also describes your choices regarding use, access and correction of your Personal Information.
When this Section Does Not Apply: Third-Party Websites
Our Websites may contain links to other websites. We do not control such websites and are not responsible for their contents or the privacy policies or other practices of such websites. Our inclusion of links to such websites does not imply any endorsement of the material on such websites or any association with their operators. The information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.
Information That Visitors Provide To Us
Beyond the general collection of data described in the general policy, we ask for and may collect Personal Information from you when you submit web forms on our Websites or as you use interactive features of the Websites, including: participation in surveys, contests, promotions, sweepstakes, requesting customer support, or otherwise communicating with us. We process your Personal Information to perform our contract with you for the use of our websites and the Service(s) and to fulfill our obligations under the Services Agreement to You; where we have not entered into a Services Agreement with you, we base the processing of your Personal Information on our legitimate interest to operate and administer our websites and to provide you with the content you access and request.
We ask for and may collect Personal Information such as your name, address, phone number and email address when you register for or attend a sponsored event or other events at which Lumistry participates, in order to facilitate your registration or attendance at an event, including sending related communications to you.
Additional Information We Collect From Visitors to Our Sites
As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with our Sites and Services. This information includes Internet Protocol (IP) addresses as well as browser type, Internet Service Provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your devices, your mobile carrier, and system configuration information. Occasionally, we connect Personal Information to information gathered in our log files as necessary to improve our Sites and Services. In such a case, we will treat the combined information in accordance with this Policy.
Subscribers of Lumistry Services
This section details additional information regarding our commitment to protecting the privacy of Subscribers of Lumistry Services.
When this Section Does Not Apply: Service Data
With the exception of Account Information (as defined below) and other information we collect in connection with a Subscriber registration or authentication into our services, this section does not apply to our security and privacy practices in connection with your access to and use of the products and services which we market for subscription on our Websites. We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. These security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications or other materials submitted to and stored within the Services by You (“Service Data”), are detailed in and governed by our Terms of Service Agreement, available here, or such other applicable agreement between Subscriber and Lumistry relating to Your access to and Your use of such Services (collectively referred to as the “Agreement”).
Information That You Provide To Us
We ask for and may collect Personal Information about the Subscriber such as name, address, phone number, and email address, as well as certain related information like the Subscriber’s company name and website name (“Subscriber Information”), when a Subscriber registers for an account to access or utilize one or more of our Services (an “Account”). We base the processing of the Subscriber Information on our legitimate interest to provide the Subscriber with the necessary functionality required during your use of our Service(s).
By voluntarily providing us with Subscriber Information, the Subscriber represents that it is the owner of such information or otherwise has the requisite consent to provide it to us.
Subscribers’ Responsibilities
Subscribers to our Services are solely responsible for establishing policies for, and ensuring compliance with all applicable laws and regulations, as well as with any and all privacy policies, agreements or other obligations, relating to the collection of Personal Information in connection with the use of our Services by End-Users with whom our Subscribers interact. If you are an End-User who interacts with a Subscriber using our Services, then you will be directed to contact our Subscriber for assistance with any requests or questions relating to the End-User Personal Information.
Data Collected from End-Users on the Subscriber’s Behalf
Some Lumistry Subscribers engage us to deliver Services to their customers and other users (“End-Users”). This section describes such collection, but End-Users should refer to their pharmacy’s privacy notice (for which we are not responsible) to better understand that pharmacy’s privacy practices, including with respect to information we may collect on such pharmacy’s behalf.
During the last twelve (12) months, we have collected the following categories of Personal Information from End-Users.
| Category | Type of Identifiers We Collect | Collected |
| --- | --- | --- |
| Identifiers | First and last name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address. | YES |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, date of birth, physical characteristics or description, address, telephone number, insurance policy number, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| Protected Classification Characteristics under California or federal law | Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| Internet or Other Network Activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| Geolocation data | Physical location or movements. | YES |
| Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | YES |
Retention of Data Collected on the Subscriber’s Behalf
We retain the Personal Information we collect on behalf of Subscribers for as long as necessary to fulfill the purpose for which it is being processed, where we have an ongoing legitimate business need to do so (for example, to provide you with our Services, to enable your participation in an event, and to comply with applicable legal, tax or accounting requirements), as well as on the basis of applicable legal requirements.
If an End-User’s Personal Information is processed within a Subscriber’s Service Data, we will process the Personal Information for as long as we are instructed to do so by the relevant Subscriber.
How End-Users Exercise Their Data Protection Rights
End-Users have certain choices available to them when it comes to their Personal Information. Below is a summary of those choices, how Subscribers may fulfill requests on their behalf and any limitations you may have.
Accessing, Correcting, Amending and Removing End-User Personal Information
An End-User who seeks to exercise their data protection rights with respect to their Personal Information stored or processed by us on behalf of a Subscriber (including to seek access to, or to correct, amend, delete, port or restrict processing of such personal information) should direct the query to the Subscriber.
- Services enable Subscribers to independently access and update certain Personal Information from within the Service once granted access. For example, the Subscriber can request access to an End-User profile and make updates to End-User Personal Information.
- Subscribers may also submit a request to Lumistry to remove the Personal Information of an End-User.
- Subscribers can independently access, correct, amend, and delete certain Personal Information within their third-party systems that integrate with Services, including but not limited to IVR and PMS.
- If Services are configured to automatically receive End-User Personal Information from Subscriber third-party systems, including but not limited to PMS, when there is a request to delete End-User Personal Information, Subscriber should independently remove that End-User Personal Information from their third-party system before requesting that Lumistry remove the Personal Information from Services.
Lumistry will fulfill such requests from a Subscriber within forty-five (45) days of receipt of the request. Lumistry will retain Personal Information that we process and store on the Subscriber’s behalf for as long as needed to provide Subscribers with Services, for record keeping purposes, to complete transactions or to comply with our legal obligations.
Deactivating an End-User Profile
If an End-User no longer wishes to use the Services, the Subscriber should request that Lumistry deactivate the End-User account by emailing such a request to privacy@lumistry.com with the full name, date of birth and email address of the End-User.
Request That End-User Information Stop Being Used
Subscribers may request that the Personal Information belonging to an End-User no longer be accessed, stored, used and otherwise processed. Subscribers can also request on behalf of their End-User to opt out from our use of their Personal Information for marketing purposes by contacting us, as provided below. Lumistry will fulfill such a request from a Subscriber within forty-five (45) days.
Opt-out of Communications
End-Users may manage their receipt of marketing and non-transactional communications by clicking on the “unsubscribe” link located on the bottom of marketing emails sent on behalf of Subscribers, or Subscribers may send a request to privacy@lumistry.com on behalf of the End-User to opt out of communications.
Other Data Protection Rights
If an End-User wishes to exercise any other data protection rights that are available to them under their local data protection laws, please review our “General Data Protection Regulation (GDPR)” and “California Consumer Privacy Act (CCPA)” sections below.
General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (“GDPR”), and corresponding legislation in the United Kingdom and Switzerland, provide European, Swiss and United Kingdom residents with certain rights in connection with Personal Data you have shared with us. If you are resident in the European Economic Area, you may have the following rights:
- The right to be informed. You are entitled to be informed of the use of your Personal Data. This Privacy Policy provides such information to you.
- The right of access. You have the right to request a copy of your Personal Data which we hold about you.
- The right of correction. You have the right to request correction or changes of your Personal Data if it is found to be inaccurate or out of date.
- The right to withdraw consent. You have the right to withdraw a previously given consent for processing your Personal Data for a specific purpose.
- The right to be forgotten. You have the right to request us, at any time, to delete your Personal Data from our servers and to erase your Personal Data when it is no longer necessary for us to retain such data. Note, however, that deletion of your Personal Data will likely impact your ability to use our services.
- The right to object (opt-out). You have the right to opt-out of certain uses of your Personal Data, such as direct marketing, at any time.
- The right to data portability. You have the right to a “portable” copy of your Personal Data that you have submitted to us. Generally, this means your right to request that we move, copy or transmit your Personal Data stored on our servers or information technology environment to another service provider’s servers or information technology environment.
- The right to refuse to be subjected to automated decision making, including profiling. You have the right not to be subject to a decision and insist on human intervention if the decision is based on automated processing and produces a legal effect or a similarly significant effect on you.
- The right to lodge a complaint with a supervisory authority. You have the right to lodge complaints about our data processing activities by filing a complaint with us or with the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
You may exercise any of the rights described in this section via email to privacy@lumistry.com or via the online portal. All customers may update or correct information about themselves by making changes to their profile or submitting a request via email to privacy@lumistry.com or via the online portal. Please note that we may ask you to verify your identity and request before taking further action on your request. We may respond to your request by letter, email, telephone or any other suitable method. If you completely delete all such information, then your account may become deactivated. We may retain an archived copy of your records as required by law, to comply with our legal obligations, to resolve disputes, to enforce our agreements or for other legitimate business purposes.
In some cases our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the Services you have requested. Where this is the case, we will inform you of specific details in response to your request.
We endeavor to respond to a verifiable consumer request within 30 days of its receipt consistent with applicable law.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
California Consumer Privacy Act (CCPA)
Under the California Consumer Privacy Act, California residents have specific rights regarding their Personal Information. This section explains how California residents can exercise those rights and describes Californians’ rights.
Exercising Your Rights
Visitors and Subscribers Who Are California Residents Can:
- Submit a request to Lumistry via email at privacy@lumistry.com.
- Call (888) 699-9803 to submit a privacy request.
Fulfillment of Data Protection Requests
Upon receiving a request from a Visitor or Subscriber, we will confirm receipt of the Visitor’s or Subscriber’s request by sending you an email, confirming receipt via our online portal, or sending a message to your online account. To help protect the Visitor’s or Subscriber’s privacy and maintain security, we may take steps to verify the Visitor’s or Subscriber’s identity before granting the Visitor or Subscriber access to the information. In some instances, such as a request to delete Personal Information, we may first separately confirm that the Visitor or Subscriber would in fact like us to delete their Personal Information before acting on the request.
We will fulfill requests within forty-five (45) days. If we require more time, we will inform the Visitor or Subscriber of the reason and extension period in writing. If the Visitor or Subscriber has an account with us, we will deliver our written response to that account. If the Visitor or Subscriber does not have an account with us, we will deliver our written response by mail or electronically, at the Visitor’s or Subscriber’s option.
In some cases our ability to uphold these rights for a Visitor or Subscriber may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, listed below, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
Californians’ Rights With Respect to Personal Information
Below we further outline specific rights which California residents may have under the California Consumer Privacy Act.
- Right to Access Your Data. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of Personal Information we collected about you.
- The categories of sources for the Personal Information we collected about you.
- Our business or commercial purpose for collecting that Personal Information.
- The specific pieces of Personal Information we collected about you.
- The categories of third-parties with whom we share that Personal Information.
- The specific pieces of Personal Information we’ve disclosed for a business or commercial purpose, identifying the Personal Information categories that each category of recipient obtained about you.
Any disclosures we provide will only cover the 12-month period preceding the receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
- Right to Data Portability. You have the right to a “portable” copy of your Personal Information that you have submitted to us. Generally, this means you have a right to request that we move, copy or transmit your Personal Information stored on our servers or information technology environment to another service provider’s servers or information technology environment.
- Right to Delete Your Data. You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- Comply with a legal obligation; or
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Information We May Collect On Behalf of our Subscribers per CCPA
Category | Type of Identifiers We Collect |
Identifiers. | First and last name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address. |
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, date of birth, physical characteristics or description, address, telephone number, insurance policy number, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. |
Protected classification characteristics under California or federal law | Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). |
Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. |
Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. |
We obtain the categories of Personal Information listed above from the following categories of sources:
- Directly from our Subscribers. For example, from documents that our clients provide to us related to the services for which they engage us.
- Indirectly from our Subscribers. For example, through information we collect from our Subscribers in the course of providing services to them.
- Directly and indirectly from activity on our Websites. For example, from website usage details that are collected automatically. In addition, like many companies, we use “cookies,” which are small text files a website can use to recognize repeat Visitors, facilitate the Visitor’s ongoing access to and use of the site, and track usage behavior such as the webpages you visit.
- From third-parties that interact with us in connection with the services we perform.
HIPAA
Lumistry, to the extent it is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has its own privacy and security obligations with respect to protected health information (PHI). We encourage you to contact Lumistry regarding its privacy and security practices (for more information regarding your rights under HIPAA, see http://www.hhs.gov/ocr/privacy).
To the extent we are a “business associate” under HIPAA, we have agreements in place with healthcare providers requiring us to only use and disclose PHI as the healthcare providers are permitted to under HIPAA. This Privacy Policy and the privacy and security practices described therein are designed to comply with these agreements. As such, among other obligations, we will:
- use reasonable and appropriate safeguards to keep your PHI that we collect private and confidential;
- alert you in accordance with the guidelines set forth under HIPAA if we are made aware of any unauthorized access to your PHI that we have collected; and
- provide you access in a reasonable time and manner to your PHI we have collected and make any reasonably requested amendment thereto.
Lumistry may de-identify PHI pursuant to HIPAA and aggregate patients’ de-identified information with other Lumistry patient information, and use such aggregated information for population-based research activities and analytics; treatment, payment, enrollment, or eligibility for benefits are not conditioned upon a patient reviewing the privacy policy. When information is used or disclosed, it may be subject to re-disclosure and may no longer be protected by state or federal privacy regulations.
Changes to this Privacy Policy
Our Privacy Policy may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services or programs, email notification of privacy policy changes). We will also keep prior versions of this Privacy Policy in an archive for your review.
How to Contact Us
If you have any specific questions about this Privacy Policy, you can contact us via email or phone or by writing to us at the address below:
Send email to: privacy@lumistry.com
Call us at: (888) 699-9803
Send mail to our address:
Lumistry
Attn: Privacy Policy Inquiry
3800 N. Lamar #320
Austin, TX 78756
Privacy Officer: Scott Brittain is Lumistry’s Privacy Officer and is responsible for the implementation of this policy and monitoring information collection and data security, and ensuring that all employees receive appropriate training on privacy issues and their responsibilities. The Privacy Officer also handles personal information access requests and complaints. The Privacy Officer may be contacted at the following address: privacy@lumistry.com