BY INTERACTING WITH THE WEBSITE WWW.FAWKESBIODATA.COM (THE “SITE”), EITHER AS A VISITOR OR AS A USER, YOU AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY NOTICE AND TO OUR TERMS AND CONDITIONS.

This Privacy Notice applies to PII and Personal Health Information that Fawkes Biodata LLC (“Fawkes”) collects through its Site in providing its Services.

Below are highlights of our PII and Personal Health Information handling practices.

Privacy Notice Highlights

The terms "we", "our" and "us" mean Fawkes and the terms “you” and “your” mean the visitors or users of the Site and the users of the WebApp.

Capitalized words in these Privacy Notice Highlights are defined in the Detailed Privacy Notice.

1. Information We Collect

We collect your Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) from the following sources:

1. information you give us when you contact us through the Contact Us Page, open an Account or subscribe for Services, when you submit customer service inquiries, or when you submit customer feedback or reviews;
2. information we collect automatically when you visit our Site and WebApp, such as information about your browser settings, operating system, and other information collected through cookies;
3. the information you provide to us during your Account setup; and
4. medical information that our service providers collect on our behalf with your consent from your health records or your fitness apps.

2. How We Use and Disclose Your Information

1. We use your PII and PHI that we or our service providers collect from you to provide the Services on our WebApp and to manage our business operations, such as to authenticate you when you sign into your Account, to prevent loss of data and fraud, process your subscription payment, and to monitor and improve the performance of our Site and WebApp;
2. We and our service providers may combine or aggregate your de-identified and pseudonymized PII and PHI, so that it will be unlikely to re-identify you from it, to monitor trends and provide and improve our respective products and services;
3. We may share or transfer your PII and PHI that we or our service providers collect from you to our service providers or Affiliates who may be outside of the country from which you access our Services under a Data Collection and Sharing Agreement, but that information may be subject to privacy laws that differ from those of the country from which you access our Services.
4. We may also disclose your PII and/or PHI if a court order requires us to do so.
5. With your consent, we may use your PII to contact you for marketing, promotional, or other purposes.

3. Your Choices and Consent

1. You can change your communication preferences for marketing and advertising e-mails, participation in surveys, and to provide or withdraw consent for specific requests we or our service providers may make to collect and use your PII and PHI in the Consent Center in your Account.
2. You may withdraw your consent from our further use of your PII or PHI and you may close your Account. In that event, we may use your PII and PHI for the purposes to which you consented before you withdrew consent and we may keep information about you and your previous transactions with us for audit purposes, to ensure the integrity of our data, and to fulfill legal requirements.
3. If you consent to one of our service provider’s collection or use of your PII or PHI that they will share with us, you will be bound by their privacy policies and terms of service/use.

4. How to Contact Us

If you have a privacy question or concern, please contact us at: privacy@FawkesBiodata.com.

Please review our Detailed Privacy Notice for more information about our practices.

DETAILED PRIVACY NOTICE:

1. BACKGROUND
2. SCOPE
3. ACCOUNTABILITY
4. LIMITING COLLECTION: WHAT INFORMATION DO WE COLLECT?
5. LIMITING USE: HOW DO WE USE YOUR PERSONAL INFORMATION?
6. DISCLOSURE: WHEN DO WE DISCLOSE YOUR PII AND PHI TO OTHERS?
7. SAFEGUARDS: HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
8. DATA BREACH
9. DATA RETENTION: HOW LONG DO WE KEEP YOUR PII AND PHI?
10. DATA STORAGE AND TRANSFER
11. RESIDENTS OF THE EUROPEAN ECONOMIC AREA (“EEA”)
12. AGE AND CONSENT
13. THIRD-PARTY SERVICES AND LINKS
14. ACCURACY: HOW DO YOU MODIFY YOUR INFORMATION?
15. ACCESS: RIGHT TO YOUR DATA
16. ACCOUNT CLOSURE: DATA DELETION
17. CHALLENGE COMPLIANCE
18. CHANGES TO THIS PRIVACY NOTICE

1. Background

The website www.FawkesBiodata.com (the “Site”) is owned by Fawkes Biodata LLC (“Fawkes”).

Fawkes empowers individuals to engage in their health journey by securely acquiring their health records from their current and former healthcare providers, and allowing them to grant access to their records, at their discretion, to their caregivers and the healthcare professionals involved in their care (the “Services”).

As used in this Privacy Notice, capitalized terms not otherwise defined here have the meaning assigned to them in the Terms and Conditions; otherwise the following terms have the following meaning:

“Data Concerning Health” means, as related to a person in the European Union, personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

“Personal Data” means, as related to a person in the European Union, any information which is related to an identified or identifiable natural person.

“Personally-Identifiable Information” or “PII” means information that identifies you or could be combined by us or our service providers and Affiliates with other information to identify you.
This information includes your personal date of birth, birth certificate information, social insurance number, social security number, the number of any government issued identification, medical record number, health card number, e-mail address, home mailing address, home telephone number, personal cellphone number, your internet provider (IP) address and other similar information when associated with you. PII may also include information about how you have used our Site and the WebApp, if we can associate that PII with you. If you interact with our Site or our WebApp on behalf of a business, PII does not include your title, your business e-mail and mailing address, or your business telephone number when we use that information to contact you in your business capacity. For EU residents, your business contact information is considered “Personal Data”. Reference in this Notice to PII shall include Personal Data, where applicable.

“Personal Health Information” or “PHI” means information about you, while living or deceased, that relates to: your physical or mental health; any health or medical services you received; your medical examinations, tests, and surgeries; whether you donated any organs or fluids; and information collected in the course of, or related to, providing health services to you. PHI may be found in your medical records, treatment and examination notes, and communications between you and your healthcare providers. Reference in this Notice to PHI shall include Personal Data, where applicable.

"we", "us" or "our" means Fawkes Biodata LLC (“Fawkes”) and any of our Affiliates. "you" or "your" means an individual Using the Site, the WebApp, or the Content as a visitor, a prospective or current Client, a Caregiver, and any Person who has been granted temporary access to health records under an Account.

2. Scope

This Privacy Notice helps visitors to our Site and Users of the WebApp and our Services to better understand how we collect, use and store your PII and PHI.

3. Accountability

We take the privacy of your PII and PHI seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect PII and PHI and we train our staff in our PII and PHI handling practices.

We commit not to rent or sell any of your PII or PHI we collect directly from you or as part of our Services. We and our service providers comply with privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Health Information Protection Act (Ontario) (“PHIPA”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the European Union’s General Data Protection Regulation (“GDPR”), as applicable.

We have appointed a Chief Privacy Officer accountable for our PII and PHI handling practices. If you have a question or complaint about our information handling practices, please contact us at privacy@fawkesbiodata.com.

4. Limiting Collection: What Information Do We Collect?

The ways we collect PII and PHI can be broadly categorized into:

Information you provide to us directly: When you visit or use parts of our Site, the WebApp or our Services, we might ask you to provide PII to us. For example, we may ask for your name and email address on our Contact Us page so we can reply to a message you post there. We may also receive your contact information when you contact us directly at the contact email provided on the Site.

We collect your PII and PHI when you open an Account and Onboard to subscribe to our Services.
For example, we will collect identification and contact information, such as your name, mailing address, date of birth, your health insurance number, and demographic information to be able to properly identify you, to contact you, to process a credit card payment for your subscription to our Services, and to collect PHI from your health records. We will also collect PII and PHI at Onboarding, such as your medical conditions, treatment information, surgeries, allergies, blood type, and your family doctor’s contact information.

If you do not wish to provide us with all or some of the PII or PHI required to open an Account and to receive the Services you do not have to, but it might mean you cannot use parts of our Site, WebApp, or receive our Services.

Information from other Sources: We may receive PII and PHI about you from other sources. For example, we will receive PII from credit card processors regarding whether the credit card details you entered have been accepted or declined. We also receive PHI from the service providers we engage to collect, with your consent, your medical records and fitness application information from your current and former healthcare providers and the fitness applications that you designate so that we can provide our Services to you.

Information we collect automatically: We may automatically collect some technical information when you visit our Site or the WebApp that platforms like Google Analytics may collect about your interaction with our Site. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, language preferences, and cookie data. We use this information to detect problems, improve the navigation of our Site and WebApp so they are easier to use and to determine which aspects of our Services may interest you.
If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you sought information about a particular topic or service, or to make inferences about other products and services in which you might be interested. For details about our cookie practices, please refer to our Cookie Policy.

5. Limiting Use: How Do We Use Your Personal Information?

We collect and use PII, PHI and non-personal information for the following purposes:

a) To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or your subscription to our Services; (iii) changes to our Site or WebApp, or changes to this Privacy Notice, our Terms of Service or our Cookie Policy; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
b) To provide Services.
We use your PII and PHI to provide the Services and to manage our business operations such as to register your Account, to authenticate you when you log into your Account, to deliver the Services, and to protect the security or integrity of our Site, the WebApp, the Content, our Services, and our business.
c) To improve our Site, WebApp, and Services and develop new ones: We monitor how you use the Site, the WebApp, and the Services so we can improve our offerings, user experience, and design new features.
d) To detect and prevent any fraudulent or malicious activity and to make sure that our Site, WebApp, Content, and Services are used fairly and according to our Terms of Service.
e) With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us;
f) With your consent, to use aggregated de-identified and pseudonymized PII and PHI and non-Personal Information, which we or our business partners may use to monitor trends, to improve our respective products and services;
g) To comply with any laws and regulations.

6. Disclosure: When Do We Disclose Your PII and PHI to Others?

With your consent, our service providers collect and store your PHI and the required PII to access your PHI from your health records held by your current and former healthcare providers, so we can provide you the Services.

We may share your PII and PHI with our service providers and our Affiliates that help us with our business operations. If you consented to receive marketing and promotional emails from us, we may share select PII with service providers who provide us with marketing and promotional services.
We enter into Data Collection and Sharing Agreements with our service providers and Affiliates that impose standards for data protection and confidentiality, and prohibit disclosure or use of your information for any other purpose than the one for which we engaged them.

We may share with selected third-parties certain demographic and contact information about you, including name, date of birth and any email addresses or phone numbers to verify your identity.

Through your Account, you may grant temporary access to your health records to the healthcare professionals involved in managing your care such as physicians, specialists, pharmacists, nutritionists or physical therapists.

We may share your PII or PHI, as applicable, without your explicit consent or notice to you:

1. To collect a debt from you or to prevent or investigate fraudulent or illegal activity on your Account.
2. To comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction to compel disclosure of your PII or PHI, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, this Privacy Notice, or as otherwise required by law.
3. To establish or defend our legal rights. Where possible and appropriate, we will notify you.
4. To an actual or potential buyer of Fawkes (and its agents and advisers) in connection with an actual or proposed purchase, merger or acquisition of any part of our business. In such case, your PII and PHI will be protected by security safeguards appropriate for the sensitivity of the information.
5. To other companies who assist us to process your payment for your Service subscription or any service providers on whom we rely to conduct our business with you.
6. To protect the security of the Site, the WebApp, the Services, or the security of your Account.

We are responsible for all onward transfers of Personal Data and Data Concerning Health of any EU clients to third parties and we make such transfers under Data Collection and Sharing Agreements or by relying on their self-certification under the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.

7. Safeguards: How Do We Protect Your Personal Information?

We take administrative, technical and physical measures to safeguard your PII and PHI against unauthorized access, unauthorized disclosure, theft and misuse.

Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring access to your PII and PHI through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your PII and PHI over which we have custody and control in Canada in data centers that are ISO 27001 certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, WebApp, and our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies and procedures that address, and train our staff on, the handling of PII and PHI. All our staff members and contractors are legally bound to confidentiality.

We do not store your credit card information. Payments are handled by Stripe, a reputable direct payment gateway provider.
The data they collect is encrypted according to the Payment Card Industry Data Security Standard (PCI-DSS) and they implement additional generally accepted industry standards.

We expect our Affiliates and service providers to protect your PII and PHI that they collect from you directly or that we shared with them, as provided in the Data Collection and Sharing Agreements we have with them.

8. Data Breach

We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to your PII and PHI and no transmission over the internet is 100% secure. Therefore, you provide your PII and PHI to us and our service providers at your own risk.

Despite our rigorous precautions against data breaches, the risk of a breach remains. We have a well-developed data breach procedure and if a breach of your PII or PHI in our custody or control occurs we will comply with the stringent breach notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).

IF A BREACH OCCURS OF YOUR PII OR PHI THAT IS IN THE CUSTODY OR CONTROL OF ONE OF OUR SERVICE PROVIDERS TO WHOM YOU PROVIDED CONSENT TO COLLECT THAT INFORMATION, THEN THAT SERVICE PROVIDER’S BREACH POLICIES APPLY.

9. Data Retention: How Long Do We Keep your PII and PHI?

We keep your PII and PHI that is in our custody and control if we have a legal or legitimate business need to keep it, for example, to provide you the Services to which you subscribe or to comply with information retention requirements in Ontario or Canada.

Once our relationship ends, we generally will continue to store archived copies of your PII and PHI in our custody and control for legitimate business purposes, such as to defend a contractual claim, for audit, and to comply with the law.
We maintain a records retention and destruction policy to destroy information when we no longer have a business need for it and are not required by law to keep it.

PII and PHI collected with your consent by our service providers that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.

PII collected by our direct payment gateway provider to process a transaction on the WebApp is stored only as long as it is necessary to complete your transaction, then it is deleted. We do not collect or store any information related to your payment transactions.

We and our service providers may continue to store and use aggregated de-identified PII and PHI to improve our respective products and services.

10. Data Storage And Transfer

The PII and PHI we or our service providers collect from our Canadian clients will be stored in Canada by default, however their PII and PHI may be used or stored by our service providers outside of Canada.

The PII and PHI that our service providers collect from our American clients will be stored in the United States by default, but will be transferred to us and will be stored, along with the PII and PHI we collect from them in Canada during Onboarding and as otherwise provided in this Privacy Notice, and we and our service providers may use it in Canada and the United States.

The PII and PHI we or our service providers collect from our European clients will be stored in the European Union by default, but will be transferred to us and will be stored and used along with PII and PHI we collect from them in Canada during Onboarding and as otherwise provided in this Privacy Notice, and our service providers may use it and store it in the United States.

We enter into Data Collection and Sharing Agreements with our service providers that require them, among other things, to safeguard your PII and PHI.
However, if your PII and PHI is used or stored outside your home country, these data will be subject to the laws of the country in which they are used or stored, which may differ from and be less protective of PII than the privacy laws of your country.

11. Residents of the European Economic Area (“EEA”)

If you (a “Data Subject”) are located in the EEA, the Personal Data and Data Concerning Health you provide to us in Canada may be transferred to other regions, including to the United States. To ensure that your Personal Data and Data Concerning Health is protected when transferred out of the EEA, we rely on Canada’s PIPEDA requirements, which are deemed equivalent to those of the GDPR. If we, or our service providers, transfer your Personal Data and Data Concerning Health to service providers in the United States, we do so under a Data Collection and Sharing Agreement or pursuant to their self-certified compliance with the EU-U.S. Privacy Shield Framework, regarding the collection, use, and retention of Personal Data and Data Concerning Health from data subjects in the EEA, and with the Swiss-U.S. Privacy Shield Framework regarding the collection, use and retention of Personal Information from data subjects in Switzerland.

Additionally, if you are in the EEA, we note we are generally processing your information to fulfill contracts we might have with you (for example to provide you our Services), or otherwise to pursue our legitimate business interests as outlined in Section 6, unless we are required by law to obtain your consent for a particular processing operation.
When we process your Personal Data and Data Concerning Health to pursue these legitimate interests, we do so where the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that information can help mitigate the risks to you, the Data Subject.

If you are in the EEA or in Switzerland and believe that your Personal Data has been used contrary to this Privacy Notice, please contact us using the information in Section 17.

If your complaint or dispute is about the use of your Personal Data and Data Concerning Health by one of our service providers in the United States, you may also contact the International Centre for Dispute Resolution. This organization provides independent dispute resolution services, at no charge to you. ICDR can be contacted at go.adr.org/privacyshield.html

If, after attempting to resolve a dispute through ICDR, you feel that your concerns about the handling practices of your Personal Data and Data Concerning Health by a service provider in the United States have not been resolved, please visit www.privacyshield.gov.

12. Age and Consent

Only individuals 18 years of age or older may subscribe to our Services and access the WebApp.

A parent or a legal guardian of individuals under the age of 18 may register for an account on behalf of a minor.

When you provide PII or PHI to open an Account and Onboard, or to provide PII to complete a transaction by credit card, you consent to our collecting your PII and PHI required to complete these activities only.

When you register your Account, you can provide your consent to receive marketing and promotional e-mails and to consent to our use of your PII and PHI in our custody and control (in aggregated and de-identified form) for Service improvement purposes, or other outlined purposes.

YOU CAN WITHDRAW CONSENT FOR OUR USE OF YOUR PII OR PHI IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR PII OR PHI FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR PII OR PHI IS AUTHORIZED OR REQUIRED BY LAW.

Our service providers whom you consented to collect and store your PII and PHI may use your information according to their respective privacy policies and terms of service/use. If you wish to withdraw your consent from these entities, you must follow their consent withdrawal procedures. We will assist you in that process.

Please visit the Consent Center or contact us at privacy@Fawkesbiodata.com if you wish to withdraw your consent for our use of your PII and/or PHI.

13. Third-Party Services and Links

You may access third-party websites through links available on our Site or the WebApp. These links are provided for convenience only. Once you leave our Site or WebApp or are redirected to a third-party website or application, you are no longer governed by this Privacy Notice or our Terms of Service.

We have no control over those third-party websites and you access them at your own risk.
We recommend that you read the privacy policies of these third-party providers so you can understand how they handle your PII and PHI.

You acknowledge that these links may lead you to third-parties that may operate in a different jurisdiction than either yours or ours. If you provide your PII or PHI to these entities then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.

14. Accuracy: How Do You Modify Your Information?

We want to ensure that the PII and the PHI we collect from you and that is in our custody and control is accurate, complete, and up-to-date for the purpose for which it is to be used, and we will destroy any information that is out-of-date or that is no longer required for the purpose for which it was collected, unless we must keep it to comply with Ontario or Canadian law.

Our service providers who collected your PII and PHI with your consent have their own policies about data accuracy, retention, and destruction.

We use reasonable means to ensure that information in your Account record is accurate. You may update certain PII directly in your Account and you may also request access to your Account Record.

If you have questions or identify any errors in your Account Record, please contact us at privacy@Fawkesbiodata.com. We will strive to address any correction requests promptly. If we dispute a correction request, we will log the reason for the disagreement.

15. Access: Right to your data

You may access your Account Record and port the information from us to another entity. If you request a copy of your Account Record, we will provide it to you at no charge. You can request access to your Account record by contacting us at privacy@Fawkesbiodata.com.

Before we grant you access to your Account records we will first authenticate you to confirm your identity. We will handle all access requests promptly, subject to applicable privacy laws.
We will provide you the legends for any special codes, acronyms or other similar information in the disclosed material, so your right of access is meaningful.

16. Account Closure: Data Deletion

EU residents have the right, in certain circumstances, to have their Personal Data erased (the “Right to be Forgotten”). Non-EU residents may also elect to exercise the Right to be Forgotten.

To close your Account or to request that the PII, PHI, or Personal Data, as applicable, we have about you be deleted, please email us at privacy@Fawkesbiodata.com. Once we receive your request and authenticate your identity we will remove your Account from active use. If you do not re-activate your Account within 12 months, we will delete your Account Record, but we will keep some PII as described in Section 9. If you wish to delete your Account Record immediately, but subject to Section 9, indicate so in your email to us.

17. Challenge Compliance

If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with privacy laws applicable to it.

We are not responsible for the PII, PHI, or Personal Data (as applicable) handling practices of third-party service providers to whom you consented to access your information, whether on our behalf or otherwise. If your complaint has to do with the privacy practice of those providers, we will direct you to them. Links to the privacy policies and terms of use/service of our service providers are available in the Consent Center.

Please notify our Chief Privacy Officer of your complaint by emailing us at privacy@Fawkesbiodata.com.

We pledge to address your complaint promptly.
If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Ontario.

If you are unhappy with the response you receive from us, we hope you would contact us to resolve the issue, but you may also lodge a complaint with the data protection authority in your home country. They can advise you how to submit a complaint.

18. Changes to This Privacy Notice

We may change or update this Privacy Notice from time to time. All changes and updates are logged in the CHANGE LOG section below.

When our Privacy Notice changes, the Site and the WebApp will display a notice prompting you to review the changes.

If we make changes to this Privacy Notice, then in addition to displaying a notice on the Site and the WebApp prompting you to review the changes, we may also notify you by email at the email address associated with your Account.

The changes to the Privacy Notice will take effect on the date on which they were made or on the date provided in the notice.

By continuing to use the Site, the WebApp, or the Services after you receive the notice you implicitly consent to be bound by the Privacy Notice terms in effect on the date on which you visit the Site or the WebApp.

LAST UPDATED on May 6, 2024.