Privacy Notice

Effective date: January 01, 2023

Last updated: July 01, 2023

Flatiron Health, Inc. (“Flatiron,” “we,” or “us”) is committed to protecting your Personal Information. This Privacy Notice (this “Notice”) outlines the types of Personal Information Flatiron may collect; the means by which Flatiron may collect, use, or share your Personal Information; steps Flatiron takes to protect your Personal Information; and choices you are provided with respect to the use of your Personal Information. For the purposes of this Notice, “Personal Information” (also known as “personally identifiable information” (PII) or “personal data” in some jurisdictions) is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. Unless otherwise stated, this Notice applies to Personal Information that Flatiron collects through our website (“Sites”) or through your other interactions with Flatiron.

 

1. Overview

To comply with certain data protection laws, we are required to disclose specific information regarding the categories of Personal Information we collect, and your rights with regard to that Personal Information. The following table identifies Personal Information we collect, and specific information as required by those laws.

| Category of PI | Do we collect PI from this category? | Purposes for which the PI is collected or used/processed | Retention Period | Do we sell this PI? | Do we share this PI for targeted advertising? | Do we share this PI with third parties? | If yes, we share this PI with the following categories of third parties |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Direct identifiers | Yes | See §§ 2, 3 | See § 5 | No | No | Yes | See § 4 |
| Internet activity information | Yes | See §§ 2, 3 | See § 5 | No | No | Yes | See § 4 |
| Location information | Yes | See §§ 2, 3 | See § 5 | No | No | Yes | See § 4 |
| Profile information | Yes | See §§ 2, 3 | See § 5 | No | No | Yes | See § 4 |

 

 

2. What personal information we collect and its source

When you interact with us, we may collect the following Personal Information:

  • Direct identifiers, such as your name, address, email address, telephone number, or an IP address or other online identifier. We typically collect this information directly from you in order to communicate with you, and provide you with access to certain information on our Sites or about our services.

  • Internet activity information, such as your browsing history, search history, and browser information as it relates to the use of our Sites or other services. We typically collect this information from our use of cookies and other data collection technologies to help us design our website, to identify popular features, and for other managerial purposes. You can review our Cookie Notice here.

  • Location information, which is used to locate the device you use to access our Sites. Location information may include: (i) the location of the device derived from GPS or WiFi use; (ii) the location derived from the IP address of the device or internet service used to access the Sites; and (iii) other information made available by a user or others that indicates the current or prior location of the user. We typically collect this information from our use of cookies and other data collection technologies so that we may tailor our services to your location. You can review our Cookie Notice here.

  • Profile information, such as information about your preferences and characteristics. We typically collect this information directly from you and through our use of cookies and other data collection technologies in order to tailor our services and communications to you. You can review our Cookie Notice here.

The provision of certain types of Personal Information may be necessary or optional, depending on the circumstances. Mandatory Personal Information will be marked as such at the moment of collection of your information. If you refuse to provide mandatory Personal Information, Flatiron may not be able to process your request (such as your contact request). We may also collect non-identifiable information, such as the type of browser or operating system you are using. We may also de-identify or anonymize your Personal Information in accordance with applicable law or create aggregate, anonymized information that relates to a group of individuals, which we may use for any lawful purpose in accordance with applicable law.   

3. Purpose for collection of information

In addition to the purposes for collection listed above, we may also collect each of the above categories of Personal Information in order to provide you services and for our own internal business purposes, which include:

  • Fulfilling your requests, including to register and administer your account and provide you the information, products and services that you request (including, where applicable, user activities associated with the licensing and use of Flatiron tools and services, such as user authentication and credentialing). 

  • Enhancing your experience, such as by tailoring content and advertising and remembering your preferences.

  • Improving our Site and services, such as by improving the content, features and functionality of our Site and services, identifying popular features, enabling more accurate reporting, and improving the effectiveness of our marketing. 

  • As otherwise may be disclosed to you at the time of collection.


 

4. How we share your personal information

We may share your Personal Information for the reason(s) disclosed to you at the time we collect it, with your consent, at your direction, or in the following ways:

  • Within Flatiron: We may share your Personal Information internally among the Flatiron subsidiaries (e.g. Flatiron US, Flatiron UK, Flatiron Germany, and Flatiron Japan) in order to provide you our services and generally improve our product and service offerings.

  • With vendors and other service providers: We may share your Personal Information with service providers who perform services for us and act on our direction. These services may include activities such as direct mailing, fulfillment services, email-campaigns, digital advertising, hosting, and other IT services.

  • In the event of a corporate transaction:  In the event we go through a business transition, such as a merger, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy, or sale of all or a portion of our assets, we may disclose your Personal Information to the party or parties of such transaction.

  • To comply with our legal obligations and to protect our rights:  We will disclose your Personal Information when we think it is necessary to investigate or prevent actual or expected fraud, criminal activity, injury or damage to us or others or when otherwise required by statute, regulation, subpoena, court order, or other law, or if necessary to protect the rights, property, or safety of us, our employees, or others.

 

5. Retention periods

We will only retain your Personal Information for as long as necessary to fulfill the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.  We will also retain and use your Personal Information to the extent necessary to resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies. To determine the appropriate retention period for your Personal Information, we will consider the amount, nature, and sensitivity of the data, the potential risk of harm for unauthorized use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.  Upon expiration of the applicable retention period we will securely destroy your personal data in accordance with applicable laws and regulations.    

6. Your rights regarding personal information

Certain data protection laws grant consumers specific rights with regard to their Personal Information, of which we are obliged to inform you. Those rights include the right to:

  • Confirm whether or not we are processing your Personal Information, and access to your Personal Information

  • Correct inaccurate Personal Information

  • Delete Personal Information

  • Confirm whether Flatiron is processing your Personal Information and access that Personal Information

  • Obtain a copy of Personal Information in a portable and, to the extent technically feasible, a readily usable format for you to transmit to another controller

  • Opt-out of (i) targeted advertising, (ii) the sale of PI, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

You may exercise your rights by contacting us at 888-662-6367 or emailing us at privacy@flatiron.com. If we reject your request, you may appeal that rejection by contacting us at 888-662-6367 or emailing us at privacy@flatiron.com. In certain U.S. states, you may contact the state Attorney General if you have concerns about the result of an appeal.

We will take steps to verify your identity before processing your request to exercise these rights. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an account with us, we will use our existing account authentication practices to verify your identity. If you do not have an account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.

As described in greater detail in Section 17 (“Provider Agreements and Your Health-Related Information”), requests regarding your personal health information must be directed to your healthcare provider. As described in greater detail in Section 18 (“Our Clinical Research Offerings”), requests regarding your personal information collected in the context of a clinical study in which Flatiron’s Clinical Research Offerings are utilized must be directed to the study sponsor or the clinical research organization that is responsible for the study or your study healthcare provider.

7. Special notice to California residents

If you are a resident of California, you may be entitled to the privacy rights described below under the California Consumer Privacy Rights Act (“CPRA”). Please note that certain categories of Personal Information, such as personal health information, are not covered by these CPRA privacy rights, but are protected by HIPAA and other laws that provide similar protections.   In addition to those rights otherwise stated in this Notice, as a California consumer, under the CPRA you have the right to:

  • Request the: 

    • Categories of Personal Information collected

    • Categories of sources from which Personal Information is collected

    • Business or commercial purpose for collecting, selling or sharing (for targeted advertising) Personal Information

    • Categories of third parties to whom Personal Information is disclosed

    • Categories of Personal Information sold or shared (for targeted advertising), if any

    • Categories of third parties to whom Personal Information was sold or shared (for targeted advertising), if any

    • Categories of Personal Information disclosed for a business purpose

    • Categories of persons to whom Personal Information was disclosed for a business purpose

  • Opt-out (or opt-in for children under 16) to the sale or sharing (for targeted advertising) of Personal Information, if such occurs 

  • Equal service (no retaliation or discriminatory practices for exercising your CPRA rights)

  • Limit use of sensitive Personal Information to that necessary to perform the services or provide the goods reasonably expected by an average consumer

     

Do Not Sell My Personal Information. Under the CPRA, sell means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's Personal Information by the business to a third party for monetary or other valuable consideration. We do not sell Personal Information. 

Do Not Share My Personal Information. Under the CPRA, share means the sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, of a consumer's Personal Information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. We do not share Personal Information for targeted advertising.

Limit the Use of My Sensitive Personal Information.  If we used or disclosed sensitive Personal Information (other than as permitted by the CPRA), this sensitive Personal Information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. As a California consumer, you have the right to limit the use or disclosure of your sensitive Personal Information. You may limit the use of sensitive Personal Information by contacting us at 888-662-6367 or emailing us at privacy@flatiron.com.

Exercising Your Rights. You may exercise these rights twice a year free of charge by contacting us at 888-662-6367 or emailing us at privacy@flatiron.com. We will take steps to verify your identity before processing your request to know or request to delete. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an account with us, we will use our existing account authentication practices to verify your identity. If you do not have an account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose. You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on their behalf.

Disclosure Regarding De-Identified Datasets: Flatiron may sell or license de-identified datasets derived from patient information for any lawful purpose, including but not limited to, supporting cancer researchers in generating insights or to address hypotheses across a range of scientific, medical, clinical, or pharmaceutically-relevant questions. These de-identified data sets may include Protected Health Information that has been de-identified under the HIPAA expert determination method, which means that a statistical expert has determined that there is a very small risk that the information could be used, alone or in combination with other reasonably available information, to identify you. Data de-identified in this way does not constitute Protected Health Information. 

Shine the Light – Third Party Marketing: California law also gives California residents the right to request certain information regarding our disclosure of their Personal Information to third parties for those third parties’ direct marketing purposes. You may request information regarding the disclosure of your Personal Information to third parties for those third parties’ direct marketing purposes by emailing privacy@flatiron.com or writing to us at the address in the contacting us section. Please indicate “California Rights” in the subject or attention line of your communication.

 

8. Cookies and other data collection technologies

We use cookies, pixel tags, log files, and other technologies (collectively, “Data Collection Technologies”) on our Sites, to help us facilitate our services, tailor our content and enhance your online experience. For more information, please review our Cookie Notice at https://flatiron.com/legal/cookie-notice/.

9. Sale/sharing for targeted advertising and use for profiling

We do not sell Personal Information, nor do we use Personal Information for targeted advertising or profiling.  

10. Your choices; interest-based ads

We encourage you to communicate your preferences to us about how we use your Personal Information.

  • Unsubscribe from marketing:  You may opt-out of receiving marketing communications from us by following the instructions included in each communication or by emailing us at privacy@flatiron.com.  If you receive marketing communications from any of our business partners or other parties, you must opt-out with each of those parties. Note that if you unsubscribe from our marketing communications, you still may receive transaction and other administrative communications from us based on the nature of your relationship with us.

  • Modify your Personal Information:  You may request changes to any incorrect Personal Information that we maintain about you. Contact us at the email, address, or phone number included in the Contacting Us section, below, to make a request. We will endeavor to comply with your request, but please understand that we may not be able to modify information about you that we have relied upon to provide services to you or that we are legally required to maintain. 

  • Turn off location services:  If you do not want us to collect information from your device, please disable the location setting(s) on your device or, when applicable, delete any Flatiron applications. Please note that disabling the location setting may affect certain features of our Sites and any Flatiron applications.

We may use third-party vendors to serve advertisements on our behalf across the internet. These advertising vendors may collect (by using Data Collection Technologies) information about your visits to and interactions with our Sites. In addition to the information about your visits to our Site, these vendors may also use the information about your visits to other websites to target advertisements for products and services available from us. If you would like more information about this practice and your choices relating to this data collection, please visit networkadvertising.org. You may manage your third-party advertising preferences

11. Children's information

Our Sites are not intended for use by or directed to children under 18 years of age. If you are under 18 years old or otherwise have not attained the age of majority in your state of residence, you must have your parent or other legal representative’s permission to use the Sites.  If we learn that we have received any Personal Information directly from a child under age 18 without first receiving his or her parent’s verified consent, we will use that Personal Information only to respond directly to that child (or his or her parent or legal guardian) to inform the child that he or she cannot use the Sites.  We will then subsequently delete that child’s Personal Information.  

12. Do not track

Some web browsers incorporate a “Do Not Track” (“DNT”) feature that signals to the websites that you visit that you do not want to have your online activity tracked. Many websites and applications, including our Sites, do not currently respond to web browser DNT signals because such signals are not yet uniform. For more information about DNT signals, please visit www.allaboutdnt.com.

13. Links to other sites

Our Sites may contain links to other sites that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices or content of such other sites. We encourage you to be aware when you leave our Sites and review the privacy policies of such sites as their privacy policies may differ from ours.   

14. Note to site visitors outside the US, EU, UK, or Japan

The Sites are intended for use in the United States, EU, UK and Japan only.  If you visit our Sites or contact us from outside of the United States, EU, UK, or Japan please be advised that (i) any information (including Personal Information) you provide to us or that we automatically collect will be transferred to the United States; and (ii) that by using our Sites or submitting information through the Sites (including Personal Information), you explicitly authorize its transfer to and subsequent processing in the United States in accordance with the laws of the United States and this Notice.   

15. Changes to this privacy notice

We reserve the right to change or replace this Notice at any time.  Please check back from time to time to ensure that you are aware of any changes or updates to the Privacy notice.  We will indicate the date that the Notice was last updated at the top of this page. If we make material changes that would impact your use of the Sites or your privacy rights, we will endeavor to notify you of the changes, such as by posting a notice directly on the Sites or by sending an email notification if you have provided your email address to us.   

16. Securing your information

We use reasonable safeguards aimed to protect against unauthorized use, disclosure, alteration or destruction of the Personal Information we collect and maintain. You should keep in mind, however, that no data transmitted over the internet is 100% secure. As a result, while we strive to protect your Personal Information, we cannot guarantee or warrant the security of any information you transmit to or from our Sites.   

17. Provider agreements and your health-related information

Flatiron provides electronic health record (“EHR”) services, patient portals, and other services (collectively “Services”) to health care provider customers (“Provider Customers”) under agreements with the Provider Customers that govern our use and disclosure of their patients’ Protected Health Information (as defined below) and other Personal Information through the Services (“Provider Agreements”).  This Notice supplements those Provider Agreements.  To the extent that a term of this Notice conflicts with any applicable Provider Agreement, the Provider Agreement will control. In the performance of the Services, Flatiron may collect electronic health record information, including Protected Health Information, which is personally identifiable health information protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“Protected Health Information”).  Included in your Protected Health Information may be other sensitive categories of information such as your race, gender, sexual orientation or preferences, and biometrics. We collect this information solely for the purposes of providing the Services to our Provider Customers and only use the Protected Health Information as permitted under the applicable Provider Agreement.   As between Flatiron and our Provider Customers, our Provider Customers are responsible for determining how we use and disclose the Protected Health Information we collect through the Services.  Your healthcare provider’s collection, use, and disclosure of information about you is governed, in turn, by your provider’s own notice of privacy practices, privacy policies and terms and conditions. If you are a patient of one of our Provider Customers using a patient portal or other Service provided under a Provider Agreement and have questions about your treatment or handling of your health-related information, you should check with your healthcare provider. 
If you would like to request changes to your Protected Health Information that your healthcare provider stores in our EHR systems or uses in connection with the Services, please contact your healthcare provider directly.   

18. Our clinical research offerings

Flatiron provides multiple clinical research support offerings (“Clinical Research Offerings”) to clinical trial sponsors, contract research organizations, functional service providers, and health systems (collectively “Clinical Research Customers”). Our agreements with the Clinical Research Customers govern our collection and use of Personal Information that we collect in connection with our Clinical Research Offerings (“Clinical Research Offerings Agreements”). Our Clinical Research Customers are responsible for determining how we can use the Personal Information we collect through the Clinical Research Offerings. If you are a participant in a clinical study in which Flatiron’s Clinical Research Offerings are utilized and you have questions about the study or how Personal Information is handled, you should consult with the study sponsor or the clinical research organization that is responsible for the study or your study healthcare provider.

We are represented by the DPO Centre Ltd with respect to our processing of personal data for Clinical Research Offerings in the European Union (EU) and the United Kingdom (UK). Individuals in the EU may contact our EU Representative at eurep@flatiron.com. Alternatively, they can be reached by post (The DPO Centre Europe Ltd, Alexandra House, 3 Ballsbridge Park, Dublin, D04C 7H2) or +353 1 631 9460. https://www.dpocentre.com/contact-us/. Individuals in the UK may contact our UK Representative at ukrep@flatiron.com. Alternatively, they can be reached by post (The DPO Centre Ltd, 50 Liverpool Street, London, EC2M 7PY) or +44 (0) 203 797 6340. https://www.dpocentre.com/contact-us/

19. How patients contribute to research (opt-out)

Flatiron is committed to improving and extending lives by learning from the experience of every person with cancer. In service of this mission, Flatiron works with a network of oncology clinics, several academic centers, the Food & Drug Administration, the National Cancer Institute, and biopharma companies, to create datasets that enable our clinics to provide the best care possible and researchers to accelerate their understanding of the way cancer treatments work. You can see some examples of how we’re working to advance cancer research here. For many oncology clinics across the country, Flatiron provides an electronic health record (EHR) software called OncoEMR®. If you are treated at one of these clinics, Flatiron accesses your data to help the clinics with your care and to use in a de-identified and aggregated form for research purposes. Flatiron also has partnerships with academic medical centers to provide quality monitoring and outcomes research. As part of its engagements with oncology clinics and academic medical centers, Flatiron may also have certain additional rights pertaining to research and de-identification. Specifically, Flatiron has the ability to create de-identified datasets that are made available to third parties through Flatiron’s real world data products. These products include tumor-specific and pan-tumor datasets with deep clinical, genomic and outcomes variables that may be used for research purposes by Flatiron’s partners. The datasets we share with third parties for research purposes are de-identified in accordance with the expert determination method in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”) and never contain your personally identifiable information. In addition to the de-identified datasets referenced above, certain of our engagements with oncology clinics and academic medical centers allow for Flatiron to conduct internal research using your data.
In the rare instances that research cannot be done using Flatiron’s de-identified real world data products, all such research is done pursuant to a waiver of the Authorization requirement by an institutional review board or privacy board in accordance with the standards set forth under HIPAA. Please note that even in those instances where internal research is done pursuant to a waiver, only the minimum amount of data that is required for the research is used and all direct identifiers relating to an individual patient are removed, such as name and social security number.    Please know that Flatiron will never use your information — even in de-identified form — for marketing purposes.  Your information, along with that of thousands of other patients, is contributing to cancer research and is helping to accelerate the development of new treatment options for future patients. However, we respect your right as a patient to opt-out of this research. If you wish to know whether you are treated at a clinic that uses Flatiron’s technology, please ask your provider for the name of the EHR that they use. If you are still unsure whether your information is included in our datasets, or if you would like to opt-out of our research, please complete the online form. By filling out the online form, you give Flatiron permission to contact you to confirm any additional information needed to process your opt-out request. Please be aware that your opt-out will apply only to Flatiron’s future use of your Personal Information for research. Your opt-out will not apply to de-identified information that Flatiron US has already created for current and future research purposes.  Further, your opt-out does not apply to certain practice-level OncoEMR reports or DataConnect files, which practices use for operational purposes, regulatory reporting, and other use cases. You should speak with your provider if you would like to be removed from any practice-initiated data projects.  

20. Special notice to individuals located in the EU and the UK

If you are located in the European Union (“EU”), other countries in the European Economic Area (“EEA”), or the United Kingdom (“UK”), the disclosures and your rights under the Regulation (EU) 2016/679 (General Data Protection Regulation) or, respectively, said Regulation as it applies in the UK as retained EU law (collectively, the “GDPR”) set out below apply to you in addition to the disclosures set out in the general sections of this Notice.

For interactions that do not go through one of our Sites, please refer to the information provided at the point of contact, such as the relevant email signatures, to find out which Flatiron entity is the controller.

Please note that this Notice does not apply to your health-related information, which will be treated and handled in accordance with separate policies provided at the time of collection.

Legal Basis for Processing

Your information will be processed on the basis of the following legal bases:

Purpose and Categories of Personal Information 

Legal Basis  (Article 6 GDPR)

Responding to Requests or Inquiries: We may use information that you provide to us to take the steps necessary to respond to your requests. For example, you may inquire about a product or subscribe to one of our mailing lists. Depending on your request, we may collect your contact information (such as your name, mailing address, telephone number), your interests and preferences (such as products or areas of interest), and any other information you provide to us. 

Consent (6(1)(a));  Legitimate interest (6(1)(f)) in answering your inquiry

Personalizing Your Experience.  We may collect certain information about you, your preferences, and how you have interacted with us in the past in order to understand your interest in our products and services so that we can best serve you. This may include information about your contact and product preferences, languages, marketing preferences, and demographic data. For more information, please see our Cookie Notice

Consent (6(1)(a))

Website Analytics and Tracking. Where permitted by law, we may collect information directly from you and through our use of cookies and other data collection technology. More information about this can be found in our Cookie Notice.

Consent (6(1)(a))

To run and maintain our Sites.  We use this information to secure our Sites, network systems, and other assets.  This may include information concerning your IP address, geographic location, resources you have accessed, and similar information. The data processing of this access data is absolutely necessary to enable your visit to the Sites, to ensure the permanent operability and security of our systems as well as for the general administrative maintenance of our Sites. The access data is also temporarily stored in internal log files for the purposes described above. 

Legitimate interest (6(1)(f)) in enabling website access and permanent functionality and security of our systems

To send important notices regarding Flatiron services, including changes to our terms, conditions, and policies.  If we need to contact you regarding important notices, we will use information you have provided to us such as your name and email address. 

Legitimate interest (6(1)(f)) in the legally compliant performance of an existing contractual relationship

To comply with legal obligations to which Flatiron is subject.  We may use all information we have collected from or about you as necessary to comply with a legal obligation to which we are subject.

Legal obligation (6(1)(c))

In the event of a corporate transaction such as  a sale, merger, consolidation, change in control, transfer of substantial assets, reorganization, or liquidation, to transfer, or assign to third parties information concerning your relationship with us, including, without limitation, personal data that you provide to us and other information concerning your relationship with us. 

Legal Obligation (6(1)(c)); Legitimate interest (6(1)(f)) in the performance of a legally compliant corporate transaction. 

 

Who is Responsible for the Processing of Your Personal Information

With respect to Personal Information that is collected through your use of the Sites, the Flatiron entity that provides the respective Site will be the controller unless otherwise set out at the point where we collect data (e.g., on a contact form). Please refer to the information on the respective Site to find out who the provider for a particular Site is. For your reference, the information of each Flatiron entity that may act as a controller for data subjects in the EU/EEA and UK according to this Notice is set out below:

Flatiron US
Flatiron Health, Inc.
233 Spring Street
5th Floor
New York, NY 10012

Flatiron UK
Ivy House, 107 St. Peter’s Street, St. Albans, Hertfordshire AL1 3EW
Data Protection Officer
Kaleidoscope (dpo.flatiron@kdpc.uk)
East Side, Kings Cross
London N1C 4AX
United Kingdom

Flatiron Germany
Flatiron Health GmbH
Richmodstrasse 6
50667 Cologne
Germany
Data Protection Officer
ISICO Datenschutz GmbH
dpo.de@flatiron.com
Am Hamburger Bahnhof 4
10557 Berlin
Germany

 

Your GDPR Rights

If you are located in the EEA or the UK, you have certain rights in relation to Personal Information collected about you:

  • Access: You have the right to obtain confirmation as to whether we process your Personal Information, access to such Personal Information as well as to information regarding the purposes of such processing, the categories of personal data concerned, the recipients, the period for which the information will be stored, your rights, and possibly the source of the information.

  • Portability: You have the right to receive a copy of the information we hold about you in case you have given us consent and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.

  • Correction: You have the right to request correction of any personal information about you we hold that is inaccurate.

  • Erasure: In certain circumstances, you have the right to delete the information we hold about you.

  • Restriction of processing to storage only: You have the right to require us to stop processing the information we hold about you, other than for storage purposes, in certain circumstances.

  • Objection: You have the right to object to our processing of Personal Information about you on grounds of your particular situation in case we process such information for our legitimate interests.

  • Objection to marketing: You can object to marketing at any time, including by opting-out using the unsubscribe/opt-out function displayed in our communications to you.

  • Withdrawal of consent: You have the right to withdraw your consent at any time.

  • Complaint to a supervisory authority:  You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes your rights under the GDPR. 

Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law, for example where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests, or where we are required by law to retain personal information about you. To exercise any of these rights, please contact the country-specific DPO listed in the section above. We will respond to requests to exercise these rights without undue delay and at least within one month (though this may be extended by a further two months in certain circumstances).

International Data Transfers

Personal Data we collected through the Site will be processed and stored in the United States. When we transfer your personal data to recipients in countries outside of the EU/EEA and UK that do not provide adequate legal protection for the processing of personal data, we will ensure that appropriate safeguards are implemented to secure such data transfers in compliance with applicable data protection laws and after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient is established. We have implemented international data transfer agreements based on the EU and UK Standard Contractual Clauses to cover our international data transfers. In order to receive a copy of these clauses and/or other safeguards, you can contact us at privacy@flatiron.com.

 

21. Special notice for individuals located in Japan

If you are located in Japan, the sections based on the Act on the Protection of Personal Information (“APPI”) as set out below apply to you in addition to the disclosures set out in the general sections of this Notice.  Flatiron Health, Inc. (“Flatiron US”) and Flatiron Health, K.K. (“Flatiron Japan”) are jointly responsible for managing your Personal Information. The Personal Information that Flatiron US and Flatiron Japan will handle jointly is described in Section 2 of this Notice (“What Personal Information We Collect and Its Source”), for the purposes described in Section 3 of this Notice (“Purpose for Collection of Information”). The range of users of your Personal Information is described in Section 4 of this Notice (“How We Share Your Personal Information.”)   

 

22. Contact us

If you have any questions or comments about this Privacy Notice, please contact us at privacy@flatiron.com or by mail at:

Flatiron Health
233 Spring Street
New York, NY 10013
United States
Attn: Chief Compliance & Privacy Officer
