NOTICE: Although Privacy Shield has been invalidated by the Court of Justice of the European Union, MD7 continues to protect data pursuant to the Privacy Shield in accordance with its principles. Transfers from MD7 clients in the EEA to MD7 in the US continue to take place pursuant to European Commission-approved Standard Contractual Clauses.
Effective date: January 30, 2019
Revised: October 15, 2020
For the purpose of applicable European data protection legislation, the Data Controller is:
for Personal Data Processed through our website, app or related service, the controller is MD7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130 (“MD7, LLC”).
for Personal Data Processed in connection with a contractual agreement that you have with one of the MD7 entities, the controller is the contracting MD7 entity, i.e.:
for US contracting parties, this is MD7, LLC; and
for EEA and non-US contracting parties, this is either MD7 International (Telecommunications) Limited (Unit 4 The Capel Building, Mary’s Abbey, Dublin 7, Ireland, “MITL”) or MD7 Nederland B.V. (Wim Duisenbergplantsoen 51, 6221 SE Maastricht, The Netherlands, “MD7 NL”).
The Federal Trade Commission (FTC) has jurisdiction over MD7, LLC’s compliance with this Privacy Shield Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework, and MD7, LLC is subject to the investigative and enforcement powers of the FTC.
The following definitions apply to our Policy:
“Data Processor” means any person or organization, including any third party vendor or service provider, who processes Personal Data on our behalf and under our instructions for the purposes set forth in this Policy.
“Data Subject” (or “you”) means all natural persons (our customers, vendors and users of the website) about whom we hold Personal Data.
“Electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
“Personal Data” means information (whether stored electronically or in paper-based filing systems) relating to an identified natural person or that could reasonably be used (by itself or in combination with other data reasonably available) to identify a natural person. Personal Data does not include anonymous information, namely information which does not relate to an identified or identifiable natural person or to Personal Data rendered anonymous in such a manner that the Data Subject is not or no longer identifiable.
“Processing” is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data, including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.
“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, political opinions, religion or philosophical/ideological beliefs or activities, trade union membership, genetic data, biometric data, information on criminal convictions and offences, health status, or sexual orientation, preference or activities.
This Policy applies to the Personal Data Processed in connection with your use of our website, products, services, apps or in connection with the contractual relationship you have with one of our entities. This Policy covers Personal Data we Process regarding Data Subjects. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.
Processing of Personal Data
Personal Data We May Process and Purposes
A variety of Personal Data is Processed through the means described below. When you are asked to provide Personal Data, you may choose not to. But if you decline to provide Personal Data, your ability to use the website, product, service or app, or your ability to enter into a contract with one of our entities may be diminished or restricted.
Type of Personal Data
The Personal Data Processed through our website, app or related service, or in connection with a contractual agreement that you have with one of the MD7 entities includes:
Personal information, such as your name, address, telephone number, email address, mailing address and other (contact) information that you give through, for example, an input form on our website, through surveys, through the contractual arrangement you have with one of our MD7 entities, or through other means.
Lawful Bases and Purposes of Processing
Your Personal Data is Processed on the following lawful bases and for the following purposes:
For the performance of the agreement with you, e.g. to respond to your requests, such as a request for information, or a request to subscribe to a service or enter into a contract; to provide, manage, maintain, and secure the service(s) you request.
On the basis of your consent, e.g. to provide you with information about MD7's technologies, product or service releases, news, and other (marketing) communications.
For our legitimate interests, e.g. to provide existing customers marketing communications; to operate and improve the business, including to administer, protect, and improve services and systems; to develop new products and services, and for other internal business purposes; to better understand the preferences of the users of our services, compile aggregated statistics about usage of our services, and help personalize or improve your experience of the website and services; to optimize the performance of our website; and to conduct a prospective or actual sale, merger, transfer or other reorganization of all or parts of the business.
To comply with a legal obligation to which the relevant MD7 entity is subject, e.g. in connection with national security requests, requests from law enforcement officials and court proceedings.
We will retain such Personal Data for as long as it is required for purposes for which it was collected. This will be, for example, for as long as necessary to perform your request (e.g., your request to receive newsletters, until you opted-out) or for as long as necessary in view of the ongoing commercial relationship until the end thereof, plus the length of any applicable statutory limitation period.
A Special Note about Children’s Privacy
Children are not eligible to use our services and we do not knowingly Process children’s Personal Data. You must be at least 13 years old to use this website, and we ask that minors under the age of 13 do not submit any Personal Data to us. We do not knowingly collect, use or disclose Personal Data about visitors under 13 years of age.
Sensitive Personal Data
Please note that our practice is that we do not Process Sensitive Personal Data.
When you access our website outside of Europe, our system will automatically issue cookies when you log on to our website (unless you have set your browser to reject them). You are also able to visit our Cookie Page to learn more about the cookies used on this website.
You are free to refuse consent, but please be aware that restricting cookies will impact your user experience and may prevent you from using part of our website.
Cookies can be removed from your browser in two ways: automatically (when they expire), or when you manually delete them. We have included more details below to help you understand what kinds of cookies we use and how you can manage them.
Our website may use the following types of cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to log into secure areas of our site. We do not require your consent to place these cookies. Nevertheless, you may be able to block these cookies yourself on your device / browser, but restricting these cookies is likely to mean that our site will not work as you would expect and certain functionality may be inoperable.
- Non-essential cookies, which may include the following:
- Functionality cookies. These are used to recognize you when you return to our site. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Session cookies: These temporary cookies expire and are automatically erased whenever you close your browser. We use session cookies to grant our customers access to content and to enable commenting.
- Persistent cookies: These usually have an expiration date in the distant future and remain in your browser until they expire of you manually delete them. Persistent cookies may be used for a variety of purposes, including remembering our users’ preferences and choices when using our site or to target advertising. Whether a cookie is a “first” or “third” party refers to the website or domain placing them. In basic terms, first-party cookies are set by a website visited by the user – the website displayed in the URL window. The third-party cooking are cookies that are set by a domain, such as google.com, other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website, this would be a third-party cookies.
We may also use third-party cookies on the site. In keeping with our policies, these session or persistent cookies are set only by trusted partners to MD7, LLC. These cookies may collect information about your online activities across websites and over time. The third parties who may set cookies through our site include LinkedIn, YouTube, Facebook, Instagram, Elfsight and Bing.
Social media plugins by the social media providers such as Twitter and LinkedIn may be implemented on this website. Your web browser establishes a direct connection to the provider’s servers only when you activate the plugins. If you do not wish for the plugin providers to receive, save, and use data gathered through this website, you should not use the respective plugins.
We may also use tracking pixels on this web. A tracking pixel is a 1x1 image created with a small piece of HTML coding, used to track behavior when a user lands on our website.
If you prefer not to receive cookies or have pixels used through our website, you can either set your browser to reject cookies, or you can visit our Cookie Preferences. Within our Cookie Preferences page, you can choose to accept all cookies, reject all cookies, or accept / reject particular categories of cookies. If you access our website in Europe, you can refuse to click the “I accept” box, and instead click the “I refuse” box when you are presented with a cookie notice on our homepage. Likewise, you can manage specific categories of cookies within the Cookie Preferences page.
When you access our website outside of Europe, our system will automatically issue cookies when you log on to our website (unless you have set your browser to reject them).
We do not use flash cookies (which are sometimes referred to as local shared objects or LSOs).
You can browse our site with cookies disabled, though some interactions may not work properly.
There are several ways you can manage your cookie settings and preferences:
- Learn more about cookies: http://www.allaboutcookies.org/
- Visit our Cookie Preferences
- Manage cookies in your web browser
Where We Store and Process Data, including
Disclosure and Transfer
Personal Data may be disclosed to and Processed within our organization. For example, Personal Data may be disclosed to MD7, LLC in the United States as, and to the extent, business needs require.
Furthermore, we may provide Personal Data to Data Processors for the purposes set forth in this Policy. For example, MD7, LLC stores Personal Data in facilities operated by a Managed Cloud Company. Personal Data will only be disclosed to a Data Processor if it agrees to comply with procedures and policies which are compliant with our Policy and procedures regarding data protection, or if the Data Processor puts in place adequate measures which are compliant with applicable law and are consistent with our obligations under the Privacy Shield Principles.
The above disclosures may include transfers of Personal Data from the EEA or Switzerland to the United States or other countries that may not provide an equivalent level of privacy or data protection law as your country. When Personal Data is transferred from the EEA or Switzerland, we use a variety of legal mechanisms to effectuate the transfer (such as your consent, our Privacy Shield Certification or the use of Standard Contractual Clauses (of which you may request a copy via the contact details below)). All employees within our organization and Data Processors who handle Personal Data are required to comply with the principles stated in this Policy, and may access and use Personal Data only if they are authorized to do so and only for the purposes for which they are authorized.
Furthermore, we will transfer Personal Data to Data Processors who reasonably need to know such data only for the scope of the initial transaction and will not Process Personal Data for other purposes. We take reasonable and appropriate steps to ensure Data Processors process EU and/or Swiss Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third party agents and service providers who perform services on our behalf for their handling of EU and Swiss Personal Data that we transfer to them.
In addition to the foregoing, we may share your Personal Data with third parties as follows:
- Business Transaction Disclosures. Your Personal Data may be shared or transferred in connection with a prospective or actual sale, merger, transfer or other reorganization of all or parts of our business.
- Legally-Required Disclosures. Your Personal Data may also be shared or transferred as required by law or in the interest of protecting or exercising MD7’s or others’ legal rights, e.g., without limitation, in connection with national security requests, requests from law enforcement officials, and court proceedings.
- Transfers overseas. The Personal Data we collect in connection with your use of the website, app or related service, or in connection with a contractual agreement that you have with one of the MD7 entities will be held on our computers and systems in the European Union and in the computers and systems of our offices in the United States and may be accessed by or given to our staff working outside the European Union.
Our Responsibility for Personal Data
How we protect Personal Data
Reasonable efforts are used to maintain the accuracy and integrity of Personal Data and to update it as appropriate to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
Reasonable security procedures have been implemented in an effort to ensure that any Personal Data we hold is kept in accordance with this Policy. Physical, administrative and technical procedures are also used to limit access to Personal Data as described in this Policy. In addition, security measures and technology are maintained to assist us so that Personal Data is not disclosed either orally or in writing or via the internet or by any other means, accidentally or otherwise, to any unauthorized third party.
Although industry standard efforts are used to safeguard the confidentiality of your Personal Data when you transmit it over the Internet, such as firewalls and Secure Socket Layers, perfect security does not exist on the Internet.
Website Links to Other Sites
Our website operated by MD7, LLC contains links that may direct users to other websites. MD7, LLC is not responsible for the privacy practices of or the content contained in other websites that may be accessible by links from our website, and the privacy practice on those sites may differ from that of MD7, LLC as set out in this Policy. MD7, LLC is not responsible for any product or services that you download, purchase, or otherwise receive in any manner or form, from a third party website.
Do Not Track Signals
We do not currently respond to “Do Not Track” (“DNT”) signals sent by web browsers. A uniform standard has not yet been adopted to determine how DNT signals should be interpreted and what actions should be taken by websites and third parties that receive them. However, you may use a variety of other means of controlling data collection and use, including cookie controls in your browser settings.
The MD7 entities will not send email marketing communications and advertisements unless applicable law authorizes us to do so. We may do so on the basis of your consent, such as when you submit your email address and opt-in to receive marketing communications (for example to MD7, LLC through the website). You may withdraw your consent at any time by contacting the applicable Data Controller at one of the contact methods listed below under “Administration of this Policy” or to send an opt-out request via the unsubscribe link included in the email you have received.
Opt-In/Out. In some circumstances, such as email marketing, the applicable Data Controller offers you the ability to opt-in or opt-out of some kinds of data collection, use, or sharing. In such circumstances, the applicable Data Controller will respect your choice. In addition, where required by applicable law, the applicable Data Controller may offer you an opportunity to choose whether your Personal Data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. Further, when the applicable Data Controller Processes Sensitive EU and/or Swiss Personal Data (which in practice, we don't), we will obtain your opt-in consent where the Privacy Shield or applicable law requires, including if we need to disclose your Sensitive EU and/or Swiss Personal Data to third parties, or before we use your Sensitive EU and/or Swiss Personal Data for a different purpose than we collected it for or than you later authorized.
Right to Access, Rectification, and Erasure. The applicable Data Controller provides Data Subjects with reasonable access to the Personal Data we hold about them. To learn what Personal Data we hold about you or to correct, amend or delete that Personal Data, please submit a written request using one of the contact methods listed below under “Administration of this Policy”.
In addition, to the extent that European data protection legislation applies, you may have the following additional rights as from 25 May 2018:
Right to Restriction. You may ask the applicable Data Controller to restrict the Processing of your Personal Data where, for example, we no longer need your Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims.
Right to Withdraw Consent. You have the right to withdraw your consent at any time where the applicable Data Controller Processes your Personal Data on the basis of your consent.
Right to Data Portability. You can request the applicable Data Controller to receive certain Personal Data which you have provided to us in a structured format, which can be transmitted to another service provider where technically feasible. This only applies to Personal Data the applicable Data Controller Processes by automatic means, and on the basis of your consent or the performance of a contract between you and the applicable Data Controller.
Right to Lodge a Complaint. You also have the right to lodge a complaint with a supervisory authority, in particular in your Member State of residence, if you consider that the Processing of your Personal Data infringes applicable data protection law.
For further information regarding your rights, or to exercise any of your rights, please contact our Chief Technology Officer at the contact details listed below under “Administration of this Policy.”
Administration of This Policy
Our Chief Technology Officer is responsible for ensuring compliance with the law and with this Policy. Any requests regarding your Personal Data and/or questions or concerns about the interpretation or operation of this Policy or about what may or may not be done with regard to Personal Data should be sent by email to email@example.com or by mail to Chief Technology Officer, MD7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130. Please always indicate to which Data Controller (MD7, LLC, MITL or MD7 NL) the request or question relates. The Chief Technology Officer responds to questions, concerns, or complaints within one month of receipt.
Enforcement and Oversight of Our Policy
We will conduct periodic compliance audits of our privacy practices to verify adherence to this Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework. We conduct annual self-assessments of our practices with respect to Personal Data to verify that representations we make about our Personal Data privacy practices are true and have been implemented as represented. Any employee found to have violated this Policy is subject to disciplinary action, up to and including termination of employment.
Privacy Shield Enforcement and Dispute Resolution
In compliance with the Privacy Shield Principles, MD7 commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss Individuals with inquiries or complaints regarding our Privacy Shield policy should first contact MD7, LLC by email to firstname.lastname@example.org or by mail to Chief Technology Officer, MD7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130. MD7, LLC resolves to respond to complaints within one month of receipt.
MD7 has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit JAMS at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
You may have the option to select binding arbitration before a Privacy Shield Panel for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your compliant directly with us and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you.
Changes in this Policy
We reserve the right to change this Policy at any time. If we modify this Policy, we will provide notification of the changes as needed, for example on our website at least thirty (30) days prior to the date the change becomes effective. It is our policy to post any changes we make to this Policy on this page with a notice that the Policy has been updated on the website home page. If we make material changes to how we treat Personal Data, we will notify you through a notice on the website home page or through other means required by applicable law. Our Policy will indicate the date it was last updated. Your continued use of our site and our services will signify your acceptance of the changes to our Policy.