Introduction

PURPOSE AND SCOPE

This policy identifies Sycamore Informatics’ policies for identifying and maintaining the privacy of personal information maintained by Sycamore Informatics in its products or for its vendors/customers.

This Privacy Statement applies to all Sycamore Informatics staff, Affiliates, Websites, and Services. It describes our privacy practices for collecting, sharing, and processing information relating to individuals (“Personal Data”) and how you can learn about your rights and choices regarding processing your Personal Data.

PRIVACY RELATED COMMUNICATION

Sycamore strives to maintain communication with our current and prospective customers.  Our Chief Privacy Officer is happy to help with questions or inquiries.

Michael Owings
Chief Privacy Officer
privacy@sycamoreinformatics.com
Sycamore Informatics, Inc.
271 Waverley Oaks Rd, #103
Waltham, MA 02452
United States

CHANGES TO PRIVACY POLICY

Sycamore Informatics reserves the right to modify this Privacy Policy at any time.

Policy

This Privacy Policy describes the practices of Sycamore Informatics and how it uses personal information in connection with its software products and services.

INFORMATION COLLECTED

When contacting Sycamore or requesting information from the Sycamore website, we may collect information such as your email. When accessing secured areas for our services, such as the collaboration site, Sycamore Software as Services for our product, and online user guides, we may collect information such as full name, company name, email address, phone number, login ID, and password.

Sycamore may collect information through commonly used information-gathering tools such as web beacons and cookies. Information collected includes standard information from your web browser, such as your Internet Protocol (IP) address, browser type, operating system, referring/exit pages, links clicked, and actions taken while browsing.

Sycamore Informatics does not store any Protected Health Information (PHI) in its products for user authentication, audit trail, or user notifications. Sycamore’s customers may store this information as part of their data and are subject to their privacy policies.

Sycamore Informatics has a policy on cookies collected by its website. See Cookie Policy for details.

This policy can be reviewed during an audit of Sycamore Informatics and through links on the Sycamore Informatics website.

PERSONAL INFORMATION USED BY SYCAMORE INFORMATICS

Sycamore Informatics uses personal information collected from our Website to perform the services requested.  This may include the following examples:

• Gather support issues and requests from customers, 

• Obtain contact information from prospective customers who visit our website, 

• User authentication and identification within our products

• Administer your account

• Send requested product or service information

• Send product updates

• Send marketing communications

• Respond to questions and concerns

• Improve our Web site and marketing efforts

Personal Information stored in Sycamore’s products includes information to authenticate users, record an audit trail and provide users with informational messages about the status of the products. Sycamore uses personal information to authenticate user access to its products and to record user actions.

THIRD-PARTY ACCESS

We may share your Personal Data with third parties as described in this Privacy Statement.

We may provide your Personal Data to companies or their Websites (such as our Customer Service Portal Provider) that provide Services to help us with business activities, such as customer support for our Services. These companies are authorized to use your Personal Data only as necessary to provide these Services to us.  Furthermore, these companies have privacy policies that Sycamore has reviewed.

We may also disclose your Personal Data:

• As required by law, such as to comply with a subpoena or similar legal process,

• When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a lawful government request,

• To any other third party with your prior consent to do so.

Sycamore does not publish any personal data.

TRANSFER OF BUSINESS OWNERSHIP

If Sycamore is involved in a merger, acquisition, or sale of all or a portion of our assets, personal information is considered to be among the business assets that are subject to transfer. We are committed to safeguarding the confidentiality of your personal information. Impacted users will be notified via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data. As part of the transfer of Business Ownership, the new entity's privacy policy may supersede this policy

Customer Data

Customers may provide or upload data for hosting and processing Purposes (“Customer Data”). Sycamore will not review, share, distribute, or reference any such Customer Data except as provided in the SYCAMORE INFORMATICS, INC. MASTER PROFESSIONAL SERVICES & SUBSCRIPTION AGREEMENT or as may be required by law. Per the agreement, we may access Customer Data only to provide the SaaS or Professional Services, prevent or address Service or technical problems at a Customer’s request in connection with Customer support matters, or as may be required by law.

SERVICE PROVIDERS, SUB-PROCESSORS, AND THIRD PARTIES

To help Sycamore provide SaaS and Professional Services to our customers, Sycamore may transfer Personal Data to third-party partners. The provisions of our Customer and partner agreements cover such transfers to third parties. A list of the processors can be requested by sending your request to privacy@sycamoreinformatics.com.

DATA RETENTION

Sycamore will retain your information (including Customer Data we collect on behalf of our Customers) for as long as the Customer’s account is active or as needed to provide you with SaaS and Professional Services and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes. This is also covered in the Sycamore Informatics, Inc. Master Professional Services & Subscription Agreement.

GDPR

For Customers: Sycamore’s data processing commitments to all Customers comply with the GDPR and other applicable data protection laws. Sycamore Customers may e-sign and receive a countersigned copy of Sycamore’s Privacy and Security Processor Addendum (“Privacy & Security Addendum”) here.

The GDPR Addendum sets out the scope, subject-matter, duration and purpose of Sycamore’s data processing, as well as the types of personal data processed and rights of data subjects. It also details Sycamore’s confidentiality obligations as a data processor, cooperation regarding inquiries from data subjects and authorities, international data transfers, Sycamore’s sub-processors, and the location and deletion of data. Finally, our security measures and personal data breach indemnity commitments are explained.

For Individuals: This section provides specific information about how Sycamore complies with the EU General Data Protection Regulation (“GDPR”). It supplements the information contained in the rest of our Privacy Statement and applies to all data subjects residing in the European Union.

Our EU Data Protection Officer and Information Security Officer have assessed our obligations as a data controller for Sycamore OpenData and Sycamore Oncology Link data products and as data processor for the rest of our product suite, Sycamore CRM, Sycamore Nitro, Sycamore Andi, Sycamore Vault and Sycamore Network. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient and creating better relationships with our customers and those whose data they collect.

Sycamore will process personal data only if and to the extent that at least one of the following applies:

1. You have given consent to the processing of your personal data for one or more specific purposes;

2. processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;

3. processing is necessary for compliance with a legal obligation to which Sycamore is subject; or

4. processing is necessary for the purposes of the legitimate interests pursued by Sycamore or by a third party, except where such interests are overridden by your interests or your fundamental rights and freedoms.

When Sycamore collects personal data from you, we will make sure that you are aware of the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, if applicable, the legitimate interests pursued by Sycamore or by a third party; the recipients or categories of recipients of the personal data, if any; and where applicable, the appropriate or suitable safeguards to protect your personal data. We will also inform you of the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; your right to request access to and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability; if processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; your right to lodge a complaint with a supervisory authority; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract with us, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

If Sycamore intends to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you, prior to that further processing, with information on that other purpose and with any relevant further information.

You may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting privacy@sycamoreinformatics.com. Sycamore will provide information on action taken on a request under Articles 15 to 22 to you without undue delay and, in any event, within one month of receipt of the request.

If Sycamore needs to extend by two further months where necessary, taking into account the complexity and number of the requests that require more time, then Sycamore will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic form means, we will provide the information to you by electronic means where possible, unless otherwise requested by you.

If Sycamore does not take action on your request, we will inform you without delay and, at the latest, within one month of receipt of the request of the reasons for not taking action and your possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

For Software Solutions, Sycamore is a Data Processor of EU Personal Data under the direction of our Customers, who are Data Controllers. Here, Sycamore has no direct relationship with the individuals whose Personal Data it processes. If you are a customer of one of our Customers and would no longer like to be contacted by one of our Customers that use our Services, please contact the Customer that you interact with directly. An individual who seeks access or who seeks to correct, amend, or delete inaccurate data should direct queries to the appropriate Sycamore Customer (the Data Controller). If a Sycamore Customer requests our assistance in the removal of data, Sycamore will respond to such requests within 45 business days.

For more information on GDPR, please visit: What is GDPR, the EU’s new data protection law?

Data Privacy Framework

Sycamore Informatics, Inc. complies with the EU-U.S. Data Privacy Framework (Previously Privacy Shield Framework) and the Swiss-U.S. Data Privacy Framework (Previously Privacy Shield Framework) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union (“EU”), the United Kingdom (“UK”) and Switzerland to the United States, respectively. 

Sycamore Informatics, Inc. complies with the EU-U.S. Data Privacy Framework (Previously Privacy Shield Framework), Swiss-U.S. Data Privacy Framework (Previously Privacy Shield Framework) and UK Extension to the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. The UK Extension to the EU-U.S. DPF provides participating organizations with a reliable mechanism for personal data transfers to the United States from the United Kingdom (and Gibraltar) while ensuring data protection that is consistent with UK law.

Sycamore Informatics, Inc has certified to the U.S. Department of Commerce that it adheres to the Data Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework organizations shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov. A list of Data Privacy  member organizations can be found at: https://www.dataprivacyframework.gov/list.

TYPES OF PERSONAL DATA COLLECTED

Sycamore collects business contact details from customers, suppliers, and other business partners in the EU, UK, and Switzerland (“EU, UK, and Swiss Business Contacts”), including name, job title, company affiliation, and contact details. From our website, visitors who request additional information about our products or who wish to access secure areas of our website, we collect name, company name, email address, mailing address, phone number, portal login ID, and password.

Sycamore also stores and processes personal data on behalf of our customers. Our customers use our cloud-based software products to process personal data at their discretion, including data about their customers, employees, and patients.

Sycamore is subject to the Principles for all personal data that we receive from companies or individuals in the EU, UK, and Switzerland (“EU, UK, and Swiss Data”) in reliance on the Data Protection Frameworks. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the Standard Contractual Clauses.

PURPOSES OF COLLECTION AND USE

We collect and use personal data of EU, UK, and Swiss website visitors for purposes of providing products and services to our customers, communicating with business partners about business matters, processing data on behalf of corporate customers, providing information on our services, and conducting related tasks for legitimate business purposes.  

TYPES OF THIRD PARTIES TO WHICH WE DISCLOSE PERSONAL DATA AND PURPOSES

Sycamore is responsible for the processing of personal data it receives under the Data Protection Frameworks and subsequently transfers to any third party acting as an agent on its behalf. Sycamore complies with the Data Protection Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

We share EU, UK, and Swiss Data with our subsidiaries, affiliates, and contractors who process personal data on behalf of Sycamore. We may also need to provide personal data to our partners to fulfill product and information requests and to provide customers and prospective customers with information about Sycamore and its products and services. We share EU, UK, and Swiss Data with other third parties for the purposes for which we receive the EU, UK, and Swiss Data (e.g., performance of contractual obligations and rights), and we may also disclose EU, UK and Swiss Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and we have a legitimate business interest in such disclosure.

EU, UK, and Swiss website visitors may opt out of disclosures to entities other than agents unless the disclosure is required by law or necessary under contracts by sending an email to privacy@sycamoreinformatics.com, but such an opt-out request may make it difficult or impossible for us to provide requested services. We minimize disclosures of personal data as reasonably practicable.

RIGHT TO ACCESS

EU, UK, and Swiss website visitors have the right to access the personal data we process about them. To access your personal data, please send a request to privacy@sycamoreinformatics.com.

Because Sycamore may have limited access to personal data our customers store in our services, if you wish to request access, limit use, or disclosure, please provide the name of the Sycamore customer who provided your personal data to our services. We will refer your request to that customer and support them as needed in responding to your request.

CHOICES AND MEANS

EU, UK, and Swiss Business Contacts may choose to change personal data, unsubscribe from email lists, or cancel an account by contacting privacy@sycamoreinformatics.com. EU, UK, and Swiss website visitors may choose to unsubscribe from our marketing communications using the unsubscribe mechanism in our emails.

INDEPENDENT DISPUTE RESOLUTION BODY AND ARBITRATION

Any unresolved privacy or data use concern that we still need to address satisfactorily, please contact Sycamore’s independent dispute resolution services in the US: 

American Arbitration Association at https://adr.org/.

When covering employee data received from the EU, UK, and Switzerland for use in the context of the employment relationship, Sycamore commits to cooperate with and comply with the advice of the EU and UK Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner.

INVESTIGATORY AND ENFORCEMENT POWERS OF THE FTC

Sycamore’s commitments under the Data Protection Frameworks are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

THE REQUIREMENT TO DISCLOSE

Sycamore may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Version 5.0