DATED EFFECTIVE: March 1, 2019
By visiting the Site, using or downloading the Apps, or otherwise using any of Hone’s Services, you agree that your personal information will be handled as described in this Policy. Your use of Hone’s Site or Services, and any dispute over privacy, is subject to this Policy and Hone’s Terms of Service, including its applicable limitations on damages and the resolution of disputes. Hone’s Terms of Service are incorporated by reference into this Policy.
Hone revises this Policy from time to time to reflect changes in Hone’s personal data collection and handling practices. The latest version of the Policy is provided here with the effective date set forth above.
The Information Hone Collects About You
Hone collects information about you directly from you and from third parties, as well as automatically, through your use of Hone’s Site or Services.
Information We Collect Directly from You.
Certain areas and features of Hone’s Services require registration. To register you must provide your email address, name, occupation, health care specialty (or area of study), (expected) graduation year, ZIP Code or Postal Code (for healthcare providers), and password. We also may request or collect additional optional information from you; however, you are not required to provide us with this information. It is important that the personal data (personal data, or personal information, means any information about you through which you can be identified; it does not include data where the identity has been removed such as anonymous data) we hold about you is up to date and accurate. Please keep us informed if your personal data changes during your relationship with us.
Information that We Collect About You from Doximity.
Information We Collect Automatically.
We may automatically collect information about your use of Hone’s Services (including Apps) through cookies, web beacons, log files, and other technologies including: your domain name; your browser type and operating system; IP address; referring URL; page views; links you click; location information; the length of time you visit the Hone Site and/or use Hone’s Services; access date and time; mobile device ID; advertising ID (IDFA, IDFV, or GAID); location and language information; device name and model; operating system type, name, and version; your activities within the Services; and the length of time that you are logged into Hone’s Services. We may combine this information with other information that we have collected about you, including, where applicable, your user name, name, and other personal information. Please see the section “Cookies and Other Tracking Mechanisms” below for more information.
Information Not Collected.
We do not collect any special categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), and we also do not collect any information about criminal convictions and offences.
How Your Information is Used by Hone
Hone will only use your personal data in accordance with relevant legal restrictions. Most commonly, we will use your information, including your personal information, for the following purposes:
• For Hone to provide the Services to you, to communicate with you about your use of Hone’s Services, to respond to your inquiries, to fulfill your requests, and for other customer service purposes.
• For marketing and promotional purposes. For example, we may send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you via email, in-app notices and ads, and push notifications. We also may use the information that we learn about you to assist Hone in advertising its Services on third party websites.
• To tailor content and information that we may send or display to you, to offer location customization, personalized help and instructions, and to otherwise personalize your experiences while using Hone’s Site or Services.
• To better understand how users access and use Hone’s Site and Services, both on an aggregated and individualized basis, in order to improve Hone’s Site and Services and respond to user desires and preferences, and for other research and analytical purposes.
Where we need to collect personal data by law, or under the Terms of Service or any other contract we have with you and you fail to provide that data when requested, we may not be able to register you to provide the Services or perform the contract we have or are trying to enter into with you. In this case, you may not be able to use Hone’s Services or we may have to cancel Services with you.
How We Store and Share Your Information
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We store and share your information, including personal information, as follows:
• Hone Users. Your user name and any information that you provide for using Hone’s Site, including, without limitation, reviews, comments, and text will be available to, and searchable by, all users of the Site and Services.
• Service Providers and Partners. Hone may (and expects to) disclose the information we collect from you to third party business and technology partners, vendors, service providers, contractors or agents who perform functions on Hone’s behalf. All information provided will be protected to align with data privacy concepts, and the partner or service provider must agree to the GDPR requirements if any personal data will be originating from or processed in the EU. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service providers to Hone and partners to use personal data of EU data subjects for their own purposes and only permit them to process personal data originating from or processed in the EU for specified purposes and in accordance with Hone’s instructions.
• Aggregate and De-Identified Information. We may share aggregate or de-identified information about users with third parties for marketing, advertising, research or similar purposes.
• Business Transfers. If we are acquired by or merged with another company, if substantially all of Hone’s assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer the information we have collected from you to the other company.
• In Response to Legal Requirements. Hone will store and may also disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Cookies and Other Tracking
Currently, Hone’s Site and Services do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies or opting out of ad networks).
Clear GIFs (a.k.a. web beacons, web bugs or pixel tags) are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, though, clear GIFs are embedded invisibly on web pages, not stored on your hard drive. We might use clear GIFs to track the activities of Site visitors and Apps users, help us manage content, and compile statistics about usage. Hone and its third-party service providers also might use clear GIFs in HTML emails to Hone’s customers, to help us track email response rates, identify when emails to you from Hone are viewed, and track whether such emails are forwarded.
Third-Party Ad Networks
You may opt-out of many third-party ad networks, including those operated by members of the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”). For more information regarding this practice by NAI members and DAA members, and your choices regarding having this information used by these companies, including how to opt-out of third-party ad networks operated by NAI and DAA members, please visit their respective websites: www.networkadvertising.org/optout_nonppii.asp (NAI) and www.aboutads.info/choices (DAA).
Opting out of one or more NAI member or DAA member networks (many of which will be the same) only means that those members no longer will deliver targeted content or ads to you. It does not mean you will no longer receive any targeted content or ads on Hone’s Site or other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing. Also, if your browsers are configured to reject cookies when you visit this opt-out page, or you subsequently erase your cookies, use a different computer or change web browsers, your NAI or DAA opt-out may no longer be effective. Additional information is available on NAI’s and DAA’s websites accessible by the above links.
User Generated Content
We invite you to post content on Hone’s Apps and Sites, including your comments, pictures, and any other information that you would like to be available on the Hone Site. If you post content to Hone’s Site, all of the information that you post will be available to all users on the Services we provide. If you post your own content on Hone’s Site or Services, your posting may become public and Hone cannot prevent such information from being used in a manner that may violate this Policy, the law, or your personal privacy.
Hone’s Site and Services may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those third-party websites. We do not control and are not responsible for the information practices of such third-party websites. When you leave Hone’s website, we encourage you to read the privacy notice of every website you visit.
Access to My Personal Information
You may access, correct, erase, withdraw, or modify personal information that you have submitted by logging into your account and updating your profile information. Please note that copies of information that you have updated, modified or deleted may remain viewable in cached and archived pages of the Site or Apps for a period of time.
What Choices Do I Have Regarding Use of My Personal Information?
You have the rights of access, correction, erasure, restriction, withdraw, objection, and data portability of your personal information. For example, we may send periodic promotional or informational emails to you. You may opt-out of such communications by following the opt-out instructions contained in the email. Please note that it may take up to ten (10) business days for us to process opt-out requests. If you opt-out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about your account or any Services you have requested or received from us. You also have the right to withdraw consent for us to use your personal information. To withdraw your consent or erase your personal information, please go to your personal profile to confirm the withdrawal or erasure.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Hone’s response.
Children Under 13
Hone’s Services are not designed for children under 13 and we do not knowingly collect data relating to children. If we discover that a child under 13 has provided us with personal information, we will delete such information from Hone’s systems.
Special Information for California Consumers
California residents may request a list of certain third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make one request per calendar year. In any such request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by contacting Hone at firstname.lastname@example.org. Please allow up to thirty (30) days for a response.
European Union (EU) General Data Protection Regulation (GDPR)
Hone may at times be subject to GDPR, which is the European Union’s (EU’s) General Data Protection Regulation, as a controller or processor, of personal data as described below:
1. The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Any data subjects (i.e. anyone) based in the EU, or anyone handling or targeting the personal data of an EU-based individual must have processes, technology, and automation to effectively protect such personal data.
2. The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders in the EU or who monitors the behavior of personal data in the EU.
3. To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the EU to follow the requirements set forth in the GDPR.
In compliance with GDPR, Hone has implemented the data security processes set forth below to ensure the following are properly identified and processed:
A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization that works with Hone and determines the processing of personal data provided to Hone. Hone is a controller for its third-party partners when Hone determines the processing of personal data provided to the third-party.
A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a National Provider Identifier (NPI) number, a user name, or a web cookie.
Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.
Any personal information, including sensitive personal information, relating to a Data Subject. For example, email address, occupation (which may be student and program of studies), (expected) graduation year, and ZIP Code or Postal Code (for healthcare providers).
A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, attorney, an insurance agent, or an agency.
Supervisory Authority: An independent public authority established by an EU member state (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency.
Third party: Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
Key GDPR Data Security Requirements:
Hone’s key GDPR data security requirements can be broadly classified into three categories:
• Prevention, and
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes key data security requirements discussed in the GDPR and adopted by Hone.
Specifically, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on Hone’s instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. More on these security measures, limitations, and procedures is described below.
Assess Security Risks:
Data protection impact assessments lay a foundation for preventing breaches by evaluating the gaps and risks. The GDPR mandates that Controllers perform Data Protection Impact Assessments when certain types of processing of Personal Data are likely to present a “high risk” to the data subject. Hone’s assessment includes a systematic and extensive evaluation of processes, profiles, and how these tools safeguard the Personal Data, and when applicable a data processing agreement with Controllers and Processors.
At various places in the regulation, the GDPR reiterates the importance of preventing security breaches. The GDPR recommends several techniques to prevent an attack from succeeding:
• Encryption: The GDPR considers encryption as one of the core techniques to render the data unintelligible to any person who is not authorized to access the personal data. When applicable, Hone encrypts personal data it collects to render it unintelligible if accessed without authorization, and as applicable when processing or transferring the data to a Processor.
The GDPR provides that in the event of a data breach, the Controller does “not” need to notify data subjects if data is encrypted and rendered unintelligible to any person accessing it.
• Anonymization and Pseudonymization: Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information un-identifiable to an individual or entity. Where applicable, Hone anonymizes and pseudonyms the personal data it processes. This includes aggregating the data to be personally unidentifiable, such that the Personal Data is rendered anonymous and unlinkable to the original identity of a data subject.
• Privileged User Access Control: The GDPR implies controlling privileged users who have access to the Personal Data to prevent attacks from insiders and compromised user accounts. Hone limits access to Personal Data to specific individuals within the organizations, and with instructions as to the sensitivity of the Personal Data to prevent attacks and compromises of the Personal Data.
• Data Minimization: The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Person Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity. Hone minimizes the Personal Data it collects by considering what is adequate and relevant to what is necessary in relation to the purposes for which they are processed.
• Fine-grained Access Control: In addition to privileged user control, the GDPR recommends adopting a fine-grained access control methodology to ensure that the Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organizations minimize unauthorized access to Personal Data. Hone selectively uses Personal Data for the specific purpose for which it is required.
Monitor to Detect Breaches: While preventive / proactive security measures help Hone minimize the risk of attack, such measures cannot eliminate the possibility that a data breach may occur. Hone will monitor to detect such breaches through recording or auditing of the activities on the Personal Data and maintaining it so that processors and third parties must not be able to tamper or destroy the audit records. In the case of a Personal Data breach, Hone shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of any Personal Data breach.
The three broad categories of security guidelines (assessment, prevention, and detection) help Hone address threats from multiple angles and secure the data from unauthorized access.
Additionally, Hone mandates making data protection a core part of the system. Considering security during the initial design phase of Hone’s Services increases the security worthiness of Hone’s system and ensures that technical security controls should perform as expected. As part of this, Hone is implementing centralized administration for dealing with security of multiple applications and systems as they help take immediate actions in case of a breach. Centralized controls also enforce uniformity across multiple targets, should serve to reduce the chances of errors on individual targets, and have the advantage of being able to leverage best practices across the enterprise. Since threats and attacks can come from multiple sources, Hone works to be prepared from all directions, and mandates protection of Personal Data in all stages of the data lifecycle such as data-at-rest and in-transit.
Transfer of EU data subjects personal data to third parties outside the EU: Many of Hone’s external third parties are based outside the European Economic Area (EEA) so their processing of EU data subjects’ personal data will involve a transfer of data outside the EEA. Whenever we transfer an EU data subject’s personal data to external third parties based outside of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer EU data subjects personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. (link to: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en);
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. (link to: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en); and
• Where we use providers based in the United States, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the EU and the US. For further details, see European Commission: EU-US Privacy Shield. (link to: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).
You have the right to make a complaint at any time to your respective supervisory authority. (link to: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080) However, Hone would very much appreciate the chance to deal with your concerns before you approach the supervisory authority so please do not hesitate to contact Hone in the first instance.
If you have questions about the privacy aspects of the Services provided by Hone or would like to make a complaint, please contact us at email@example.com.
Changes to this Policy
This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check the Policy periodically. Hone will post any changes to this Policy at https://www.honeve.com/privacy-policy/ or on the Hone Site. If we make any changes to this Policy that may have a material effect on Hone’s practices with regard to the personal information we have previously collected from you, Hone will endeavour to provide you with notice in advance of such change by highlighting the change on Hone’s Site, or via firstname.lastname@example.org.
The Hone CUE Recognition App will soon be available on the App Store for early adopters. When it is available - you will be able to download it via the link below.