Effective Date: March 24th, 2022
Vana Health Inc., together with our affiliates and partners (hereinafter “we”, “us”, or “our”), are the provider of website(s), mobile application(s), platform and services (collectively, the “Services”). The term “you” refers to the person utilizing the Services, including to purchase products from us.
For residents of the UK and EEA, there is an additional category of “Sensitive Personal Information”, which includes information that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation or criminal convictions, offences, allegations or proceedings.
Consent for the collection, use and disclosure of Personal Information
For residents of the UK or EEA, please see the ‘Lawful Basis’ section below.
When we receive Personal Information from you for the purposes of providing you with our Services, or for other uses identified herein, you are providing us with consent as follows:
- to allow us to provide your Personal Information to third parties we engage to provide or support the Services;
- to allow us to use and store your Personal Information for the purpose of providing you with the products and services you purchase from us and to utilize the Services;
- to allow us, or any third party we engage or that assists us, and applicable HCPs, to collect, use and disclose any information collected about you through the Services, or HCP services, or that you provide to us through the Services; and
- to allow us to transfer your Personal Information outside of Canada (whereby your Personal Information will be treated in accordance with applicable foreign laws) for the purpose of storage, processing and use of your Personal Information by us.
If you need to provide us with Personal Information about other individuals, you hereby represent and warrant to us that, where required by law and prior to your disclosure to us, you will obtain the consent of each individual to the collection, use and disclosure by us for the specific purpose(s) that the disclosure is made by you, including all purposes set out herein.
There are legal exceptions where we will not need to obtain consent or explain the purposes for the collection, use or disclosure of Personal Information. Some examples of situations where consent is not required include an emergency that threatens the life, health or security of an individual, or if we must comply with a court order or governmental order.
We may use Personal Information without your knowledge or consent in limited circumstances whereby we are required to provide Personal Information to third parties for legal or regulatory purposes. For example, under certain exceptional circumstances we may have a legal duty or right to disclose Personal Information without your knowledge or consent. Various government agencies such as the Canada Revenue Agency, Human Rights Commission, Canadian Radio-television and Telecommunications Commission, and law enforcement, may have the authority to review our files and interview our staff when deemed necessary. These agencies have their own strict privacy obligations.
HCPs may disclose Personal Information about you, including to your emergency contact, if they believe that you are experiencing, or are at risk of experiencing, a medical emergency during a consultation and disclosure is necessary in order to eliminate or reduce the risk of serious harm.
For Residents of the UK and/or EEA:
Where the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies, including as it has been incorporated into the laws of the UK (the “UK GDPR”), we may collect, use and share your Personal Information on one or more of the following legal bases:
- as necessary to comply with our respective legal obligations;
- to protect your vital interests, or those of others;
- as necessary in the public interest;
- as necessary for our (or others’) respective legitimate interests, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data;
- to perform our contractual obligations, or to take steps at your request prior to entering into a contract with you;
- with your consent, for example, when sending you marketing communications; and
- in the case of Sensitive Personal Information:
  - with your consent, which you may revoke at any time;
  - to establish, exercise or defend legal claims; or
  - where the information has already been made public by you.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the Services). In this case, we may have to cancel a Service you have with us but we will notify you if this is the case at the time.
Our Services may include features for progress tracking, and any Personal Information and other data collected in relation to such features may be stored and processed by us for a twelve (12) month period after it is provided. At the end of that time period your Personal Information will be destroyed in accordance with the terms herein.
Your consent to our keeping your Personal Information and data for this period of time for any of our Services or products is required due to the progress tracking which may be utilized to review the efficacy and performance of our products and Services and for other purposes relating to our business operations and product and service development. As examples:
- for any product or Service relating to cellulite reduction you may be requested to complete the following daily in the morning and evening: (i) take measurements of the circumference of each of your thighs; (ii) take photos of your thighs; and (iii) submit the measurements and photos to us in accordance with the instructions we provide to you.
- for any product or Service relating to recovery from athletic activity you may be requested to complete the following at intervals indicated by us: (i) take such measurements as are requested by us (e.g., body measurements, heart rate, energy levels, etc.); (ii) undertake periodic testing (e.g., relating to biomarkers); and (iii) submit the measurements and test results to us in accordance with the instructions we provide to you.
What information do we collect?
We collect Personal Information provided by you when you sign up for an account, complete a transaction through the Services, or fill out a form on the Services and we may collect Personal Information from you at other instances in the course of and in relation to the Services. When completing any forms or otherwise using the Services, as appropriate, you may be asked to enter your name, e-mail address, mailing address, phone number, payment information, and other Personal Information including Sensitive Personal Information. You may however visit our site anonymously.
As set out above, HCPs are responsible for the collection, use and disclosure of Personal Information as it relates to the provision of their services and for ensuring that adequate safeguards are in place to protect that information. We may collect Personal Information from you on behalf of an HCP when you request certain Services, such as Services relating to certain medical tests or medical appointments, to facilitate the provision of related services by the HCP. HCPs may further access Personal Information through the Services that you have entered or uploaded to any profile you may set up via the Services.
HCPs must comply with professional regulatory requirements, including as it relates to confidentiality and privacy and record keeping, as well as privacy laws. HCPs may create information such as laboratory test result reports, prescriptions, and other information relating to your interaction with them or relating to the services such HCPs provide to or for you.
We securely store your data on our servers whereby it is protected by security measures and precautions applied thereto. We will keep your personal information in such data for a period of time during which it is used to provide the Services, and as otherwise permitted in accordance with applicable laws relating to the storage and deletion of such personal information. Once this time period has expired we will delete your personal information by removing it from our servers and destroying such data.
What do we use your information for?
We use your Personal Information for the purposes for which it was collected, as well as other purposes for which we have a lawful basis to do so. In addition to those purposes set out in the Consent section above, this includes, but is not limited to, the following purposes:
- Marketing: In accordance with anti-spam laws, we may obtain your consent in order to send you commercial electronic messages. We do not share email addresses or other contact information with third parties without your permission.
- Notifications: We will ask you if you wish to receive notifications about services that you request. If you agree, we will send you email or text messages to notify you about the status of your requests, such as product orders.
- Payments: Some of our Services may be provided for fees, and you may be given the option to pay for Services via an electronic payment service. Such electronic payment service may be facilitated by a third party service provider on our behalf. Any payment information you provide may therefore be provided to such third party service provider.
- To improve the Services: Your information helps us to more effectively respond to your customer service requests and support needs, and use data analytics to improve the Services.
Do we disclose any information to outside parties?
We do not sell your Personal Information.
We may share some of the Personal Information we collect about you with third party companies, such as our trusted partners, affiliates and related entities, and our third party service providers, or other third parties where disclosure is necessary to provide you with the Services.
Your Personal Information will also be shared to facilitate the services needed in order to properly and efficiently handle duties related to your requests and use of the Services. For example, we may share information with lawyers, accountants, and auditors. We may share your Personal Information with government agencies to fulfill legal, reporting, and regulatory requirements and we may release your information when we believe release is necessary to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety.
Where you have consented to us doing so, we may also provide our affiliated companies, subsidiaries, and agents with your Personal Information so they may offer you additional services or perform analysis to determine your qualification to receive future services. We may provide non-personally identifiable visitor information to other parties for marketing, advertising, or other uses.
International Transfers of Personal Information
If you are a resident of the UK or EEA:
We may share your Personal Information with entities that are based outside of the UK or EEA.
Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; or
- Where we use certain service providers, we may use specific contracts approved for use by the Information Commissioner’s Office or EU Commission which give personal data the same protection it has in the UK or EEA.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA.
How do we protect your information?
We implement a variety of security measures to maintain the safety of your Personal Information. We use physical, organizational and technical industry-standard security safeguards commensurate to the sensitivity of Personal Information and other data collected, used or disclosed. We have implemented and maintain reasonable and appropriate security measures, procedures and practices to protect against the loss and unauthorized access, use, modification, destruction or disclosure of your Personal Information while it is in our custody or under our control.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Notwithstanding the foregoing, there are inherent risks to any technology however remote that could cause security protocols to fail or to be breached and which could result in the unauthorized collection, use or disclosure of your Personal Information.
For residents of the UK and EEA, we will obtain your consent before making use of any cookies which are not strictly necessary for the provision of the Services.
Cookies are small text files that a website saves on your computer or mobile device when you visit the site. They save and retrieve pieces of information about your visit to the website – for example, how you entered the site, how you navigated through the site and what information and documentation was of interest to you. This means that when you go back to a website, it can often give you tailored options based on the information it has stored about you on your last visit. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another. For clarity, cookies do not give us access to your computer or any information about you other than the data that you permit to be shared with us.
On our Services, cookies can be set by us (first party cookies) or by our partners (third party cookies).
We set cookies for the purposes set out below:
- collecting page views;
- viewing history; and
- session cookies – for keeping users logged in while browsing (for a duration of up to one hour).
The following major third-party analytics services (among others) may set cookies and have access to your IP address based upon your use of our website:
- Google Analytics
The names and purposes of the third party cookies are provided by such third parties and you should visit the websites of such third parties to obtain such information. All cookies used on our site are necessary for us to provide the Services, and are used in accordance with applicable laws. To our knowledge, all of the third party providers that we use are compliant with applicable laws, and such third parties face serious consequences if they are in breach of applicable privacy laws.
To find out more about cookies, including to see what cookies have been set and how to manage and delete them, visit https://www.allaboutcookies.org/.
If you do not wish to accept cookies from our Services, please leave the Services immediately and then delete and block all cookies from the Services.
Retention of Personal Information
Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Under some circumstances we may anonymize your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.
When Personal Information is no longer required by us or by law, we will either convert it into an aggregated non-identifying form or we will appropriately destroy or erase the Personal Information in a manner that is in accordance with our current policies and procedures.
We are committed to protecting the privacy of children. Our Services are not intended for children under 16 years of age. No one under age 16 may provide any information on the Services. We do not collect personally identifiable information from any person we actually know is a child. If we learn we have collected or received personal information from a child under age 16 without verification of parental consent, we will delete that information.
While we collect the Personal Information that you supply, we do so with the understanding that any such information is accurate. It is important to us that your Personal Information held by us is accurate and complete. Having accurate information about you enables us to provide you with the Services in a manner whereby they function as intended. We will bear no responsibility for any action or omission as a result of our lack of accurate contact information for you, including any inaccuracy, malfunction or other deficiency of the Services.
Access and Correction
We recognize that you may have the right to access your Personal Information. Any access request must be made in writing to: [email protected]. Where applicable or permitted, we will make the information available within 30 days or provide written notice when we require additional time to respond to a request for access to information.
In some situations, we may not be able to provide access to certain Personal Information as the right to access Personal Information is not absolute. If we do not provide you with the requested information, we will notify you in writing and explain our reason(s) for not fulfilling your request.
Where applicable, we will seek your express consent to contact you, including by way of commercial electronic messages, which may include email or SMS text messages. You can unsubscribe at any time from receiving commercial electronic messages by following the instructions in the message or by contacting us at [email protected].
Even if you have opted out of receiving marketing communications from us, please be aware that we may still contact you for other purposes. For example, we may contact you to provide communications you have consented to receive, regarding the Services we provide to you, or if you contact us with an inquiry.
What Are My Rights?
If you are a resident of or located in the UK or EEA, and the GDPR or the UK GDPR is applicable to you, you have the following rights:
i. The right to be informed about our collection and use of your personal data;
ii. The right to access the personal data we hold about you;
iii. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete;
iv. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold;
v. The right to restrict (i.e. prevent) the processing of your personal data;
vi. The right to object to us using your personal data for a particular purpose or purposes;
vii. The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time;
viii. The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases;
ix. Rights relating to automated decision-making and profiling.
If you are in the UK, further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau. Residents of the EEA can obtain further information from your local data protection supervisory authority (for example, the Agencia Española de Protección de Datos in Spain).
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (in the UK) or your local data protection supervisory authority (in the EEA). We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first.
Withdrawal of Consent
You may, at any time, withdraw your consent to our collection, use and disclosure of your Personal Information. Should you choose to withdraw your consent, we may be unable to provide, or continue to provide, the Services that can only be provided if we receive appropriate and required Personal Information.