Last Updated: November 16, 2019
QT Medical provides electrocardiogram (ECG) data acquisition, cloud storage and diagnostics services (the “Services”) through our website portal and mobile application. By using the Services, you consent to our collection and use of your Protected Health Information (as defined under the Health Information Portability and Accountability Act of 1996 and its implementing regulations, “HIPAA”) and certain Personal Information as described in this Policy. Except as set forth in this Policy, your Protected Health Information (“PHI”) and/or Personal Information (“PI”) will not be used for any other purpose without your consent. We acknowledge that in certain cases, we may be a Business Associate under HIPAA and will not use or disclose PHI collected through your use of the Services for any purpose that, where applicable, would violate HIPAA. We also do not actively collect PI for the purpose of sale of such information in a way that specifically identifies you as an individual (i.e., we do not sell customer lists).
Our Services are intended for individuals located within the United States. We do not knowingly collect any information from an individual located within the European Union (“EU”) or market to individuals residing in the EU. By accessing the Services from the EU or other regions of the world with laws governing data collection and use that may differ from U.S. laws, you are consenting to the transfer of your personally identifiable information outside of those regions to the United States and acknowledge that you may not have the same protections.
We collect information that you provide. We collect user-provided information. When you register for an account to use our Services or at any later time, you may provide certain personally identifiable and financial information such as: your name; password; age; gender; physician information, including the name of your primary care physician, cardiologist or prescribing physician and your physician’s order or prescription for you to receive our Services; email address; postal mailing address; zip code; credit or debit card number and expiration date; billing address, and home/mobile telephone number. We also collect health data about you through the use of our ECG monitoring device.
We collect device and mobile information. We collect device identifiers. We may also collect information about your location. QT Medical's servers may also automatically record certain information from your browser such as your Internet Protocol (IP) address, browser type, internet service provider (ISP), referring or exit pages, click stream data, operating system, and the dates and times that you visit our Website. This information is collected SOLELY for us to provide Services.
Data, Diagnostic & Login Information. You may be able to create, upload, publish, transmit, distribute, display, store, submit or share information, data, text, graphics, messages or other materials using our Services (collectively, “Data”), which may be stored and maintained on our servers.
We may collect information about you from your healthcare providers. As part of the Services and our provision of healthcare, we may collect information about you from your treatment providers. We will collect only the information necessary to provide the Services and will safeguard such information in accordance with the terms of this Policy.
We collect information directly from you. We collect information when you register for an account or use the Services. We collect information if you contact us through our Website or App.
We collect information about you passively. We use tracking tools like browser cookies, web beacons, and pixels. We do this on our Website and in emails we send to you. We collect information about users over time when they use our Website and Services. This includes usage and browser information. We may have third parties collect Non-PHI this way.
We use information to respond to your requests or questions. We use your information to respond to your questions. This includes questions about our Services or your relationship with us.
Health Information. We use your information for the provision, coordination or management of your health care, including consultations between health care providers relating to your care and referrals for health care from one health care provider to another, including but not limited to doctors, nurses, technicians, health students, volunteers, or other personnel involved. For example, copies of your ECG monitoring reports may be shared with your primary care physician or other treating practitioner pursuant to your request or otherwise as required by law.
Payment Information. We use financial information to manage your account, to provide the Services, and to collect payment for the Services. We may use a third-party service provider to manage credit card processing. If we do so, such a service provider will not be permitted to store, retain, or use billing information except for the sole purpose of credit card processing on our behalf.
We use information to improve our products and services. We use your information to improve our Website and App. We use your information to customize your experience with us. We also use your information to serve you specific content that is most relevant to you.
We use information for security purposes. We use your information to protect our company and our users. We also use your information to protect our Website and App. We may use your information to prevent, discover, and investigate violations of this Policy or Terms of Service.
De-Identified Information. We use aggregated, de-identified information to support our administrative, management or other business purposes. We may also use your information in a de-identified, anonymous way in conjunction with an analytics service to monitor and analyze use of the Services, for the Services’ technical administration, to increase the Services’ functionality and user-friendliness, to offer new or additional service lines and features, and to monetize business intelligence. We use de-identified information for commercial purposes for which we receive compensation from third parties.
According to Section 164.514(a) of the HIPAA Privacy Rule, we follow the standard for de-identification of PHI with the removal of 18 types of identifiers in 164.514(b)(2)(i):
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
(D) Telephone numbers.
(E) Fax numbers.
(F) Electronic mail addresses.
(G) Social security numbers.
(H) Medical record numbers.
(I)Health plan beneficiary numbers.
(J) Account numbers.
(K) Certificate/license numbers.
(L) Vehicle identifiers and serial numbers, including license plate numbers.
(M) Device identifiers and serial numbers.
(N) Web Universal Resource Locators (URLs).
(O) Internet Protocol (IP) address numbers.
(P) Biometric identifiers, including finger and voice prints.
(Q) Full face photographic images and any comparable images, and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;
Retention. We will keep your PI and PHI for as long as it remains necessary for the identified purpose or as required by law, which may extend beyond the termination of our relationship with you. We may retain certain data as necessary to prevent fraud or future abuse, or for legitimate business purposes, such as analysis of aggregated, non-personally identifiable data, or account recovery. All retained PI and PHI will remain subject to the terms of this Policy.
We combine information collected offline with that we collect online. We combine information that we have collected from your healthcare providers and across other third-party sites. We combine information collected across devices, such as computers and mobile devices. We also combine information we get from third parties with information we already have.
We share information with our business partners. We may share your information with companies that provide services to us, including outside contractors or agents who help us manage our information activities, but they may only use your information to provide us with a specific service and not for any other purpose. These third parties enter into agreements with us to protect your information.
Healthcare Providers. When you access the Services through a health care provider and permit access to such healthcare provider, the provider may access and use the information you submit through the Services so they can provide health-related services to you. We may sign agreements with such health care providers to help protect the privacy and security of your information. We may share your information with other healthcare providers who have a treatment relationship with you for treatment purposes.
We share non-personally identifiable information. We may de-identify information about you or aggregate it with other information from other users in a manner that cannot be used to identify you and share that information with other parties.
We will share information if we think we have to in order to comply with the law or to protect you or ourselves. We will share information to respond to a court order or subpoena. This includes but does not limit to sharing of your information for public health activities (e.g., to prevent or control disease, injury or disease), law enforcement reasons, coroners and medical examiners, national security and intelligence activities, lawsuits and disputes, inmate health reasons, or serious security threats. Note that genetic information, HIV-related information, and alcohol and/or substance abuse records, mental health records, and other specific health information may enjoy special confidentiality protections under applicable state and federal law. Any disclosures we make for this information will be in accordance with applicable laws. We will also share information if a government agency or investigatory body requests it. This includes U.S. and non-U.S. law enforcement or regulatory authorities. We may also share information when permitted by law to protect us, the Services, and our Website.
We may share information with a successor to all or part of our business, as permitted by law. If part of our business is sold, we may include user information as part of that transaction. Where legally required, we will give you prior notice and if you have the legal right to do so, allow you to object.
We may share information for other reasons we may describe to you.
Restrictions on personal information. You may decline to enter any or all of your personally identifiable information, in which case we may not be able to provide to you some of the features and functionality of the Services. If you register for an account for Services, you may update, or correct, your account information and preferences at any time by going to your account settings page. To protect your privacy and security, we take reasonable steps to verify your identity before granting you access to your account or making corrections to your information. However, you are SOLELY responsible for maintaining the secrecy of your unique account and password information at all times. Most browsers are initially set up to accept cookies, but you can choose to configure your browser to refuse all cookies or to indicate when a cookie is being sent.
You can opt out of certain marketing. To stop receiving our marketing communications please email us at email@example.com or follow the instructions in any message you get from us. Nevertheless, if you opt out of marketing emails, you may continue to receive messages about your relationship with us permitted by law.
Access and amendment of your information. Upon request, we will provide you with a copy of the PI we have on file for you. To request this information, please contact us via the contact information at the bottom of this Policy. If you notice any errors that you are not able to update yourself, you may also contact us, we will correct it if we determine that the information is inaccurate and we are the source of such error. However, since we collect your information from a variety of sources, we may ask you to contact the source for correction from time to time.
Our Website and Services are meant for adults age eighteen (18) years or older.
We use appropriate and reasonable security measures as required by relevant laws, including but not limited to HIPAA, CCPA, HITECH and Standard of Privacy of Individually Identifiable Health Information. We are adopting required safeguards such as Security Management Process (risk analysis, risk management, sanction policy and information system activity review), Security Official, Security Incident, Contingency Plans (data backup plan, disaster recovery plan and emergency mode operation plan). The Internet is not 100% secure. We cannot promise that your use of our Website and App will be completely safe. We encourage you to use the Internet with caution.
QT Medical uses certain physical, administrative, and technical safeguards to help protect your PI. These safeguards comply with the current security standards under the HIPAA. If we learn a security systems breach, we may attempt to notify you electronically within 60 days following the discovery, so that you can take appropriate protective steps. We will post a notice if a security breach occurs., You may also receive written notice of security breach depending on where you live.
Information we collect may be stored and processed in the United States. If you live outside of the United States, you understand and agree that we may transfer your information to the United States which may not afford the same level of protection as the laws in your country. By submitting your information, you agree to the processing of it in the United States as permitted by law.
Under GDPR (the “General Data Protection Regulation”), “You” can be referred to as the Data Subject or as the User as you are the individual using the Services. “You” may also indicate the individual accessing or using the Services, or a company, or any other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
“Affiliate” means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
“Service Provider” means any natural or legal person who processes the data on behalf of QT Medical. It refers to third-party companies or individuals employed by the QT Medical to facilitate the Services, to provide the Services on behalf of QT Medical or to assist QT Medical in analyzing how the Services are used. For GDPR, Service Providers are considered as “Data Processors.”
“Personal Data” includes any information that relates to an identified or identifiable individual, such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
“Usage Data” refers to data collected automatically, either generated by using the Services or from the Services infrastructure itself.
“Data Controller” refers to QT Medical, as the legal person, alone or jointly with others determines the purposes and means of the processing of Personal Data.
“Account” means a unique account created for you to access all or part of our Services.
Legal Basis for processing Personal Data under GDPR – we may process Personal Data under the following conditions:
GDPR applies to the following natural/legal person:
Under CCPA (California Consumer Privacy Act), “Personal Data” means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with you.
“Business” refers to a company as the legal entity that collects Consumers’ Personal Data and determines the purposes and means of the processing of such data, or on behalf of which such data is collected, whether alone or jointly with others, determines the purposes and means of the processing of consumers’ Personal Data, that engages commercial activities in the State of California.
“Consumer” means a natural person who is a California resident. A “Resident”, as defined by law, includes (1) every individual who is domiciled in the US, and (2) every individual in the US for other than a temporary or transitory purpose.
“Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.
You have the right to request and obtain information regarding the disclosure of the following:
If you have any questions about this Policy or our data practices, please email us at firstname.lastname@example.org. You can also write or call us at:
We will not take action against you for filing a complaint. If you have a complaint concerning our compliance with applicable privacy laws, we will investigate your complaint and take appropriate measures. You may also file a complaint relating to our use and disclosure of your PHI to the United States Department of Health and Human Services Office for Civil Rights at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
This Policy may be updated from time to time without further notice to you and this will be reflected by a "Last modified" date above. Please revisit this webpage regularly for any changes. By continuing to use the Services, you are consenting to the terms of the then-current Policy.