Carestream Health, Inc. and its subsidiaries (collectively, Carestream) are committed to protecting personal information. This Privacy Notice is intended to give you confidence in the privacy and security of any personal information that is entrusted to Carestream.
This Privacy Notice explains our practices with regard to the “Personal Information” we collect from healthcare professionals, customers, website visitors and other individuals with whom we interact.
For information about how we protect the privacy of patient information that we receive from our customers for processing, please see our Privacy Statement for Patient Information.
This Privacy Notice is effective as of May 10, 2018.
1. Types of Personal Information Collected by Carestream
Personal Information is any information that can be used to identify, locate or contact you. It also includes other information that may be associated with your Personal Information. We collect the following types of Personal Information:
In many cases, we collect Personal Information directly from you. We will ask you for Personal Information when you interact with us, such as registering on our websites, signing up to receive materials electronically, or making a purchase. We also collect Personal Information when you contact us, such as for customer service purposes.
We may collect information from your company when a hospital provides us with information about healthcare professionals who are authorized to receive support or services. We may also collect information about you from third party data suppliers who enhance our files and help us better understand our customers, or through publicly-available social media sites, such as LinkedIn or Twitter.
Carestream also collects certain non-personal information directly from our imaging equipment and printers. This Device Information may include the location (IP address) of equipment, product usage information (such as film consumption), and other data for support and service. Device information does not contain any Personal Information, but we treat it as Personal Information if it is associated with other information that can be used to identify, locate or contact a healthcare professional.
2. How Carestream Uses Personal Information
We use your Personal Information to:
3. Why Personal Information Is Disclosed by Carestream to Others
We will not sell or otherwise disclose your Personal Information to other companies for their own use unless we have your permission or we are required to disclose the information by law. We will only share your Personal Information as follows:
Please note that we may anonymize and/or aggregate your Personal Information to allow us to disclose information that is not personally identifiable. For example, we may publish reports that contain aggregated and statistical data. These reports do not contain any information that would enable the recipient to contact, locate or identify you.
4. Cookies and Other Data Collection Technologies
When you visit our website or use our mobile applications, we collect certain Transaction Information by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons.
In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without any reference to Personal Information. For example, we use information we collect about all website users to optimize our websites and to understand website traffic patterns.
When you visit our website, we place cookies on your computer. Cookies are small text files that websites send to your computer, or other Internet-connected device, to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. In many cases, you can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. All browsers are different, so visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available.
We may use Flash Cookies (also known as Local Stored Objects) and similar technologies to personalize and enhance your online experience. A Flash cookie is a small data file placed on a computer using Adobe Flash technology. The Adobe Flash Player is an application that allows rapid development of dynamic content, such as video clips and animation.
We use Flash cookies to personalize and enhance your online experience and to deliver content for Flash players. We may also use Flash cookies for security purposes, to gather certain website metrics and to help remember settings and preferences. Flash cookies are managed through a different interface than the one provided by your web browser. To manage Flash cookies, please visit Adobe’s website at: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html. If you disable Flash cookies or other similar technologies, please be aware that you may not have access to certain content and product features.
Pixel Tags and Web Beacons
Pixel tags and web beacons are tiny graphic images placed on website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.
Server Logs and Other Technologies
We collect many different types of information from server logs and other technologies. For example, we may collect information from the device you use to access our website, i.e., your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs also record the IP address of the device you use to connect to the Internet. An IP address is a unique identifier that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to Carestream and the website you visit after you leave our site.
5. Third Party Advertising Companies and Browser Tracking Information
We have relationships with third party advertising companies to place advertisements on this website and other websites, and to perform tracking and reporting functions for this website and other websites. These third party advertising companies may place cookies on your computer when you visit our website or other websites so that they can display targeted advertisements to you.
These third party advertising companies do not collect Personal Information in this process, and we do not give any personal information to them as part of this process. However, this Privacy Notice does not cover the collection methods or use of the information collected by these other companies. For more information about third party advertising, please visit the Network Advertising Initiative (NAI) at www.networkadvertising.org. To opt out of being targeted by many third party advertising companies visit: www.networkadvertising.org/consumer/opt_out.asp or http://preferences.truste.com/truste/.
Our websites use some of Google’s analytics tools. For information on how Google Analytics uses data, please visit “How Google uses data when you use our partners’ sites or apps”, located at: www.google.com/policies/privacy/partners/.
Although our websites currently do not have a mechanism to recognize the various web browser Do Not Track signals, we do offer our customers choices to manage their cookie preferences as described in the previous section. To learn more about browser tracking signals and Do Not Track, please visit http://www.allaboutdnt.org/
6. Social Media Interactions and Interest-based Ads
Our websites may enable you to interact with us and others via social media platforms, such as Facebook, Twitter, and Instagram. While we respect all social media platforms’ privacy policies, we may collect Personal Information about you and your friends if you choose to use these tools. We use the information to facilitate an interactive social experience.
We may display interest-based ads to you when you are using platforms such as Facebook and Google. These platforms allow us to personalize the ads that we display to you. We do not share any of your Personal Information with these platforms, although we may convert your email address into a unique number which can be matched by the platform with its user to allow delivery of the advertising. Although we do not provide any personal information to these platforms, they may gain insights about individuals who respond to the ads we serve.
7. Mobile Applications
We offer mobile applications that allow you to access your account, interact with us online and receive other information via your smartphone. All Personal Information collected by Carestream via our mobile applications is protected by the terms of this Privacy Notice.
When you download our mobile applications, you may choose to allow us to obtain your precise location from your mobile device. We use this information to deliver personalized content to you for our internal analytics purposes. We may also offer automatic (or "push") notifications. We will provide push notifications only to those individuals who opt-in to receive such notifications from us. You do not have to provide location information to us or enable push notifications to use any of our mobile apps. If you have questions about location and notification privacy, please contact your mobile service provider or the manufacturer of your device to learn how to adjust your settings.
8. Forums and Other Public Areas
9. Your Choices
You can always limit the information you provide to us. You can also limit the communications that we send to you. To opt-out of emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. To revoke permissions that you may have given to send text messages, text STOP in response to any message.
Please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account. For example, even if you opt-out of emails, we may still send you activity confirmations.
If you have any questions about your choices or if you need any assistance with opting-out, please contact us via email to email@example.com. You can also write us at the address noted in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and information about the communications that you do not want to receive.
10. Access and Correction
We respect your right to reasonably access and correct your Personal Information. If you have an online account, you can log into your account at any time to access and update the information you have provided to us. Additionally, Carestream complies with all laws regarding access and correction. If you need assistance updating your Personal Information, please contact us via email to firstname.lastname@example.org.
11. International Transfers
Your personal information may be transferred to, stored at or processed in the United States or other countries which may not have equivalent privacy or data protection laws. However, regardless of where your personal information is transferred, we will protect it in accordance with this Privacy Notice and applicable law. Personal information transfers from the European Economic Area (EEA) and other countries with data transfer restrictions will be authorized by approved model contracts or other appropriate means.
12. Important Information for European Economic Area (EEA) Residents
Carestream has a supplemental privacy notice to give individuals in the EEA the additional information required by the EU General Data Protection Regulation. These provisions, together with the statements in this Privacy Notice, explain our practices with regard to EEA personal data. Please click here to read our EEA Privacy Notice Supplement.
13. Information Security
We have implemented reasonable technical, physical and administrative safeguards to help protect your personal information against unauthorized access or loss. For example, when we ask users to provide payment information (such as credit card number), the data is protected during transmission to us using industry-standard encryption.
14. Privacy Policies of Third Parties
This Privacy Notice only addresses the use and disclosure of information by Carestream, Inc. and its affiliates. Other websites that may be accessible through this website have their own privacy policies and data collection, use and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by all third parties prior to providing them with information or taking advantage of an offer or promotion.
15. Job Applicants
If you have applied for employment with Carestream, the Personal Information submitted with your job application will be used only for recruitment and other customary human resources purposes.
16. Changes to this Privacy Notice
From time to time, we may update this Privacy Notice to reflect new or different privacy practices. We will place a notice online when we make material changes to this Privacy Notice. Additionally, if the changes will materially affect the way we use or disclose previously-collected Personal Information, we will notify you about the change by sending a notice to the primary email address associated with your account.
17. How to Contact Us
Please contact us if you have any questions or comments about our privacy practices or this Privacy Notice. You can always reach us online at: email@example.com. You can also reach us via mail to:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
Carestream is committed to protecting the privacy and security of all personal information that we process in order to provide services to our healthcare professional customers and their patients. This notice explains our practices with regard to the personal information we receive from our customers as a data processor.
Carestream will collect and process patient personal information only as instructed by our customers. We will not use or disclose patient information for our own purposes. Carestream will at all times maintain reasonable and appropriate security controls to protect patient information.
Carestream will disclose patient information to our customers and to other entities (including other healthcare professionals) when instructed by our customers. We may disclose patient information to our affiliates and approved data processors as needed to provide the services that our customers have requested. These entities are all contractually bound to limit use of your personal information as needed to perform the services. We may also disclose patient information when required by law.
For patients based in the United States, patient information is classified as protected health information under the US health privacy law known as the Health Insurance Portability and Accountability Act (“HIPAA”). Carestream will collect and process protected health information only as required or permitted by our business associate agreements and applicable laws, including HIPAA. Carestream will at all times maintain reasonable and appropriate security controls to protect the information as required by HIPAA.
For patients based outside of the United States, your personal information is always processed in accordance with applicable law. Patient information may be transferred to Carestream affiliates and data processors in the United States and elsewhere in the world. Carestream will always protect the privacy and security of patient information, regardless of where it is processed. Patient information transfers from the European Economic Area and other countries with data transfer restrictions will be authorized by approved model contracts or other appropriate mechanisms.
If you have questions about your privacy rights, please contact your healthcare provider. If you believe that Carestream has not handled your personal information properly, you may also contact Carestream’s Privacy Office at: privacy@Carestream.com.
Carestream Health is providing this supplemental privacy notice to give individuals in the European Economic Area (EEA) the additional information required by the EU General Data Protection Regulation. These provisions, together with the statements in the Carestream Privacy Notice, explain our practices with regard to EEA personal data.
1. Information about Carestream
This notice is being provided by Carestream Health, Inc. and its affiliates.
Carestream Health, Inc. is based in the United States. Our representative in the EEA is:
Carestream Health Netherlands, B.V.
3755 BZ Eemnes
You may contact the Carestream Global Privacy Office by emailing firstname.lastname@example.org or by writing to:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
2. The Purposes and Legal Basis for Processing, including Legitimate Interests
Carestream’s Privacy Notice explains the reasons why we process your Personal Information. We only process Personal Information when we have a legal basis for the processing, such as:
We may also process your Personal Information for the purposes of our legitimate interests, provided that such processing shall not outweigh your rights and freedoms. In particular, we may process your Personal Information as needed to:
3. Automated Decision-Making and Profiling
We may use analytics for product development purposes, such as to understand product usage, or for security purposes, such as to identify unauthorized login attempts. We will not make automated decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.
4. When You are Required to Provide Personal Information to Carestream
In most cases, you are not required by law to provide any Personal Information to Carestream. You are required to provide certain Personal Information to enable us to enter into a contract with you, so that you can use our products and services. Our registration forms indicate which data elements are required for our contracts. If you do not provide these data elements, we cannot do business with you.
5. Your Rights
As noted in the Carestream Privacy Notice, you always have the right to object to our marketing communications. To opt-out of emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. To revoke permissions that you may have given to send text messages, text STOP in response to any message.
Carestream also respects the rights of EEA residents to access, correct and request erasure or restriction of their Personal Information as required by law. This means:
To exercise these rights, please contact the Carestream Global Privacy Office, and a member of our Privacy Team will assist you. Please understand that we may need to verify your identity before we can process your request. If Carestream is processing your Personal Information as a data processor, we will refer you to our customer (such as your healthcare professional) for assistance with these requests. Carestream supports its customers in responding to requests as required by law.
If you believe that we have processed your Personal Information inappropriately, you may also contact the Carestream Data Protection Officer or other supervisory authority. You may reach our Data Protection Officer by writing to the DPO at the Carestream Global Privacy Office address set forth above.
6. International Transfers
As noted in the Carestream Privacy Statement, your Personal Information may be transferred to, stored at or processed in the United States and other countries which may not have equivalent privacy or data protection laws.
We generally use approved Standard Contractual Clauses to assure that Personal Information is adequately protected when it is transferred out of the European Economic Area or Switzerland, but we may also make transfers to recipients with approved Binding Corporate Rules or to recipients in the United States who have certified to the EU-US and/or Swiss-US Privacy Shield Framework.
Please contact the Carestream Global Privacy Office if you would like more information about cross-border transfers or to obtain a copy of the Standard Contractual Clauses.
7. Data Retention
We will retain your Personal Information for as long as the information is needed for the purposes set forth in Section 3 above and for any additional period that may be required or permitted by law. You may request that we delete your Personal Information by contacting the Carestream Privacy Office. Unless we have a compelling interest in retaining your information, it will be deleted within 30 days of your request.