Privacy and Security Policy
Last updated: June 1, 2022
Bone Health Technologies, Inc. (“BHT”, “us”, “we”, or “our”) operates websites including www.BHT.com (each a “Website”) and other online platforms used to gather information from others, such as Google Forms (together with our Websites, our “Online Platforms”) that allows (i) access to and download of certain information we provide through our Online Platforms and (ii) to assist us in our research and development efforts. This document sets out our privacy and security policy (the “Policy”) and, among other things, informs you of our policies regarding the collection, use and disclosure of Personal Information (as defined below) when you access our Online Platforms (whether directly or indirectly) or in any manner use any portion of our Online Platforms.
By visiting or using any portion of our Online Platforms or in any manner communicating with us via our Online Platforms, you accept our practices described in this Policy, and you consent to our collection, use and disclosure of your information, including Personal Information, as described in this Policy. If you do not wish to agree to the practices and uses described in this Policy, please do not access any of our Online Platforms.
We may update this Policy periodically. Your continued access and/or use of our Online Platforms after we post any modifications to the Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policy. If we make any changes to this Policy that we believe are material, we will either through the email address you have provided us by placing a prominent notice on our Websites, or otherwise notifying you of any such modified Policy. If you do not agree to the changes to this Policy, your only remedy is to discontinue all use of and access to our Online Platforms.
1. Applicability of this Policy
This Policy applies to your use of any of our Online Platforms, including any communication by you of information to us. Individual users of our Online Platforms are sometimes referred to in this Policy as “users.” This Policy is designed to tell you what information we gather from you in connection with your use of our Online Platforms, and how we may use and disclose that information, and it applies to information that we receive from you, as well as information about you that we receive from third parties. This Policy is incorporated into and subject to any terms of service or other agreements, between you and BHT relating to your use of and access to our Online Platforms.
Except as expressly stated herein, this Policy does not apply to any third-party applications or technologies that integrate with our Online Platforms, or any other third-party products, services, or businesses, or to third-party websites that you access via links or otherwise while using our Online Platforms (“Third-Party Services”). This Policy does not apply to data collected from, or provided by you to via Third-Party Services, and instead such data is subject to the practices of the provider(s) of the applicable Third-Party Services. You should review the privacy policies of such Third-Party Services (and any other applicable terms and conditions) to determine how your data will be used before sharing any of your data with them. For example, if you submit information to us via a Google Form, the privacy policies of Google shall apply.
If you are a California resident, you may have additional rights related to your Personal Information under California law as set forth in our California Privacy Addendum available at the end of this Policy.
2. Data We Collect From You; How We Use It
In connection with your use of our Online Platform, we may receive various types of information related to you, as well as information you provide us about others. Sometimes you provide us with this data and sometimes data about you is collected automatically. To the extent data is associated with an identified or identifiable natural person and is protected as personal information (or substantially equivalent terms) under applicable data protection laws, it is referred to in this Policy as “Personal Information.”
This information includes any such information that you affirmatively provide to us, as well as certain information we receive automatically through the use and functioning of our Online Platforms. This information may include the following:
- Location Information. Our Online Platforms may request permission to and track location-based information from your device, either continuously or while you are using or accessing the Online Platforms, to provide location-based services and we may receive this information from our Third-Party Providers who provide applicable aspects of our Online Platforms. If you wish to change our access or permissions, you may do so in your device’s settings. We use the information to provide you with our Online Platforms and related customer support (such as providing you with information tailored to your jurisdiction in response to inquiries), and to monitor the performance of our systems.
- Operational Data. Our software and systems, as well as the software, systems, and device(s) used to access our Online Platforms, may automatically collect technical and operational data, such as information about devices accessing our Online Platforms, including the type of device, device settings, operating system, application software, peripherals, and unique device identifiers, phone number, country, location, and any other data you choose to provide. Automatically collected data may also include information about the configurations and use of our Online Platforms, metrics about how and when our Online Platforms are used and how they perform, and information about events occurring on our technology systems. We use the information described in this paragraph to provide you with our Online Platforms and to optimize their delivery, to monitor the performance of our technology systems, to provide you with information through your account with respect to your use of our Online Platforms, to maintain the security of our systems and to detect and address harmful or fraudulent use, to confirm compliance with our contractual and legal obligations, to administer our disaster recovery plans and policies, and to create anonymized and/or aggregated data that we use to improve our products and services and for other lawful purposes.
- Third-Party Services. You may elect to use certain Third-Party Services that we make available in connection with your use of our Online Platforms. As noted above, information you provide to such Third-Party Services is subject to the privacy policies and practices of the provider of the applicable Third-Party Service. Additionally, once enabled, it is possible that the Third-Party Services may share certain data with BHT to effectuate integration between our Online Platforms and theirs. You should check the privacy settings and notices of any Third-Party Services you elect to use in connection with our Online Platforms to understand what data may be disclosed to BHT. We may receive data regarding your credentials for and use of the applicable Third-Party Services, such as your username, your unique identifier, and your information transmitted from or made available with permissions by such Third-Party Services (e.g., account profile, gender, age range, language, geographic region, etc.), and to the extent received we use this information as described elsewhere in this Policy.
- Customer Support Information. We may receive data, including Personal Information, from you in connection with customer support activities, such as calls or chats you have with our personnel, or other related inquiries you submit to us. We use this information to respond to your inquires and provide the requested support, and to facilitate the related aspects of our Online Platforms.
Any Additional Information Provided to Us
In addition to the categories described herein, we also may collect Personal Information that you post, upload, store, display, transmit, or submit through our Online Platforms in any other manner. Although we will treat such information consistent with this Policy, we are not responsible for the content of any information, including Personal Information, that you provide to us, and by using our Online Platforms, you assume full responsibility for obtaining, and you represent that you have obtained, all necessary consents and permissions to provide such information to us.
Additional Usage By Us of Your Information. By using our Online Platforms, you affirmatively agree that we can (also) use and disclose the information described as described in other parts of this Policy.
3. No Children’s Data
Our Online Platforms are not directed to or intended for children, and BHT does not intentionally collect, process, or store through our Online Platforms any Personal Information from any person under 18 years of age. In the event we discover we have inadvertently collected, processed, or stored any Personal Information from a person under 18 years of age without verifiable parental consent, we will promptly take the appropriate steps to delete such data or seek the necessary verifiable parental consent for that collection in compliance with the Children’s Online Privacy Protection Act (“COPPA”). We request that users not provide us with any Personal Information of any person under 18 years of age.
4. How We Share and Disclose Data
Except as described in this Policy, BHT will not use or disclose your Personal Information for any purpose other than to the extent reasonably necessary to perform our research and development efforts, provide you with services and/or support you request, or as otherwise described in this Policy. As a matter of policy, absent your express consent, we do not sell or rent information about you, and we will not disclose information about you in a manner inconsistent with this Policy except as required by law or government regulation.
Subject to the above paragraphs, we may share or disclose information about you as follows:
- With Your Consent. We may disclose your data, including Personal Information, to third parties when we have your express consent to do so. This includes any information that you post to any publicly viewable component of our Online Platforms – by publishing such information via our Online Platforms, you consent to our disclosure of this information.
- By Law or to Protect Rights. We cooperate with law enforcement inquiries, as well as other third parties, to enforce laws such as those regarding intellectual property rights, fraud, and other personal rights. WE CAN (AND YOU AUTHORIZE US TO) DISCLOSE ANY INFORMATION ABOUT YOU TO LAW ENFORCEMENT, OTHER GOVERNMENT OFFICIALS OR ANY OTHER THIRD PARTY THAT WE, AT OUR SOLE DISCRETION, BELIEVE NECESSARY OR APPROPRIATE IN CONNECTION WITH AN INVESTIGATION OF FRAUD, INTELLECTUAL PROPERTY INFRINGEMENT OR OTHER ACTIVITY THAT IS ILLEGAL OR MAY EXPOSE US, OR YOU, TO LIABILITY.
- Rendering our Service Offerings. Our employees, agents, and contractors may have access to your data on a need to know and confidential basis to the extent necessary to render our service offerings and related support to you. We require such parties to treat your information consistent with this Policy.
- Internal Research and Development. We may use your information to assist in our product and service research and development efforts and our application(s) for any and all governmental approvals (e.g., FDA approvals, etc.).
- Interactions with Other Users; Postings. If you interact with other users of our Online Platforms, those users may see identifying information and descriptions of your activity that you make available to them via our Online Platforms. If you speak to other users, post comments, contributions or other content in any way connected to our Online Platforms, your posts or other statements may be viewed or heard by other users and may be publicly distributed outside our Online Platforms.
- Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this Policy. Affiliates include our parent company and/or any subsidiaries (if any), companies with an ownership interest in BHT, joint venture partners, or other companies that we control or that are under common control with us.
- Our Service Providers. As describe above, we engage third parties to process data or otherwise support our Online Platforms (“Service Providers”). We may share your data, including Personal Information, with Service Providers (e.g., email services, platform hosting, cloud computing services, data storage and processing facilities) to the extent appropriate to let them perform business functions and services for us or on our behalf in connection with the provision of our services. For example, servers used by BHT in connection with providing our Online Platforms are not physically located at our facilities, but rather are managed by a third-party Infrastructure-as-a-Service provider (an “IAAS Provider”). We have taken commercially reasonable steps to choose a professional and reputable IAAS Provider(s) and to ensure that such IAAS Provider(s) and our other Service Providers use appropriate security measures in light of the risks and nature of the data being protected and consistent with industry norms. Still, it is impossible to guarantee that the security measures taken by our Service Providers will be adequate in all circumstances, and by using our Online Platforms, you understand and agree that we have no liability for the actions of such Service Providers.
- Third-Party Services. Our systems may enable or permit integrations with or use of Third-Party Services in connection with our Online Platforms. When such Third-Party Services are enabled, we may share certain data with them as requested to effectuate the integration, including data regarding your credentials related to our Online Platforms. As mentioned above, Third-Party Services are not owned or controlled by BHT and third parties that have been granted access to your data may have their own policies and practices for its collection and use; you should check the privacy settings and notices of these Third-Party Services to understand their privacy practices. For example, if you complete a survey via our Online Platform that uses Google Forms, the information you submit is made available to Google.
- Changes to BHT’s Business. If we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g., due diligence), we may share or disclose data in connection therewith, subject to standard confidentiality obligations.
- Aggregated or De-Identified Data. If any data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person or household (in the case of aggregated data) or no longer capable of being associated with or relinked with any identifiable natural person or household (in the case of deidentified data), we may use or disclose such aggregated or de-identified data for any purpose. For example, we may share aggregated or de-identified data with prospects or partners for business or research purposes, such as statistical analysis, to research trends and predictive analysis, or to develop or improve our Online Platforms.
- Enforcement of Agreements. We may disclose data to ensure compliance with and to enforce contractual or legal obligations with respect to our Online Platforms and our business, including any applicable lease agreements.
- Protection of Rights. We may disclose data to protect and defend our rights and property, including intellectual property rights, and to ensure compliance with applicable laws and enforce third party rights, including intellectual property and privacy rights.
- Safety and Security. We may disclose data to protect your safety and security; to protect the safety, security, and property of our users; and to protect our safety, security, and property and that of our employees, agents, representatives, and contractors.
Generally, we maintain all information you submit to us at least as long as needed for us to otherwise comply with this Policy and any other agreements we enter into with you, and as long as required by applicable law. This allows us to help ensure full functionality of our Online Platforms. To dispose of Personal Information, we may anonymize it, delete it, or take other appropriate steps, but we may not automatically delete all information received from you upon termination of an ongoing relationship with you. Your data, potentially including Personal Information, may persist in copies made for backup and business continuity purposes for additional time.
7. Security Measures
We take data security seriously and we maintain physical, technical, and administrative procedures to protect the data we collect and to secure it from improper of unauthorized use. We endeavor to protect data in our custody and control from loss, misuse, and unauthorized access, use, disclosure, modification, or destruction, and to use industry-standard security measures to ensure an appropriate level of security in light of reasonably available methods and the risks and nature of the information we collect. Substantially all information we receive from you or via your use of our Online Platforms are copied, stored, and managed through computer servers owned or controlled by us. While we attempt to employ security techniques commensurate with industry norms to protect your Personal Information and all other information we may host from unauthorized access by users inside and outside the organization, you should be aware that “perfect security” does not exist on the internet or any other method of electronic transmission or storage; third parties may unlawfully or improperly intercept or access transmissions, personal information, or private communications. As such, we cannot make any assurances or guarantee in any manner that a security breach will not occur that may expose your personally identifiable information to others.
- You provide information to us, including your Personal Information, at your own risk.
- No data transmission over the internet is guaranteed to be 100% secure, and we cannot guarantee that unauthorized access, hacking, data losses, or other breaches will never occur.
- You are responsible for protecting your account information related to our Online Platforms, including any applicable credentials, logins, passwords, etc. and for ensuring that they are not used by others to access our Online Platforms.
8. International Data Transfers
We primarily process and stores data in connection with our Online Platforms in the United States. However, it is possible that data may be processed other countries by our Service Providers. We will take measures to ensure that your Personal Information remains protected to the standards described in this Policy and any such transfers comply with applicable data protection laws. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.
9. Jurisdiction-Specific Notices
As noted above, California residents may have additional rights with respect to their Personal Information as set forth in our California Privacy Addendum below.
Nevada residents may have the right under applicable law to opt out of the sale of their Personal Information that we have collected or will in the future collect. If you are a Nevada resident and wish to make such a request, please contact us at the contact information provided below in this Policy.
Although we do not direct our website specifically toward residents of the European Union (“EU”), some EU residents’ data may be collected through marketing channels or by virtue of our users’ use of our Online Platforms. Collection and storage of any EU resident’s data by us is minimal and incidental.
Notwithstanding the foregoing, if you are an EU resident and would like to request that your data be securely removed from our systems, however collected, please send an email with proof of EU residency to email@example.com. [JS1] We will endeavor to remove all relevant data, so long as that removal is technically feasible, does not impact the legitimate accounting or business practices of our customers, and does not violate other regulatory or legal standards with which we must comply. We will also cooperate with our customers in good faith to address any requests they receive or that may impact them directly.
We will actively monitor our privacy and security practices to verify adherence to this Policy. Any agents, contractors, service providers, or other third parties subject to this Policy that we determine to be in violation of this Policy or applicable data protection laws will be subject to disciplinary action, up to and including termination of applicable services or relationship. Please contact us immediately at the contact information provided under the “Contact Us” heading below if you believe there has been a material violation of this Policy.
Please do not hesitate to contact us with any questions, complaints, or requests with respect to your Personal Information, this Policy, and/or our privacy practices.
You may contact us at:
Attn: Privacy Team
BHT CALIFORNIA PRIVACY ADDENDUM
This California Privacy Addendum supplements the information contained in our Policy[JS2] and applies to all visitors, users, and others who reside in the State of California (“consumers” or “you”) who use our Online Platforms (as defined and described in the Policy). BHT, Inc. (“BHT”, “we”, “us”, or “our”) has adopted this California Privacy Addendum to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and California Civil Code Section 1798.83 (the “Shine the Light Law”). Any terms defined in the CCPA have the same meaning when used in this California Privacy Addendum. With respect to users who are California residents, this notice is incorporated and made a part of our Policy, and the terms of this California Privacy Addendum shall control with respect to California residents in the event of any inconsistency between our Policy and this California Privacy Addendum. Where we use capitalized terms in this California Privacy Addendum that are not expressly defined, those terms have the meaning provided in the Policy.
For purposes of this California Privacy Addendum, personal information does not include:
- Publicly available information from government records
- De-identified or aggregated consumer information not capable of being associated with or be linked, directly or indirectly, to a particular consumer or household
- Information that is excluded from the CCPA’s scope, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), or personal information covered by certain privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) and the Driver’s Privacy Protection Act of 1994.
California Resident Rights under the CCPA
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we have collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
BHT’s Personal Information Collection and Use
We collect the following statutory categories of Personal Information as referenced in the CCPA:
- Identifiers (examples: real name, IP address, email address, or other similar identifiers)
- Personal Information listed in California Civil Code Section 1798.80 (any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information).
- Commercial information (examples: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
- Internet or other similar network activity (examples: Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
- Geolocation (examples/description: city or other general location)
- Sensory data (examples: Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
- Inferences drawn from other personal information (examples/description: profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes)
Although this California Privacy Addendum and the corresponding portions of our Policy are designed, as described in our Policy, to disclose and describe our receipt and use of personal information of which we are aware, we do receive information from users of our Online Platforms, including User Content (as defined in the Policy), in circumstances where we do not control or monitor what is contained in the information received. Accordingly, it is possible that we may receive unsolicited personal information falling in one of the categories described above under circumstances other than those described above. We endeavor to treat all personal information we receive consistent with the terms of our Policy but cannot guarantee such treatment with respect to personal information, if any, that we may unknowingly receive as described in this paragraph.
The categories of sources we receive Personal Information from and the business purposes for our use of such information are set forth in our Policy, in particular under the heading “2. Data We Collect From You; How We Use It”.
The categories of third parties to whom we disclose Personal Information are set forth in our Policy, in particular under the heading “4. How We Share and Disclose Data”
California Resident Rights under the Shine the Light Law
Under the Shine the Light Law, you may ask companies with whom you have a business relationship primarily for personal, family, or household purposes to identify third parties to which they have disclosed personal information (as defined under the Shine the Light Law) during the prior year for their own direct marketing purposes and the categories of information disclosed. We do not disclose your Personal Information to third parties for such third parties’ direct marketing purposes. However, if you reside in California, you can prevent future disclosures for direct marketing purposes of your Personal Information, at no charge, by indicating to us your intent to opt out of such disclosures in a message addressed to the email address or physical mailing address provided in “Section 11 – Contact” of the Policy providing your full name and mailing address and certifying that you are a California resident.