CAPTUREPROOF

Terms & Conditions

Last Modified: October 3, 2017

Thank you for using CaptureProof®. The Service that CAPTUREPROOF, Inc. provides to you is subject to the following Terms of Service ("Terms").

These Terms constitute a legal agreement between you and CAPTUREPROOF, Inc. and its successors, parents, subsidiaries, affiliates and related companies or other companies under a common control that we may have now or in the future operate ("CaptureProof", "we", "our" or "us"). As used in these Terms, the words "you" and "your" refer to you, the user of the CaptureProof Service. The word "including", when used in these Terms to refer to specific examples, will be construed to mean "including, without limitation" or "including but not limited to" and will not be construed to mean that the examples given are an exclusive list of the topics covered. These Terms apply to the CaptureProof website and mobile applications (the "Site") and the asynchronous telemedicine communication service we offer on the Site (together with the Site, the "Service"). These Terms govern your access to and use of the Service, so please carefully read them before using the Service.

By using the Services you agree to be bound by these Terms. If you are using the Services on behalf of an organization, you are agreeing to these Terms for that organization and promising that you have the authority to bind that organization to these terms. In that case, "you" and "your" will refer to that organization.

The following is a brief summary of these Terms:

  • The Terms describe your rights and responsibilities in connection with your use of the Service.
  • As between CaptureProof and you, you own any content you post to the Service.
  • We will only use your content to the extent necessary to provide you with the Service.
  • Protecting your content is very important to us. We endeavor to keep your content secure against unauthorized access and disclosure using a variety of authentication and security processes and procedures.

EUROPEAN UNION AND SWISS CUSTOMERS

The Standard Contractual Clauses below (“Model Clauses”) shall apply to Customers with data that is transferred outside the Member States of the European Union (http://europa.eu/about-eu/countries/index_en.htm), either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Directive). The Standard Contractual Clauses will not apply to Customer data that is not transferred, either directly or via onward transfer, outside the Member States of the European Union.

CaptureProof complies with the US-EU Privacy Shield Framework and US-Swiss Safe Harbor Framework (“Safe Harbor”) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, including as set forth in the Privacy Shield Policy set forth below. To the extent of a conflict between the terms and provisions of Privacy Shield and the Model Clauses, the Model Clauses shall prevail.


HEALTH CARE PROVIDER-PATIENT RELATIONSHIP TERMS

The Service is a tool to facilitate the creation of a patient’s personal visual health record and/or facilitate secure visual and text asynchronous communication between a medical patient and his or her existing team of Health Care Providers. By accepting the Terms, the patient and Health Care Provider agree to this.

For purposes of sharing medical information between a patient user of the Service and a Health Care Provider user of the Service, a Health Care Provider-patient relationship is established when one of the following conditions is met:

  • A patient user sends a request via the Service to connect to a Health Care Provider and it is accepted by the Health Care Provider.
  • A Health Care Provider adds a patient to the Health Care Provider's CaptureProof account, with or without connecting to the patient.
  • A patient user uses an invite code their Health Care Provider has shared with them to create their account.

The Health Care Provider-patient relationship remains in effect until one of the following conditions is met:

  • A patient user terminates the connection to the Health Care Provider.
  • Either the patient or the Health Care Provider terminates his or her CaptureProof account.

Once data is shared with the Health Care Provider, it will remain shared with the Health Care Provider. Terminating the connection will prevent the Health Care Provider from having access to any subsequent data uploaded and/or shared by the patient.

You agree never to use the Service for urgent matters. If you experience any adverse reactions or your medical condition worsens, or for any other urgent matters, you understand that it is your responsibility to seek emergency care immediately.

If at any time you are concerned about your, or your child's, care or the treatment prescribed by a healthcare provider through the Service, or you believe or someone else advises you that you or your child has or suspect that you or your child has a serious or life-threatening condition, call 911 in areas in which that service is available, or go to the nearest emergency room or open clinic.


USER AGREEMENT TO SHARING

You authorize CaptureProof to share the health information contained in your CaptureProof profile, in part or in its entirety, with those entities and individuals you designate. You understand that the designated individuals may share this information with colleagues for the purpose of your treatment.


USER AGREEMENT TO SHARING - MINOR PATIENT

If the patient is under the age of 18, CaptureProof requires you to have the legal right to make health care related decisions on behalf of the minor patient. In using the service you certify that you are authorized by law to make health care related decisions on behalf of the minor patient including having the right to upload imagery of the minor patient to assist the provider's diagnosis and treatment of the minor patient.


ACCEPTANCE OF TERMS

By either (1) clicking to agree to or accept these Terms where these options are presented to you, or (2) following your initial acceptance of terms during account creation, actually using or accessing the Site or any part of the Service, you signify your agreement to be bound by these Terms and all other policies or notices posted by us on the Site. Your use of the Service is also governed by the CaptureProof Business Associate Agreement, Privacy Policy, Security Policy and Acceptable Use Policy, all of which are incorporated by reference into these Terms.

If you don't agree to these Terms, do not use the Service. You agree that your use of the Service will always be subject to the most current version of these Terms at the time of such use. It is your responsibility to review these Terms from time to time for any changes. If you use the Service after we have changed any of the Terms, you are agreeing to all of the changes. Again, if you do not agree, do not use the Service.

You may not use the Service and you may not accept these Terms if you are not at least 18 years of age and, in any event, of a legal age to form a binding contract with CaptureProof.

If you accept these Terms, you represent that you have the power to form a contract with CaptureProof and be bound by these Terms.

Depending on your activities when visiting the Site or using the Service, you may be required to agree to additional terms and conditions as indicated on the Site or via the Service.


PRIVACY AND PROTECTION OF PERSONAL INFORMATION

In addition to these Terms, CaptureProof has established a Privacy Policy to explain how we collect and use information about you. You can review the Privacy Policy below. The Privacy Policy is incorporated by reference into these Terms.

PATIENT RESPONSIBILITIES

It is the responsibility of the patient to follow the advice of their Health Care Provider and arrange any and all follow up in-office or online communication that is requested by the Health Care Provider. If a follow up appointment is requested and the patient does not either schedule or maintain the appointment, or even if the patient does follow up, CaptureProof is not liable for any delay in diagnosis or treatment.

This site does not provide medical or any other health care advice, diagnosis or treatment. Always seek the advice of your Health Care Provider or other qualified Health Care Provider with any questions you may have regarding a medical condition, diet, fitness or wellness program. Never disregard professional medical advice or delay in seeking it because of information you accessed on or through the service.

Files and other content in the Service may be protected by intellectual property rights of others. You agree not to copy, upload, download, or share files unless you have the right to do so. You, not CaptureProof, will be fully responsible and liable for what you share, upload or otherwise use while using the Service. You will not upload spyware or any other malicious software to the Service.

We do not claim ownership of the content you submit through the Service. Your content remains your content. We also don't control, verify, or endorse the content that you and others make available through the Service. While we assume no responsibility to monitor content that you and others make available, we retain the right to remove any content at our discretion.


MEMBER ACCOUNT, PASSWORD AND SECURITY

The Service requires you to register by creating a user account. You must complete the registration process by providing us with current, complete and accurate information as prompted by the applicable registration form. This means that you may not set up an account using someone else's name or contact information, unless you are a parent or legal guardian setting up and maintaining an account for your child, and in no event may you set up an account using a phony name or phony contact information. You also will be required to choose a password and/or a PIN. You are entirely responsible for safeguarding your password, PIN, and account, and you agree not to disclose your login information to any third party. Furthermore, you are entirely responsible for any and all activities that occur under your account, whether or not you authorized that activity. You agree to notify CaptureProof immediately of any unauthorized use of your account or any other breach of security, by sending an email to security@captureproof.com.

CaptureProof will not be liable for any loss that you may incur as a result of someone else using your password, PIN or account, either with or without your knowledge. However, you could be held liable for losses incurred by CaptureProof or another party due to someone else using your account, PIN or password. You may not use anyone else's account at any time, without the permission of the account holder. You may not transfer your account to someone else. You will be liable for losses and damages incurred by us (or anyone else) due to the unauthorized use of your account. If your account is terminated, we will permanently delete your data from our servers to the extent feasible. We have no obligation to return data to you after your account is terminated.


HEALTH CARE COMMUNICATION

AS A PATIENT: It is your duty to provide true, accurate, current and complete personal information, including your current contact information and medical records, which are necessary for us to provide the Service to you.

You must not make any misrepresentations in the information you provide to CaptureProof or your team of Health Care Providers. In order for the Service to function effectively, you must also keep your account information up-to-date and accurate.

In addition to these Terms, CaptureProof has established an Acceptable Use Policy, which governs the acceptable use of the Site and the Service. Please find a copy of this Policy at www.captureproof.com/home/terms.html. The Acceptable Use Policy is incorporated by reference into these Terms.


PAYMENT OF FEES

PATIENT:

Patients are not charged any fees for the use of the CaptureProof Platform.


HEALTH CARE PROVIDER:

Payment
By accessing or using the services you agree that your credit card will be billed on a monthly basis, on behalf of your medical institution or practice. You are agreeing to the terms and conditions of the CAPTUREPROOF, Inc. pricing policy described herein. During registration, you will have the opportunity to elect which payment method you would prefer to use: either instant pay via credit/debit card or to be invoiced and pay via wire transfer or check.

  • A. Payment through Account: Credit/Debit Card.
    1. Payment accepted via credit/debit card. CaptureProof accepts payment via a valid credit or debit card. Fees are due and payable in advance and are automatically charged to your credit card on the first day of each 30 day billing cycle. Fees paid for licenses are non-refundable. If your Practice Account has been suspended for non-payment, it will only be reactivated upon payment, in full, of all overdue fees. Your Practice Account will not be activated or reactivated without prior payment. Incomplete or incorrect account information may result in cancellation of your license and inactivation of your account. Your first month’s prepayment (prorated based on the date your license is activated) and the following month will be charged upon activation and you will otherwise be billed on the first day of each month. Please contact payments@captureproof.com for information on other billing methods available.
    2. Billing Information. Customer represents that it has provided Company with current, complete and accurate information for Practice Account. Customer will promptly update all information to keep Practice Account information current, complete and accurate (such as a change in billing address, card number or expiration date), and will promptly notify the Company if your chosen Payment Method is canceled (including if you lose your credit or debit card or it is stolen). The Administrator for Practice Account may make changes to such information on the "Virtual CaptureProof Office" on the Website. Charges for the Service are processed by Stripe or another third party provider. In such case, you hereby authorize the Company to charge your chosen payment provider (e.g., MasterCard, Visa, American Express) for the Service. You may change the Payment Method by logging into your account and going into your account settings. The Company may correct any billing errors or mistakes that it makes even if it has already requested or received payment. If Customer initiates a chargeback or otherwise reverses a payment, the Company may, in its sole discretion, terminate Customer’s Account and any of its Authorized Users’ Accounts immediately. If the Company successfully disputes the reversal, and the reversed funds are returned, Customer is not entitled to a refund or to have the Practice Account or License reinstated. If the Company does not receive payment from your Payment Method provider, you are still responsible for making the payment due and Customer agrees to pay all amounts due upon demand. If you fail to make a timely payment, as provided above, the Company may terminate or suspend the Practice Account and all Authorized Users’ Accounts and continue to attempt to charge your Payment Method provider until payment is received. 
       Customer specifically authorizes the Company to obtain updated or replacement expiration dates and card numbers for the credit or debit card as provided by the credit or debit card issuer. In certain instances, the issuer of the credit card may charge a foreign transaction fee or related charges, which Customer shall be responsible to pay. For more information visit: https://stripe.com/us/terms and https://stripe.com/us/privacy. Company reserves the right to change its third party billing provider at any time without notice to Customer.
  • B. If Customer upgrades and/or increases users on the Practice Account (a “License Upgrade”), any incremental License Charges associated with such License Upgrade will be prorated over the remaining period of Your then current License Term, charged to the Practice Account. In any future License Term, Customer’s Subscription Charges will reflect any such Practice Account License Upgrade.
  • C. Payment Termination. In the event you decide to terminate your service, you simply need to notify us at least five (5) days prior to the end of the current billing and your account will be shut down at the end of the billing period; otherwise, the services will terminate at the end of the following period. All prepaid monthly fees are non-refundable and will not be prorated.
  • D. Lawful Use. It is a violation of law for you to misuse or fraudulently use credit and debit cards. CaptureProof will report all misuse and fraudulent use to government authorities, credit reporting services, financial institutions and credit card companies.
  • E. Problematic Transactions. If you believe that an unauthorized or otherwise problematic transaction has taken place under your account, you agree to notify CaptureProof immediately so that CaptureProof may take action to attempt to prevent financial loss or other loss.
  • F. Billing Discrepancies. Your right to raise billing discrepancies and any associated recovery is waived unless reported to CAPTUREPROOF at help@captureproof.com within sixty (60) calendar days after such discrepancy is discovered.

SUBMITTED INFORMATION

You warrant and represent to us that you either own all the information you are submitting or have the right to submit the information. Furthermore, you warrant and represent that you have the right to allow us to make your information available to our employees and agents to view and use in connection with providing the Service without requiring that any such use be subject to additional obligations or terms.


LEGAL NOTICES


MODIFICATIONS

We may revise these Terms from time to time and the most current version will always be posted on our website. We may communicate revisions to these Terms to you via email to the email address associated with your account or via notices displayed on the Site. By continuing to access or use the Service after revisions become effective, you agree to be bound by the revised Terms. If you do not agree to the new terms, please stop using the Service.


MISCELLANEOUS LEGAL TERMS

These Terms, together with any additional terms and conditions as indicated on the Site or via the Service, constitute the entire and exclusive agreement between you and CaptureProof with respect to the Service, and supersede and replace any other agreements, terms and conditions applicable to the Service. These Terms create no third party beneficiary rights. CaptureProof’s failure to enforce a provision is not a waiver of its right to do so later. If a provision is found unenforceable, the remaining provisions of the Agreement will remain in full effect and an enforceable term will be substituted reflecting our intent as closely as possible. You may not assign any of your rights in these Terms, and any such attempt is void, but CaptureProof may assign its rights without restriction. CaptureProof and you are not legal partners or agents; instead, our relationship is that of independent contractors.


CAPTUREPROOF PROPERTY

These terms do not grant you any right, title, or interest in the Service, Site, or the content in the Service (other than your personal information and any other content you post to the Service). The Software and other technology we use to provide the Service are protected by applicable intellectual property and other laws.

If you give feedback on the Service, such as recommendations for improvements or features, you hereby assign to CaptureProof all right, title and interest in and to such feedback, and that feedback may be implemented as part of the Service without compensation to you.

All brand, product and service names and other brand features used in the Service that identify CaptureProof or the Service are the trademarks or service marks of CaptureProof or its licensors. Nothing in the Service or these Terms shall be deemed to confer on any person any license or right on the part of CaptureProof or any licensor with respect to any such brand features.


WARRANTY DISCLAIMER

USE OF THE SERVICE IS AT YOUR OWN RISK. THE SERVICE IS PROVIDED ON AN "AS IS," "WHERE IS" AND "AS AVAILABLE" BASIS. CAPTUREPROOF AND ITS AFFILIATES, SUPPLIERS AND PARTNERS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

CAPTUREPROOF AND ITS AFFILIATES, SUPPLIERS AND PARTNERS MAKE NO WARRANTY, REPRESENTATION OR PROMISE THAT (A) THE SERVICE WILL MEET YOUR REQUIREMENTS; (B) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE; OR (C) THAT THERE WILL BE NO ERRORS IN THE SERVICE. ANYTHING OBTAINED THROUGH USE OF THE SERVICE IS OBTAINED AT YOUR OWN DISCRETION AND RISK AND CAPTUREPROOF SHALL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED TO YOUR COMPUTER OR DATA OR FOR ANY BUGS, VIRUSES, TROJAN HORSES OR OTHER DESTRUCTIVE CODE, OR FOR ANY OTHER LOSSES YOU MAY INCUR, RESULTING FROM YOUR USE OF THE SERVICE.

SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE OTHER LEGAL RIGHTS, WHICH VARY FROM STATE TO STATE.


LIMITATION OF LIABILITY

TO THE FULLEST EXTENT PERMITTED BY LAW, (A) IN NO EVENT WILL CAPTUREPROOF, OR ITS AFFILIATES, DIRECTORS, OFFICERS, INVESTORS, EMPLOYEES, AGENTS, ADVERTISERS, LICENSORS, SUPPLIERS, OR SERVICE PROVIDERS, BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF USE, DATA, BUSINESS, OR PROFITS), REGARDLESS OF LEGAL THEORY, WHETHER OR NOT CAPTUREPROOF HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE; AND (B) CAPTUREPROOF'S TOTAL LIABILITY TO YOU FOR DAMAGES, LOSSES, AND CAUSES OF ACTION UNDER ANY THEORY OF LIABILITY SHALL IN NO EVENT EXCEED $100.


INDEMNITY

You agree to indemnify, defend, and hold harmless CaptureProof, its affiliates and their respective directors, officers, employees and agents from and against any losses, costs, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of any claims, actions, suits or proceedings related to your use of the Service, your violation of these Terms or of any rights of any third party, or any content or other information you submit to the Service. Your indemnification obligation will survive the termination of these Terms and your use of the Service.


TERMINATION AND SUSPENSION

We may terminate or suspend your permission to use the Service immediately and without notice upon any violation of these Terms, your failure to pay any fees when due, upon the request of law enforcement or government agencies, after extended periods of inactivity, for unexpected technical issues or problems, or in the event you engage in fraudulent or illegal activities. We also reserve the right to refuse, restrict, discontinue or terminate the Service (or any portions, components or features of the Service) to you or any other person or entity, for any reason or for no reason whatsoever, at any time, without notice or liability. If we terminate your use of the Service for any of these reasons or otherwise for cause, we will not refund any fees you may have paid.


AVAILABILITY

You acknowledge that temporary interruptions in the availability of the Service may occur from time to time, including the malfunction of equipment, periodic updating, maintenance or repair of the Service or other actions that CaptureProof, in its sole discretion, may elect to take. Under no circumstances will CaptureProof be held liable for any damages due to such interruptions or lack of availability.


ADDITIONAL TERMS

Portions of the Service may be accompanied by additional terms that apply to specific features or areas of the Service (e.g., Authorized Use Policy, Privacy Policy, and Guardian Authorization). Those additional terms supplement these terms with respect to your use of those features or areas.


GOVERNING LAW AND DISPUTE RESOLUTION

These Terms are governed by laws of the state of California, without respect to its conflict of laws principles. The sole jurisdiction and venue for any claim arising from the Service and these Terms shall be the state and federal courts located in San Francisco, California and each party hereby consents to the exclusive jurisdiction and venue of such courts.

You agree that if you want to bring a legal claim against us under these Terms, you must file your claim within one year after the date on which you discovered or reasonably should have discovered the event that gave rise to your claim.

TO THE EXTENT PERMITTED BY LAW, THE PARTIES AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS, WHETHER IN ARBITRATION OR IN COURT, WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS OR REPRESENTATIVE ACTION OR AS A NAMED OR UNNAMED MEMBER IN A CLASS, CONSOLIDATED, REPRESENTATIVE OR PRIVATE ATTORNEY GENERAL ACTION, UNLESS BOTH YOU AND CAPTUREPROOF SPECIFICALLY AGREE TO DO SO IN WRITING.

If you do not wish to be bound by the foregoing class-action waiver, you must notify CaptureProof in writing within 30 days of the date that you accept these Terms. Your written notification must be mailed to: CaptureProof, Inc., ATTN: Legal, 95 Third St, Suite 270, San Francisco, CA 94105.


NOTICES

Notices to you may be sent via email or provided through links displayed on the Site. You understand and agree that notices and other information ("Communications") may be provided by CaptureProof to you by electronic means (i.e., via email or by posting the information on the Site). The categories of Communications that may be provided by electronic means include:

  • These Terms and any amendments, modifications, or supplements;
  • Any breach notifications, as required under HIPAA;
  • Disclosures or notices provided in connection with the Service, including any required by federal or state law (including initial disclosures, periodic statements, initial and revised privacy notices; opt-out notices and change-in-terms notices);
  • Any other communication related to the Service.

All Communications will be deemed to have been received by you after they are posted on the Site for 5 days, whether or not you have retrieved the Communication from the Site. An electronic Communication by email is considered to be sent at the time that it is directed by CaptureProof’s email server to your email address, whether or not you receive it. You agree that these are reasonable procedures for sending and receiving electronic Communications.

You agree to promptly update your account records with CaptureProof if your email address changes so that CaptureProof may contact you electronically. You understand and agree that if we send you an electronic Communication but you do not receive it because the email address on file is incorrect, out of date, blocked by your service provider or you are otherwise unable to receive electronic Communications, CaptureProof will be deemed to have provided the Communication to you.

Although we reserve the right to provide Communications in paper format at any time, you agree that we are under no obligation to do so. All Communications in either electronic or paper format will be considered to be "in writing." You should print a paper copy of these Terms and any Communication that is important to you and retain the copy for your records. If you do not wish to receive these Terms or the Communications electronically, you may not use the Service.

If you have opened an account with us and you wish to withdraw your consent to have Communications provided electronically, you must close your account and stop using the Service. There are no fees to close your account, but a return data-handling fee may apply.


APPLE INC. APP STORE

The terms of this Agreement (“Terms”) apply to your use of the Service, including iOS applications available via the Apple, Inc. (“Apple”) App Store (the “Application”), but the following additional terms also apply to the Application:

End-User License Agreement (EULA)

  • Both you and CAPTUREPROOF acknowledge that the Terms are concluded between you and CAPTUREPROOF only, and not with Apple, and that Apple is not responsible for the Application or the Content;
  • The Application is licensed to you on a limited, non-exclusive, non-transferable, non-sublicensable basis, solely to be used in connection with the Service for your private, personal, non-commercial use, subject to all the terms and conditions of these Terms as they are applicable to the Service;
  • You will only use the Application in connection with an Apple device that you own or control;
  • You acknowledge and agree that Apple has no obligation whatsoever to furnish any maintenance and support services with respect to the Application;
  • In the event of any failure of the Application to conform to any applicable warranty, including those implied by law, you may notify Apple of such failure. Upon notification, Apple’s sole warranty obligation to you will be to refund you the purchase price, if any, of the Application;
  • You acknowledge and agree that CaptureProof, and not Apple, is responsible for addressing any claims you or any third party may have in relation to the Application;
  • You acknowledge and agree that, in the event of any third party claim, that the Application or your possession and use of the Application infringes that third party’s intellectual property rights, CaptureProof and not Apple, will be responsible for the investigation, defense, settlement and discharge of any such infringement claim;
  • You represent and warrant that you are not located in a country subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a “terrorist supporting” country, and that you are not listed on any U.S. Government list of prohibited or restricted parties;
  • Both you and CaptureProof acknowledge and agree that, in your use of the Application, you will comply with any applicable third party terms of agreement which may affect or be affected by such use; and
  • Both you and CaptureProof acknowledge and agree that Apple and Apple’s subsidiaries are third party beneficiaries of these Terms, and that upon your acceptance of these Terms, Apple will have the right (and will be deemed to have accepted the right) to enforce these Terms against you as the third party beneficiary hereof.

To the extent that the additional terms of the End-User License Agreement conflict with the Terms, the EULA shall control with respect to your use of the Service via the Application.


CONTACT US:

If you would like to contact us to provide feedback, comments or requests for technical support, and/or complaints or claims with respect to the EULA, you should contact us through our customer support department at help@captureproof.com or call our support line at 415.770.2020.

The Business Associate Agreement below binds only Covered Entities, including Health Care Providers and the health care organization to which they belong. The Business Associate Agreement does not apply to Users who are patients.

This is the standard Business Associate Agreement (BAA) that CaptureProof offers to all Covered Entity Users. We are willing to negotiate terms of the Business Associate Agreement with any Covered Entity. We are willing to negotiate new terms to a BAA at a fixed fee of USD $3000.

We recognize that many Covered Entities have their own contracting requirements, and that our click-through BAA is not a one-size-fits-all document. We offer the ability for customers to negotiate our standard form BAA with us, within certain boundaries and on the terms and conditions set forth below. We will aim to be as flexible as we can, but we also recognize that, because of the wide variance in risk tolerances and different sensitivities attached to different types of health information, our product, and the terms under which it is offered, will not be suitable for all organizations. Subject to the payment of the $3,000 non-refundable fee, we will engage in good faith negotiations with you to put in place a BAA specific to your entity. However, as with any contractual negotiations, we cannot guarantee that an agreement will be reached.

Email: legal@captureproof.com for further information.


BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement is between CAPTUREPROOF, Inc. and the covered entity User who purchases CaptureProof’s 'Service' as defined in the Terms and Conditions. This Business Associate Agreement is incorporated by reference into the Terms and Conditions of Service when applicable. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.

If you are entering into this Agreement on behalf of a business or medical practice, you represent that you have the authority to bind said business to this Agreement.

THIS BUSINESS ASSOCIATE AGREEMENT is dated on the day of acceptance of the "Terms and Conditions" or when the user begins to use the Service, whichever is first. This agreement is entered into between the User (hereafter referred to as "Covered Entity") and CAPTUREPROOF, Inc. (hereafter referred to as "Business Associate").

WHEREAS, Covered Entity is subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA") and amendments thereto set forth in the American Recovery and Reinvestment Act (the "HITECH Amendments") and the HIPAA Privacy, Security and Breach Notification Rules (the "HIPAA Rules");

WHEREAS, Business Associate is a business associate of Covered Entity under HIPAA, the HITECH Amendments, and the HIPAA Rules.

NOW THEREFORE, the parties agree to the terms of this Business Associate Agreement as follows:

  1. ENGAGEMENT. Business Associate is engaged to provide asynchronous telemedicine services to Covered Entity under the terms and conditions of a Services Agreement that shall be contemporaneously adopted and incorporated herein by reference.
  2. RELATIONSHIP OF PARTIES. Business Associate shall provide services pursuant to the Services Agreement as an independent contractor. Any persons employed by Business Associate or otherwise retained by Business Associate, are not in any way, directly or indirectly, expressly or by implication, employees of Covered Entity, nor shall they be deemed employees of Covered Entity for purposes of withholding income taxes, coverage of any employee benefit program, any tax or contribution levied by the Federal Social Security Act or any corresponding State law with respect to employment compensation for employment, or for purposes of workers' compensation coverage. Business Associate has the sole responsibility for paying such employees and making deductions required by law, reporting compensation of such employees as required by law and generally determining any and all appropriate forms of compensation and fringe benefits for them.
  3. COMPLIANCE WITH HIPAA RULES.
    1. Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: covered entity, business associate, breach, data aggregation, designated record set, disclosure, electronic protected health information, health care operations, individual, limited data set, minimum necessary, notice of privacy practices, personal representative, protected health information, required by law, Secretary, security incident, subcontractor, unsecured protected health information, and use.
    2. Applicability of Business Associate Requirements. In accordance with the HITECH Amendments, HIPAA Rules are applicable to Business Associate.
    3. Protected Health Information. In the course of acting pursuant to this Agreement, Business Associate may receive or create protected health information ("PHI") in its capacity as a business associate of Covered Entity. As a result, Business Associate must utilize appropriate safeguards to prevent the use and disclosure of PHI other than as provided for by this Business Associate Agreement.
    4. (a) To this end, Business Associate agrees as follows:
      • (i) Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or as required by law;
      • (ii) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement;
      • (iii) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Business Associate Agreement or in violation of the HIPAA Rules.
      • (iv) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware; including breaches of unsecured protected health information and any security incident of which it becomes aware;
      • (v) Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
      • (vi) Business Associate agrees to provide access to PHI in a designated record set, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Covered Entity or, as directed by Covered Entity, to an individual (including the individual's personal representative) in order to meet the requirements of the HIPAA Privacy Rule which govern an individual's right to access to his or her own PHI.
      • (vii) Business Associate agrees to make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity in accordance with the HIPAA Privacy Rule, at the request of Covered Entity or the individual, and in the time and manner designated by Covered Entity.
      • (viii) Business Associate agrees to make its internal practices, books, and records relating to the use or disclosure of PHI pursuant to this Agreement available to Covered Entity or the Secretary for purposes of determining compliance with the HIPAA Rules.
      • (ix) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity, in a time and manner designated by Covered Entity, as necessary to satisfy Covered Entity's obligations under the Privacy Rule to provide an accounting of disclosures of PHI upon request by an individual.
      • (x) Business Associate agrees, upon request by an individual for a restriction upon disclosure of PHI, to comply with the requested restriction if, except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or healthcare operations and the PHI pertains solely to items or services for which Covered Entity has already been paid out-of-pocket in full.
      • (xi) Business Associate agrees to only use or disclose PHI if the use or disclosure is limited to a limited data set, or if it is limited to the minimum necessary to accomplish the intended purpose of the use or disclosure.
    5. (b) Pursuant to the HIPAA Rules, Covered Entity shall inform Business Associate of privacy practices and restrictions as follows:
      • (i) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with the HIPAA Privacy Rule, as well as any changes to such notice.
      • (ii) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's permitted or required uses or disclosures of PHI.
      • (iii) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with the HIPAA Privacy Rule, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
    6. Permitted Uses and Disclosures. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services as specified in this Business Associate Agreement, provided such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity or that would violate Covered Entity's minimum necessary policies and procedures. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may provide data aggregation services relating to the health care operations of Covered Entity.
    7. HIPAA Security Rule. In accordance with the HITECH Amendments, the HIPAA Security Rules are applicable to Business Associate if Business Associate creates, receives, maintains or transmits electronic PHI. As a result, if Business Associate creates, receives, maintains or transmits electronic PHI, Business Associate must, in accordance with the HIPAA Security Rule:
      • (a) Comply with the security standards;
      • (b) Implement administrative safeguards;
      • (c) Implement physical safeguards;
      • (d) Implement technical safeguards;
      • (e) Comply with the organizational requirements;
      • (f) Implement security policies and procedures; and
      • (g) Comply with the documentation requirements.
    8. Breach of Unsecured PHI. If there is a breach of unsecured PHI, Business Associate shall notify Covered Entity of the breach and identify for Covered Entity the individuals whose unsecured PHI was, or is reasonably believed to have been, breached within 10 days of the discovery of the breach. The notice to Covered Entity shall include:
      • (a) A brief description of what happened including the date of the breach and the date of discovery of the breach;
      • (b) A description of the types of unsecured PHI involved;
      • (c) A description of the steps that the individuals should take to protect themselves from harm; and
      • (d) A brief description of what Business Associate is doing to investigate, mitigate loss, and protect against further breaches.
    9. Survival. The rights and obligations under this Section 4 shall survive termination of this Agreement.
  4. NOTICE. All notices under this Business Associate Agreement shall be in writing and shall be sufficient in all respects if delivered personally, by nationally recognized overnight delivery service, by registered or certified mail, postage prepaid, by confirmed fax, or by other electronic means, provided that the delivery can be confirmed, addressed as follows:
  5. TERM. The Term of this Business Associate Agreement shall be one year, unless sooner terminated under the provisions set forth herein. Following expiration of such initial term, this Business Associate Agreement will automatically renew for successive terms of twelve (12) months each unless either party gives written notice to the other party not less than thirty (30) days prior to the termination of the initial or any extended term.
  6. TERMINATION.
    1. Termination. Except as provided below, this Business Associate Agreement may be terminated at the end of the current term upon thirty (30) days written notice.
    2. Termination for Cause. Notwithstanding the above, upon Covered Entity's knowledge of a material breach by Business Associate of Section 3 of this Business Associate Agreement, Covered Entity may:
      • (a) Provide an opportunity for Business Associate to cure the breach or end the violation. Should Covered Entity provide Business Associate an opportunity to cure the breach or end the violation of Section 3 and Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, Covered Entity shall terminate this Agreement immediately.
      • (b) Immediately terminate this Business Associate Agreement if Business Associate has breached a material term of Section 3 of this Business Associate Agreement and cure is not possible; or
      • (c) If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
  7. RETURN OR DESTRUCTION OF RECORDS. Upon termination of this Agreement for any reason, Business Associate shall destroy or return to Covered Entity all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that destroying or returning the information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI. The obligations of Business Associate under this Section 7 shall survive the termination of this Agreement.
  8. INDEMNIFICATION. Business Associate shall indemnify and hold harmless, Covered Entity, its directors, officers, agents, and employees from and against any and all liability, damage, loss, cost, or expense resulting from any claims made or suits brought for personal injury or property damage by third parties, due to or arising out of Business Associate's acts or omissions pursuant to this Business Associate Agreement. Covered Entity shall indemnify and hold harmless, Business Associate, its directors, officers, agents, and employees from and against any and all liability, damage, loss, cost, or expense resulting from any claims made or suits brought for personal injury or property damage by third parties, due to or arising out of Covered Entity's acts or omissions pursuant to this Business Associate Agreement.
  9. ENTIRE AGREEMENT. This Agreement embodies the entire Agreement between the parties and supersedes all prior agreements, both written and oral, relating to the subject matter hereof. There are no understandings, agreements, representations, warranties, oral or written, express or implied, which have been made by any party hereto except as expressly provided herein.
  10. AMENDMENT, MODIFICATION, REVOCATION, WAIVER. This Agreement can be amended or modified only by a written agreement executed by duly authorized representatives of Business Associate and Covered Entity. No waiver of any provision of this Agreement shall be valid unless in writing and signed by both Business Associate and Covered Entity's duly authorized representatives. The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of the HIPAA Rules and any other applicable law.
  11. INTERPRETATION. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. Any reference in this Agreement to the HIPAA Rules means the law and regulations then in effect.
  12. SUCCESSORS. The covenants, conditions and agreements made and entered into by Business Associate and Covered Entity under this Agreement shall be binding on their respective heirs, personal representatives, administrators, executors, successors and permitted assigns.

IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized officers.

Business Associate Addendum

This Business Associate Agreement Addendum is between CAPTUREPROOF, Inc. and the covered entity User who purchases CaptureProof’s "Services" as defined in the Terms and Conditions. This Business Associate Agreement Addendum is incorporated by reference into the Terms and Conditions of Service when applicable. Terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Privacy Rule.

If you are entering into this Addendum on behalf of a business or medical practice, you represent that you have the authority to bind said business to this Addendum.

THIS BUSINESS ASSOCIATE AGREEMENT ADDENDUM is dated on the day of acceptance of the "Terms and Conditions" or when the user begins to use the Service, whichever is first. This agreement is entered into between the User (hereafter referred to as "Covered Entity") and CAPTUREPROOF, Inc. (hereafter referred to as "Business Associate").

WHEREAS, Covered Entity is subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA") and amendments thereto set forth in the American Recovery and Reinvestment Act (the "HITECH Amendments") and the HIPAA Privacy, Security and Breach Notification Rules (the "HIPAA Rules");

WHEREAS, Business Associate is a business associate of Covered Entity under HIPAA, the HITECH Amendments, and the HIPAA Rules.

NOW THEREFORE, the parties hereby agree to this Addendum to the Business Associate Agreement to protect personal information transferred from European Union/Swiss Countries in accordance with the Privacy Shield framework developed by the U.S. Department of Commerce in consultation with the European Commission to satisfy the European Commission's Directive on Data Protection.

The parties agree to comply with CaptureProof's Privacy Shield Policy which is incorporated herein by reference. This includes, but is not limited to, assurance from agents that they will safeguard personal information consistent with the Privacy Shield Policy.

IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to be duly executed in its name and on its behalf as of the Effective Date.

Last Modified: October 3, 2017

Privacy Shield Privacy Policy

Last Modified: October 3, 2017

This Privacy Policy (this “Policy”) applies to all personal information received by CAPTUREPROOF, Inc. in the United States from the European Economic Area (EEA) (which includes the member states of the European Union (EU) plus Iceland, Liechtenstein and Norway). This Policy sets out our practices for collecting, using, maintaining, protecting and disclosing that personal information.


DEFINITIONS

For purposes of this Policy, the following definitions shall apply:

"Agent" means any third party that collects or uses personal information under the instructions of, and solely for, CaptureProof or to which CaptureProof discloses personal information for use on CaptureProof’s behalf.

"CaptureProof" means CAPTUREPROOF, Inc. and any of its subsidiaries, predecessors and successors in the United States.

"Personal information" or "information" means any information or set of information that identifies and/or could be used by or on behalf of CaptureProof to identify (together with other information) a living individual. Personal information does not include information that is anonymized or aggregated.


PRIVACY SHIELD PRIVACY PRACTICES

CaptureProof complies with the Privacy Shield as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. CaptureProof has certified that it adheres to these frameworks’ Privacy Shield Privacy Principles, which are the basis for the principles of this Policy. To learn more about the Shield program, and to view CaptureProof’s certification, visit https://www.privacyshield.gov


NOTICE

CaptureProof collects IP address, email address, name and other contact information. We use a third party provider to collect your payment information. We also collect other information required to configure, use, and receive support for the services, the time you visited, and browser type.

We may disclose personal information to data analytics companies. Google may use the data collected to contextualize and personalize the ads of its own advertising network.

Where CaptureProof receives personal information from its subsidiaries, affiliates or other entities in the EEA, CaptureProof will use that information in accordance with the notices those entities provided to the individuals to whom that personal information relates and the choices made by those individuals.


OUR WEBSITE

CaptureProof’s website uses cookies. A cookie is a piece of data stored on a site visitor’s hard drive to help improve access to the site and identify repeat visitors. The information collected from cookies may be used to monitor browsing preferences. Usage of a cookie is in no way linked to any personal information.


CHOICE

CaptureProof offers individuals the opportunity to choose whether their personal information is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, unless the use or disclosure is otherwise permitted or required by the Privacy Shield Principles. You may opt out of Google Analytics by visiting the Google Analytics opt-out page. You may opt out of Mixpanel Analytics by visiting the Mixpanel opt-out page. You may opt out of Yandex by visiting the Yandex opt-out page. Opting out of these services may limit your ability to use the Services.


DATA INTEGRITY

CaptureProof uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. CaptureProof takes reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete and current.

ONWARD TRANSFERS

CaptureProof obtains assurances from its agents that they will safeguard personal information consistently with this Policy and use any information for the limited and specified purposes. Examples of appropriate assurances that may be provided by agents include the following: a contract obligating the agent to provide at least the same level of protection as is required by the relevant Privacy Shield Principles, and the agent being subject to EU Directive 95/46/EC (the EU Data Protection Directive), its own Privacy Shield certification, or another European Commission adequacy finding. CaptureProof remains liable for the acts and omissions of its third party agents.


ACCESS AND CORRECTION

Upon request, CaptureProof will grant individuals reasonable access to personal information that it holds about them. In addition, CaptureProof takes reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. However, in accordance with Privacy Shield Principles, an individual's right to access and correct, amend or delete information may be limited where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy or where the rights of persons other than the individual would be violated.

In order to request such access and/or correction, please email: security@captureproof.com

CaptureProof will need to verify your identity prior to granting any such access to personal information held.


SECURITY

CaptureProof takes reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. CaptureProof has put in place appropriate physical, technical and administrative safeguards to secure the information from loss, misuse, unauthorized access or disclosure, alteration, or destruction online.


ENFORCEMENT

CaptureProof conducts self-assessed compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that CaptureProof determines is in violation of this policy will be subject to disciplinary action.


DISPUTE RESOLUTION

Any questions regarding the use or disclosure of personal information should be directed to CaptureProof at the address given below. CaptureProof will investigate and attempt to resolve complaints regarding use and disclosure of personal information by reference to the principles contained in this Policy. You can contact us using the following information:

CaptureProof HQ
℅ Privacy Officer, Meghan Conroy
95 Third St, Suite 270, San Francisco, CA 94105
United States of America
security@captureproof.com
415-770-2020

CaptureProof has further committed to refer unresolved privacy complaints under the Privacy Shield to an independent dispute resolution mechanism, established by the European Union Data Protection Authority (DPA). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by CaptureProof, please contact them for more information and to file a complaint. The EU DPA panel may be contacted at ec-dppanel-secr@ec.europa.eu and the EU DPA may be contacted directly via the information provided at http://ec.europa.eu/justice/data-protection/bodies/authorities/third-countries/index_en.htm. Fax: (32-2)296 80 10. Telephone: (32-2)295 17 86. Mail: Data protection panel secretariat, Rue de Luxembourg 46 (01/126), B-1000 Brussels, BELGIUM.

The DPA dispute resolution process shall be conducted in English. In addition, the United States Federal Trade Commission is the statutory body that has jurisdiction to hear any claims against CaptureProof regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy. If CaptureProof does not resolve the complaint, you can submit the matter to arbitration to a single arbitration of the Privacy Shield Panel. The remedies from this arbitration are limited to individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual.


LIMITATIONS & AMENDMENTS

Adherence by CaptureProof to the Privacy Shield Principles may be limited (a) to the extent required to respond to a legal obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.

This Policy may be amended from time to time, in a manner consistent with the requirements of the Privacy Shield Principles. CaptureProof will post any revised policy here and we encourage visiting the CaptureProof website periodically to check for updates.

Last Modified: October 3, 2017

Security & Privacy Policy

Last Modified: October 3, 2017


SECURITY OVERVIEW

CaptureProof is HIPAA-compliant. We provide this overview so that you can better understand the security measures we've put in place to protect the information that you store using CaptureProof.


SECURE STORAGE & RESERVED INSTANCES

All data stored in our databases is symmetrically encrypted using AES 256 keys. Amazon Web Services stores data over several large-scale data centers. You can find more information about Amazon Web Services' security at the Amazon Web Services' website. Encryption keys are stored using further encryption.


SECURE TRANSFERS

Your files are sent from CaptureProof’s mobile and web apps to our servers over a secure channel using SSL encryption, the standard for secure Internet network connections.


USER ACCOUNTS

User accounts are password protected. Upon successful entry of a unique username, password and authentication token, the user then gains access to his or her account.


YOUR DATA IS BACKED UP

CaptureProof and Amazon Web Services keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss.


PRIVACY

We guard your privacy and work hard to protect your information from unauthorized access. Except as stated in the next sentence, CaptureProof employees are prohibited from viewing the content of files you store in your CaptureProof profile(s), and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in the CaptureProof Privacy Policy (e.g., when legally required to do so). We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.


COMPLIANCE WITH LAWS AND LAW ENFORCEMENT

CaptureProof cooperates with United States law enforcement when it receives valid legal process, which may require CaptureProof to disclose information contained in your CaptureProof profile(s). In the case of being compelled to disclose information as above, CaptureProof will decrypt the data before providing them to law enforcement.


AUDITING

Our auditing process tracks all records that are created, deleted and modified. We also track activity on the site by users, such as login, page view, viewing images, adding notes and other activity on the site by Patients and Medical Professionals.

You understand that your medical history is entered into the CaptureProof database and that all reasonable measures have been and will be taken to protect the confidentiality of this medical and personal information in accordance with HIPAA standards. You know that no computer or phone system is completely 100% secure. CaptureProof understands your rights to reasonable privacy in accordance with HIPAA standards and state laws, and in accordance with our Privacy Policy, will not release information to anyone without your written authorization or as required or permitted by law, or in accordance with your health insurer's privacy policy if applicable, or as otherwise disclosed via our Privacy Policy.


CAPTUREPROOF, INC. PRIVACY POLICY

CAPTUREPROOF PRIVACY POLICY

Last Modified: October 3, 2017

CaptureProof takes your privacy very seriously. We are committed to protecting the privacy of visitors to the CaptureProof.com web site and mobile application (the "Site"). The purpose of this Privacy Policy is to inform you what kinds of information we may collect about you when you visit the Site or use the service offered on the Site (the "Service"), how we may use that information, to whom we may disclose it, and the choices you have regarding our use of, and your ability to manage and edit, your information. This Privacy Policy applies to the Site and the Service. This Privacy Policy does not apply to other web sites to which we may link.

This Privacy Policy governs information we collect about patients who use the Service ("Patients") and about designated health care professionals who are part of a Patient's health care team ("Medical Professionals").

Patients and Medical Professionals can access the Service through the Sites, via desktop or laptop computer, mobile phone, tablet, or other consumer electronic device. This Privacy Policy governs your use of the Service regardless of how you access the Service, and by using the Service you consent to the collection, transfer, processing, storage, disclosure and other uses of your information described in this Privacy Policy.


INTRODUCTION

The Service is a health records platform that allows Patients to gather, edit, add to, store, and share their protected health information online and to communicate and share that information with designated Medical Professionals. This Service also allows Medical Professionals to gather, edit, add to, store and share protected health information online related to the treatment of Patients and share that information with their Patients and other designated Medical Professionals.

When you use the Service, the Service collects identifying information about you (e.g., name and email address) as well as, if you are a Patient, your protected health information (e.g., photos, videos, notes, doctor communications, and health history), and, if you are a Medical Professional, your patient communications.


THE INFORMATION WE COLLECT

We may collect and store the following information when you use the Service:


IDENTIFYING INFORMATION

When you register to create an account with the Service, we collect some information about you, such as your name, phone number and email address. If you are a Patient, we also collect information about your gender and date of birth. If you are a Medical Professional, we also may collect information about your medical credentials, such as your medical license number, degree, office number and specialty. We may also collect information Patients choose to provide us regarding their designated Medical Professionals, such as their names and email addresses. Providing a profile picture is optional for both Patients and Medical Professionals.


PROTECTED HEALTH INFORMATION

If you are a Patient, when you use the Service, we collect health information that relates to (a) your past, present or future physical or mental health or condition, and (b) the provision of health care to you. This health information includes notes describing health conditions, communications with your medical clinician, photos of body parts or video of body movements and/or experiences, and any other information you upload to the Service. You can use the Service to enter a wide range of health information into a record. You can give others permission to view, and/or add information in a record. You cannot currently delete any photos, videos and/or chat from your account.


FINANCIAL INFORMATION

When you make payment for your use of the Service, we collect additional financial information as required to process those purchase transactions.


ANALYTICS INFORMATION

When you use the Service, we automatically record information, from the computer, mobile phone or other consumer electronic device you use to access the Service, that device's software, and your activity using the Service (collectively, "Analytics Information"). This may include the device's Internet Protocol ("IP") address, browser type, the web pages you visit on our website, information you search for on our website, locale preferences, identification numbers associated with your device, your mobile carrier, date and time stamps associated with transactions, system configuration information, captured metadata from photos and video concerning your uploaded health information, and other interactions with the Service.

The Service allows you to manage one health record, such as the ones you create for yourself or for your child(ren). You choose what information to put in your records. Examples of the types of information you can store in a record include:

  • medications
  • health history
  • photos
  • videos

HOW WE USE THE INFORMATION WE COLLECT

How we use non-personally identifying information:

We may use Analytics Information to monitor and analyze use of the Service, for the Service's technical administration, to increase the Service's functionality and user-friendliness, and to verify users have the authorization needed for the Service to process their requests.

As of the date this Privacy Policy went into effect, we use Google Analytics. To learn more about the privacy policy of Google Analytics, visit: http://www.google.com/intl/en/policies/privacy/

We may also use, or share with third parties, other non-personally identifying information in the aggregate for the purpose of improving the Service and for business and administrative purposes.

How we use personally identifying information:

We use personally identifying information collected through the Service, including Patients' protected health information:

  • to provide the Service
  • to assemble Patients' health records
  • to send you an email summarizing recent account activity
  • to provide you with important information about the Service, including critical updates and notifications
  • to send you the CaptureProof e-mail newsletter (unless you opt out)
  • to connect your Profile on the Site to other Profiles that you choose

We may also ask you to participate in use surveys, questionnaires or polls, to facilitate feedback and input from our users. When you respond to surveys, questionnaires or polls, this information is collected only as anonymous, aggregated information and is used for statistical purposes only.


HOW THE SERVICE FACILITATES YOUR SHARING OF HEALTH INFORMATION:

A key purpose of the Service is to facilitate the sharing by Patients of health information with Medical Professionals that are designated members of the Patient's health care team. Patients can choose to share specific information (or all information) with a designated Medical Professional.

Patients can share protected health information with designated Medical Professionals once they have established a Medical Professional - Patient relationship as outlined in our Terms of Service. Once data is shared it will remain shared with the Medical Professional. Terminating the connection will prevent the Medical Professional from having access to any subsequent data uploaded and/or shared by the patient.

No Medical Professional who accepts a sharing invitation has the ability to use the Service to share a Patient's health information with third parties, the exception being that Medical Professionals can use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, photos, videos, and other medical information for treatment purposes only without the patient's authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.


TO WHOM WE DISCLOSE THE INFORMATION WE COLLECT:


SERVICE PROVIDERS

We may permit certain trusted third party companies and individuals to access your information in connection with their performance of services to help us maintain, operate, analyze, and improve the Service, including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of the Service’s features. These third parties may have access to your information only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy.


COMPLIANCE WITH LAWS AND LAW ENFORCEMENT REQUESTS; PROTECTION OF CAPTUREPROOF, INC.’S RIGHTS

We may disclose your personally identifying information to third parties when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of CaptureProof or its users; or (d) to protect CaptureProof's property rights. If we provide your personally identifying information to a law enforcement agency as set forth above, when legally required, we will remove CaptureProof's encryption from the files before providing them to law enforcement. However, we will not be able to decrypt any files that you encrypted prior to storing them on the Service.


BUSINESS TRANSFERS

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personally identifying information may be transferred as part of that transaction, but we will notify you of this transfer of your information (for example, via email and/or a prominent notice on the Site). We will also notify you of choices you may have regarding the transfer of your information.


DISCLOSURE OF NON-PERSONALLY IDENTIFYING INFORMATION

We may disclose your non-personally identifying information to third parties as described above under "How we use aggregate non-personally identifying information." We do not sell, trade or rent your personal information to third parties.


HOW LONG WE KEEP YOUR PERSONALLY IDENTIFYING INFORMATION

You may review, update, correct or delete the personally identifying information provided in your registration or Profile by changing your Profile settings. If your personally identifiable information changes, or if you no longer desire to use the Service, you may update or delete it by making the change in your Profile settings. In some cases we may retain copies of your information if required by law.

We will retain your information for as long as your account is active or as needed to comply with health laws of your state. If you delete your account we may retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Consistent with these requirements, we will try to delete your information as quickly as possible upon request. Please note, however, that there might be a delay in deleting information from our servers and that backed-up versions might continue to exist after deletion.


HOW WE PROTECT YOUR PERSONAL INFORMATION

We follow generally accepted industry standards to protect your health information and other personally identifying information that we collect about you. We use firewall barriers, SSL 256-bit high-grade encryption techniques and authentication procedures, among others, to maintain the security of your online session and to protect user accounts and systems from unauthorized access. However, no method of transmission over the Internet or method of electronic storage is 100% secure.


MINORS

The Service is not intended for use by individuals under the age of 18. A parent or guardian can create a Profile for a child and grant others access to the data. If a parent or guardian becomes aware that his or her child has provided us with personally identifying information without their consent, he or she should contact us at privacy@captureproof.com. If we become aware that a child has provided us with personally identifying information, we will take steps to delete such information from our files.


REVISIONS OF THIS PRIVACY POLICY

CaptureProof may revise and update this Privacy Policy at any time, without notice to you. We encourage you to periodically check the Site to see if there have been any changes to our Privacy Policy that may affect you.


INTERNET COOKIES

An internet cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns. We use cookies to help us identify and track visitors to the Site, their usage of the Site, and their website access preferences. Visitors to the Site who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using the Site, with the caveat that certain features of the Site may not function properly without the aid of cookies.


PATIENT RIGHTS TO PROTECTED HEALTH INFORMATION (PHI):

You have a right to:

1. View your medical records. You can access your medical records that have been provided to CaptureProof within 30 days of your request to do so. You can view your medical records at any time by accessing your account online.

2. Inspect and copy your PHI. You must submit your request to inspect or copy your PHI online to CaptureProof. CaptureProof may impose a fee for the costs of copying, mailing, labor and supplies associated with your request. CaptureProof may deny your request to inspect and/or copy your PHI in certain limited circumstances. If that occurs, CaptureProof will inform you of the reason for the denial, and you may request a review of the denial.

3. Amend your PHI. If you believe your file is incomplete or incorrect, you can request that CaptureProof amend your PHI. CaptureProof may, under certain circumstances, deny your request. If that occurs, you have the right to submit a statement of disagreement for inclusion in your records.

4. Accounting and disclosures. You always have the decision whether or not to give permission for your PHI to be shared before it is used or shared. Your chosen health professionals that use the Service are prohibited from using or sharing your personally identifiable medical records for any purposes that are not part of normal, routine health care processes. You have the right to receive an accounting of all disclosures CaptureProof has made of your PHI. Accordingly, upon request, made in a 12 month period CaptureProof shall provide the patient, at no charge, with a copy of accounting of disclosures.

CaptureProof will provide you a notice that tells you how your PHI has been used and shared. This accounting will be provided without charge for the first request made in a 12-month period. Reasonable cost-based charges can be imposed to provide an additional accounting(s) if the request for the 2nd (3rd..) accounting is within the 12 month period, as permitted by law.

5. Complaint. You may complain to CaptureProof and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated.

If you have any questions about this Privacy Policy, please contact us at privacy@captureproof.com.

Acceptable Use

Last Modified: October 3, 2017

Many people use CaptureProof, and we are proud of the trust placed in us. In exchange, we expect you to use the CaptureProof services (the "Service") responsibly.

As a CaptureProof account holder you agree to comply with this Acceptable Use Policy (this "Policy") and will be liable for all activities and content you post and for violation of this Policy.


PROHIBITED USES

You agree not to misuse the Service. For example, you must not, and must not attempt to, use the Service to do any of the following:

  • probe, scan, or test the vulnerability of any system or network;
  • breach or otherwise circumvent any security or authentication measures;
  • access, tamper with, or use non-shared areas of the Service, shared areas of the Service you have not been invited to, or CaptureProof’s (or our service providers’) computer systems;
  • interfere with or disrupt any user, host, or network, for example by sending a virus, overloading, flooding, spamming, or mail-bombing any part of the Services;
  • plant malware or otherwise use the Services to distribute malware;
  • access or search the Services by any means other than our publicly supported interfaces (for example, "scraping");
  • send unsolicited communications, promotions or advertisements, or spam;
  • send altered, deceptive or false source-identifying information, including "spoofing" or "phishing";
  • publish anything that is fraudulent, misleading, or infringes another’s rights;
  • capture any screenshots or recordings of any part of the site;
  • use any dictation service/feature on your mobile device to verbally communicate any Protected Health Information;
  • promote or advertise products or services other than your own without appropriate authorization;
  • impersonate or misrepresent your affiliation with any person or entity;
  • publish or share materials that are unlawfully pornographic, obscene or indecent, or that advocate bigotry, religious, racial or ethnic hatred or gratuitous violence;
  • violate any applicable local or federal law in any way, or violate the privacy rights of others, or defame others;
  • misrepresent the source of anything you post, including impersonation of another individual or entity;
  • provide or create links to external sites that violate this Policy;
  • include content that is protected by intellectual property laws, rights of privacy or publicity, or any other applicable law, unless you own or control the rights thereto or have received all necessary consents;
  • harm or exploit minors in any way;
  • invade anyone’s privacy by attempting to harvest, collect, store, or publish private or personally identifiable information, such as passwords, account information, credit card numbers, addresses, or other contact information without their foreknowledge and willing consent;
  • threaten, stalk, defame, defraud, degrade, victimize, or intimidate an individual or group of individuals for any reason, including on the basis of age, gender, disability, ethnicity, sexual orientation, race, or religion; or incite or encourage anyone else to do so; or
  • attempt to impersonate a CaptureProof employee, agent, manager, host, administrator, another user, or any other person through any means.

CaptureProof is not intended for use by minors, unless a Profile is created by a parent or guardian, who can grant others access to the data.

CaptureProof is not responsible for the content or activities in any CaptureProof profile. The decision to share or create content is yours. We advise you to use your judgment.

CaptureProof reserves the right to amend or change this Acceptable Use Policy at any time. CaptureProof may place a special notice on the CaptureProof website, update the date of this Acceptable Use Policy, or communicate significant changes by email. Your continued use of the Service following such notification constitutes your acceptance of any such changes. We encourage you to periodically review this Acceptable Use Policy to ensure you are in compliance.

Some information you provide or upload to the Service may be stored outside of the country in which you reside.

All activity on the Service is also governed by the CaptureProof Terms of Service.


REPORT VIOLATIONS OF THIS POLICY

If you see content that violates this Acceptable Use Policy, we encourage you to report it to CaptureProof for review. Please contact us at security@captureproof.com.

Thank you for using CaptureProof and honoring this Acceptable Use Policy.

Standard Contractual Clauses

Last Modified: October 3, 2017

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

This Standard Contractual Clause Agreement is between CAPTUREPROOF, Inc. and the User who purchases CaptureProof’s "Service" as defined in the Terms and Conditions. This Standard Contractual Clause Agreement is incorporated by reference into the Terms and Conditions of Service when applicable.

If you are entering into this Agreement on behalf of a business or medical practice, you represent that you have the authority to bind said business to this Agreement.

This STANDARD CONTRACTUAL CLAUSE AGREEMENT is dated on the day of acceptance of the "Terms and Conditions" or when the user begins to use the Service, whichever is first. This agreement is entered into between the User (hereafter referred to as "data importer") and CAPTUREPROOF, Inc. (hereafter referred to as "data exporter") each a "party"; together "the parties",

THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Clause 1

Definitions

For the purposes of the Clauses:

  • (a) "personal data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) "the data exporter" means the controller who transfers the personal data;
  • (c) "the data importer" means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • (d) "the sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) "the applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • (f) "technical and organizational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.


Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • (b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  • (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the data exporter about:
    • (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    • (ii) any accidental or unauthorized access; and
    • (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
  • (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • (h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
  • (i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.


Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.


Clause 11

Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely Ireland.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses:
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is the User who is using CaptureProof to securely communicate using photos and videos in line with the CaptureProof Terms of Service.
Data importer
The data importer is providing services to allow health care providers and patients (Users) to securely communicate using photos and videos.
Data subjects
The personal data transferred concern the following categories of data subjects:
User’s business and patients.
Categories of data
The personal data transferred concern the following categories of data:
Electronic protected health information and other personal data collected relevant to the Users for the use of CaptureProof.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): Electronic protected health information and other personal data collected relevant to the Users for the use of CaptureProof.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
CaptureProof securely stores and sends data between User devices (web, mobile), so that all data is encrypted on-the-go and at-rest, and is not stored locally on any devices used to access the platform.


Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses:

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) can be found here in CaptureProof’s Security & Privacy White Paper: http://captureproof.com/home/PDFs/HIPAA-White-Paper.pdf


1 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offenses or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognized sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.