DPF Notice
Sanguina Data Privacy Framework Policy
Effective Date: March 12, 2025
This Data Privacy Framework (“DPF”) Policy describes how Sanguina collects, uses, and discloses certain personally identifiable information that we receive in the United States (“U.S.”) from the European Union (“EU”) and the United Kingdom (“UK”). This Policy supplements our Sanguina U.S. and EU/UK Privacy Notices located at https://sanguina.com/pages/privacy-policy-effective and https://sanguina.com/pages/eu-uk-privacy-policy. Unless specifically defined in this Policy, capitalized terms in this Policy have the same meaning as in the Sanguina Privacy Notices.
Sanguina complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Sanguina has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/. To view the entire DPF List, visit https://www.dataprivacyframework.gov/list.
For purposes of enforcing compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Sanguina is subject to the investigatory and enforcement authority of the US Federal Trade Commission.
Personal Data Collection and Use
Our Sanguina U.S. Privacy Notice and our EU/UK Privacy Notice describe the categories of Personal Data that we may collect as well as the purposes for which we use that Personal Data. Please note that we may collect the following categories of Personal Data: name, email address, username and password, images of fingernails, location (such as city), age, gender, date of birth, physical activity data, other health information individuals choose to provide, communications from or about individuals, results of analyses within our App, other data communicated to us through the App or through submitted questions or surveys, and App usage data. We may collect Personal Data associated with the use of our Website or App, including IP address, date and time of access, pages and content viewed, language preferences, websites linked to or from, whether emails or other communications are received or opened and links clicked on within those emails, information from mobile devices or computers about interactions with the Website or App, including unique device identifier, mobile network information, type of device used and the operating system on that device, browser type, a list of files downloaded or pages viewed, and any errors encountered.
We process Personal Data for the following purposes: provide our Website and App and associated products and services, including analyzing likelihood of anemia and circulation; provide data to third parties utilizing or directing others to utilize our technologies, such as pharmaceutical companies, academic or research institutions, or medical device providers; support clinical trials and other medical studies; set up and manage accounts and subscriptions; facilitate, record, and store communications; manage our business relationships; address inquiries submitted to us; develop analytics to understand our audiences; develop business strategies and marketing plans; provide information about new or related products or services we offer; maintain, analyze, and improve User experience on our Website and App; communicate with Users and provide technical support; monitor and enforce our contracts and legal terms; detect and prevent fraud; fulfill the purpose for which Users provided information to us; for other purposes as required by law; and for other legitimate purposes as set forth in our US Privacy Notice.
Sanguina will only process Personal Data in ways that are compatible with the purpose for which Sanguina collected it, or for purposes the individual later authorizes. Before we use Personal Data for a purpose that is materially different than the purpose for which we collected it or that an individual later authorized, we will (at a minimum) provide the opportunity to opt out. Sanguina maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.
Data Transfers to Third Parties
We may transfer Personal Data to our third-party agents, service providers, or other third parties who perform functions on our behalf. As further described in our US Privacy Notice and EU/UK Privacy Notice, the types of third parties to which we disclose personal information and the purposes for such disclosures include:
Third Parties. We may share personal data with third parties utilizing or directing others to utilize our technologies, such as pharmaceutical companies, academic or research institutions, or medical device providers. For example, if such a third party utilizes a White Label App, the information provided to the app is available to such third parties.
Affiliated Organizations. We may share personal information with our parent organizations, subsidiaries, affiliates, joint ventures, or other organizations or entities under common control with us.
Other Third Party Sharing. We work with third parties to help us provide our Website and App and to support internal operations. In some cases, they may use your information subject to their own privacy policies and to comply with their own legal and regulatory obligations. We work with different types of third parties, presently including:
- Data hosting, storage and cloud service providers;
- Payment processors;
- Platform and/or application security service providers;
- Technical and customer support providers;
- Marketing and analytics providers; and
- Other third parties.
Professional Advisors, Law Enforcement and Regulators. We share information with our professional advisors who provide legal, compliance, auditing, accounting, banking, consulting, or other professional services, and with regulators, law enforcement, or government agencies, including to:
- Comply with our legal and regulatory obligations, including those compliance obligations of federal, state or local regulators;
- Protect our interests, property or legal rights, or those of our customers or third parties;
- Respond to a subpoena, court order, or similar lawful request from public authorities, including to meet national security or law enforcement requirements, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of this DPF Policy, our Privacy Notices, or other applicable terms; and
- For other legal purposes, such as to enforce our terms and conditions, or to exercise or defend legal claims.
Transaction Impacting the Organization as a Whole. In the event of a transaction or reorganization impacting us as an entity or organization, we may share personal information. We may share information in connection with, or during the diligence or negotiation of, any merger, sale of company stock or assets, financing, acquisition, restructuring, divestiture or dissolution of all or a portion of our business, or other similar event.
Other Data Exchanges. As permitted by law, or if you consent, we may share information we collect in exchange for monetary or other consideration.
Other Disclosures. In addition to the above disclosures, we may disclose personal information in the event that we believe such disclosure is (i) necessary to provide our products and services or operate our business; (ii) in accordance with purposes we describe when you share it with us; (iii) permitted by law; or (iv) with your consent or at your direction.
We may disclose aggregated or deidentified information that does not identify any individual without restriction. Sanguina may make additional disclosures as indicated in our US Privacy Notice and our EU/UK Privacy Notice.
We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and to stop and remediate any unauthorized processing. As required by law, Sanguina remains liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless another party is responsible for the event giving rise to the damage.
Access Rights
Pursuant to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, EU and UK individuals have the right to obtain our confirmation of whether we maintain Personal Data relating to you in the United States. Upon request, we will provide you with access to the Personal Data that we hold about you. You may also correct, amend, or delete the Personal Data we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should direct their query to support@sanguina.com. If requested to remove data, we will respond within a reasonable timeframe as required by law.
We will provide an individual with opt-out choices, or opt-in choices for sensitive data (including personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), before we share data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your Personal Data, please submit a written request to support@sanguina.com. Sanguina may limit its response to your exercise of rights as permitted by law.
Questions or Complaints
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Sanguina commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU or UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact support@sanguina.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, if a privacy complaint or dispute relating to Personal Data received by Sanguina, Inc. in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
Binding Arbitration
If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.