European Union Privacy Policy

Last updated: November 11, 2020

This Privacy Policy describes Our policies and procedures for the collection, use and disclosure of Your information when You use the Doxy.me Service or visit this web site from the European Union. It also explains the legal basis for Doxy.me’s GDPR compliance, Your privacy rights, and how the applicable law protects You.

Simply put, 

  • We only collect enough information for You to use the Doxy.me Service and some of that information is deleted instantly once the Session (an audio/video conference) concludes;
  • We do not sell Your information;
  • You have the right to delete all information in Your account;
  • The Session is not recorded or otherwise stored on Our servers; 
  • If You have any questions regarding the Service and how it uses Your Personal Data, You may contact Us;
  • We do not directly collect any data that might be considered health information;
  • Data transfers from the EU to the U.S. are legally protected using legal documents and frameworks.

We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this EU Privacy Policy. This policy is maintained by the doxy.me legal department.

Definitions

Regardless of how You use this website or the Doxy.me Service, this section defines certain terms that are used throughout this policy.

For the purposes of this policy:

  • You means the individual accessing or using the Doxy.me Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. You must be at least 18 years of age in order to use the Service.
  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Doxy.me, LLC, 3445 Winton Pl, Ste 120, Rochester, NY 14623.
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
  • Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
  • Personal Data is any information that relates to an identified or identifiable individual.
  • Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing (among other things) the details of Your browsing history and/or connection information when using the Service.
  • Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • User is someone accessing the Website as a guest, a Provider, or a Patient.
  • Protected Health Information (PHI) means any health-related information as defined by applicable law.

Terms specific to the Doxy.me products are:

  • Service or Doxy.me Service refers to the doxy.me software products accessible from the Website.
  • Provider means a doctor, medical group, or other healthcare professional who has signed up as a “Provider” on the Doxy.me Service.
  • Patient refers to an individual who is using the “Patient” component of the Service using a unique URL sent by the Provider to view the Waiting Room (prior to the Session). 
  • Account means a unique account created for You to access our Service or parts of our Service. This may also be referred to as Your Clinic.
  • Website refers to doxy.me, accessible from http://doxy.me
  • Session is secure audio and/or video communication between the Patient and the Provider—the key feature of the Doxy.me Service.
  • Waiting Room is the web page that is seen by Patients prior to the beginning of a video session. The Provider may change the look and feel of the Waiting Room and upload Provider-specific content.
  • Provider Link is the unique URL (web address) that the Patient uses to enter the Provider’s Waiting Room prior to a Session. An example is https://yourclinic.doxy.me/DrSmith

Usage Data

Usage Data is collected automatically when accessing the Service and visiting this Website.

Usage Data may include information such as Your Device’s Internet Protocol address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data. However, this Usage Data is de-identified and anonymized and not linked to a particular data. As such, it is not considered personal information as defined by the GDPR; it is incidental to providing the Service.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Cookie Policy

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. 

Any use of Cookies – or of other tracking tools – by Us or by the owners of third-party services used by Us serves the purpose of providing the Service as requested by You. If You opt to disable all or certain cookies, Your experience may be diminished. You may not be able to use the Services.

To learn more about controlling and deleting cookies, visit this external website: https://www.aboutcookies.org/

Please view the Doxy.me Cookie Policy at https://doxy.me/en/cookie-policy

Children’s Privacy

Our Service is not intended to be used by anyone under the age of 18. As the Services are self-administered and unmonitored by Us, it is up to both the Provider and Patient to ensure that only adults over 18 use the Services. 

Provider Personal Data

This section applies only if You sign up and have been given access to a Provider account. Some features are not activated automatically and require explicit authorization by You.

Types of Data Collected—Provider

Personal Data

We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. In addition, anything else You provide in the Waiting Room will be seen by Patients when they “enter” the Waiting Room. Such information includes:

  • Email address
  • First name and last name
  • Specialty* 
  • Position or title*
  • National Provider Identifier (NPI)*
  • States licensed to practice*
  • Mobile number*
  • Country, phone number **

* This information is optional.

** Only required if using Stripe payment services; this information is not stored in the Service.

By using the Service, You allow Us to contact You by email regarding Service features, changes, maintenance, and other products that may be introduced from time to time. In addition, if You enable email notifications within the Service, We will send You an email notifying You that a Patient is waiting in the Waiting Room.

If You wish to be notified by text message that a Patient is waiting in the Waiting Room, You may optionally provide Your mobile number.

All Your data are processed in secure and HIPAA-compliant cloud services using HealthCare Blocks. This allows Us to focus on creating solutions where high security and privacy are enabled by default. We use industry-best security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of all Your data. 

Single Sign-On

You may elect to log in to the Doxy.me Service via a third-party authentication service. This is called Single Sign-On (SSO) and means that You must first authenticate to that third-party identity provider prior to accessing the Service. Facebook and Google identity connectors are built into the Service for You to optionally use. Also, doxy.me offers a custom feature whereby You may specify Your own SSO service.

By using SSO, You will be transferred to an authentication agent for that particular identity provider where Your login credentials (usually a name and password) are used to verify Your identity. doxy.me does not have access to credentials used by a third-party identity provider. Once You have authenticated via SSO, a token is returned to Us indicating that Your identity has been verified and You will be granted access to the Service.

Invitations

You may invite Patients to Sessions by the following methods:

  • Email sent by the Service
  • Email sent by Your computer or smartphone email system
  • Email sent by a web service (e.g., Gmail, Hotmail)
  • Mobile text message
  • Calendar 

Any information You enter into the invitation will be used to create and send the message. Once that task is completed, the information is no longer used and is permanently deleted.

File Transfer

If You choose to send a file to the Patient, that file will be automatically deleted from Our server 15 minutes after the transfer completes. Conversely, if a Patient sends You a file, it will be automatically deleted 15 minutes after the transfer completes.

Photo Capture

If You capture a photo of the Patient, that image will be sent securely and then destroyed after 15 minutes.

Chats

Any chats between You and the Patient are temporarily stored in Your computer memory, not on doxy.me servers. Your chat history stays after the Session ends so You may copy it to an internal system. Once the browser is closed, the chat history is permanently deleted.

Patient Payment Information

If You choose to ask the Patient to pay You during the Session, You may use the third-party Stripe credit card payment system. Prior to requesting payment, You must set up a Stripe account in the settings section of Your Account. The Patient will receive a payment pop-up screen asking to provide their name and credit card details. All credit card transactions are handled by Stripe. doxy.me does not capture or utilize any information entered in the payment pop-up screen. For more information, please visit https://stripe.com/

Service Payment Information

If You choose to upgrade the Service for a fee, You have the option to pay via the Stripe third-party credit card payment system. All credit card transactions are handled by Stripe. Doxy.me does not capture or utilize any information entered in the payment pop-up screen but does receive payment information from Stripe when the transaction is completed.

Teleconsent Appointment Consent Form

You may ask or require a Patient to sign a Teleconsent Appointment Consent Form. The purpose of the form is to convey what Telehealth communication is, Patient rights, and obligations for each party. Doxy.me provides a template form or, depending on Your Account type, You may upload Your own form. 

After the Patient signs the form, it should be downloaded by both You and Your Patient as it is not stored by the Service and will be permanently deleted. 

Session Privacy

At any time during the Session, You may disable the audio, video, or both. Doing so may prevent effective communication with the Patient. However, there may be times when You wish to disable the audio or video for personal reasons.

You may terminate the Session at any time.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about other goods, services and events which We offer that are similar to those that You have already purchased or enquired about unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.

We may share Your personal information in the following situations:

  • With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
  • For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case We will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
  • With Business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
  • With other users: when You share personal information or otherwise interact in the public areas (such as the doxy.me community support, https://discuss.doxy.me) with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.

Retention of Your Personal Data

We will retain Your Personal Data only for as long as is necessary for the purposes set out in this EU Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain Usage Data for internal analysis purposes. Usage Data are generally retained for a shorter period of time, except when these data are used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain these data for longer time periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company’s operating offices and in other places where data processing systems are located. This means that information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in Your jurisdiction.

Your consent to this EU Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

We will take all steps reasonably necessary to ensure that Your data are treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place regarding the security and privacy of Your Personal Data and other information.

Disclosure of Your Personal Data

Business Transactions

If We are involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different privacy policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

We may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation;
  • Protect and defend Our rights or property;
  • Prevent or investigate possible wrongdoing in connection with the Service;
  • Protect the personal safety of users of the Service or the public; or
  • Protect against legal liability.

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially standard means to protect Your Personal Data, We cannot guarantee its absolute security.

 

Patient Personal Data

This section only applies if You have received a unique web link (such as https://yourclinic.doxy.me/DrSmith) from a Provider and wish to communicate with the Provider by video conference using the Service. Some features are not activated automatically and require explicit authorization by You.

Types of Data Processed—Patient

Name to Enter Waiting Room 

A Patient does not need an account or to register with doxy.me in order to use the Service.

A Provider will email or text You a Provider Website link in order to enter the Waiting Room. When You click on that link, it will take You to the welcome screen and You will be asked to enter Your name and click a “Check In” button.

Your name (which can just be Your first name) is securely passed to the Provider and not otherwise stored or used by the Service.

Your name is only seen by the Provider and used for an initial identification. There is no verification of the entry, nor is there a requirement that You use Your full name. 

Session Privacy

At any time during the Session, You may disable the audio, video, or both. Doing so may prevent effective communication with the Provider. However, there may be times when You wish to disable the audio or video for personal reasons.

You may also terminate the Session at any time.

File Transfer

If You choose to send a file to the Provider, that file will be sent securely and then destroyed after 15 minutes. 

Photo Capture

If Your Provider chooses to capture a photo of You, that image will be sent securely and then destroyed after 15 minutes.

Chats

Any chats between You and the Provider are temporarily stored in computer memory, not on doxy.me services. Once the browser is closed, the chat history is permanently deleted.

Payment Information

If You choose to pay the Provider during the Session, a credit card authorization screen will pop up asking You to provide Your name and credit card details. All credit card transactions are handled by Stripe, a third party. Doxy.me does not capture or utilize any information You enter in the payment pop-up screen. For more information, please visit https://stripe.com/

Teleconsent Appointment Consent Form

Your Provider may ask You to sign a Teleconsent Appointment Consent Form. The purpose of the form is to inform You of what Telehealth communication is, and Your rights and obligations. You should read the form completely and not hesitate to ask Your Provider for any clarifications. 

If You are required to sign the form, Your signature will be electronically captured by using Your mouse and be embedded in the form. The form may be downloaded by both You and Your Provider and is not stored by the Service.

Screenshare

The Service provides a feature whereby You may share all or part of Your computer screen with the Provider. You will be sent a message to confirm that You wish to share Your screen. 

There are obvious privacy issues associated with sharing one’s screen. It is up to You to ensure that no sensitive or confidential information (other than that which You wish to show the Provider) be viewable during the screensharing session.

For instance, if You do not wish the Provider to see Your email system or other open windows, it would be best to terminate those applications prior to the screenshare.

Additional Information

The GDPR

This section has been prepared based on the Regulation (EU) 2016/679 otherwise known as the General Data Protection Regulation or the “GDPR”. Any capitalized terms in this GDPR section not defined elsewhere in this policy have the same meaning as defined in Article 4 of the GDPR.

In addition to the obligations in the Privacy Shield section below, doxy.me processes Personal Data as a Data Processor on behalf of the Provider who may also be referred to as the Data Controller that may include one or more Data Subjects (as these terms are defined in the GDPR).

Doxy.me’s obligations include, but are not limited to:

  • Article 28, Section 1: providing sufficient guarantees to the controller that it has implemented appropriate technical and organizational measures to ensure the protection of the rights of the data subject.
  • Article 28, Sections 2 and 4: notifying the controller prior to engaging another processor as related to the Services. Doxy.me will post any additional processor’s information on this Privacy Policy. The Provider grants doxy.me a general authorization to enable an additional processor without prior consent. The Provider must object to the additional processor within sixty (60) days of when the additional processor was engaged.
  • Article 28, Section 3: providing a data processing agreement to the Provider upon request.
  • Article 29: only processing Personal Data on instructions from the Provider.
  • Article 32, Section 1: implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect the ongoing confidentiality, integrity, availability and resilience of processing systems and services and other obligations stated in this article.
  • Article 32, Section 2: using industry best methods and the measures described in Annex 3 to prevent personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 
  • Article 33, Section 2: notifying the Provider without undue delay and at most 72 hours after becoming aware of a Personal Data Breach.
  • Articles 44, 45, and 46: to the extent any processing or sub-processing of Personal Data takes place in any country outside the EEA, ensure that the country is an Adequate Country.

Methods of processing

We take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of Personal Data.

Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In some cases, Personal Data may be accessible to certain types of persons in charge, involved with the operation of doxy.me (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, communications agencies) appointed, if necessary, as Data Processors by Us. The updated list of these third parties is provided below.

Legal basis of processing

We may process Personal Data relating to You if one of the following applies:

  • You have given Your consent for one or more specific purposes;
  • provision of Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof;
  • processing is necessary for compliance with a legal obligation to which We are subject;
  • processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Us;
  • processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party.

In any case, We will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Place

The Data is processed at Our operating offices, secure data centers in the United States, and in Our third-party secure data centers whose location may be found by visiting their respective websites.

Depending on Your location, data transfers may involve transferring Your Personal Data to a country other than Your own.

You are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by Us to safeguard Your Personal Data.

To find out more about the place of processing of such transferred Data, You may check the section below containing details about the processing of Personal Data.

Retention time

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.

Therefore:

  • Personal Data collected for purposes related to the performance of a contract between Us and You will be retained until such contract has been fully performed.
  • Personal Data collected for the purposes of Our legitimate interests shall be retained as long as needed to fulfill such purposes (such as billing and contract information). You may find specific information regarding the legitimate interests pursued by Us within the relevant sections of this policy.

We may be allowed to retain Personal Data for a longer period whenever You have given consent to such processing, as long as such consent is not withdrawn. This would typically require a contractual obligation negotiated by both You and Us. Furthermore, We may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

Once the retention period expires, Personal Data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The purposes of processing

Personal Data is collected to allow Us to provide Our Services, comply with legal obligations, respond to enforcement requests, protect Our rights and interests (or those of our users or third parties), detect any malicious or fraudulent activity, as well as the following: Analytics, Registration and authentication, Handling payments, Hosting and backend infrastructure, Managing contacts and sending messages, Traffic optimization and distribution, User database management, Access to third-party accounts, Infrastructure monitoring, Operations, Data transfer outside the EU, Commercial affiliation, Backup saving and management, Contacting the User, Displaying content from external platforms, Tag Management, Content performance and features testing (A/B testing) and Advertising.

EU-U.S. Privacy Shield Framework

The following information is required by the Framework. For this section, “Owner” refers to doxy.me; and “User” and “Users” refer to any person with a doxy.me account or using the Doxy.me Service.

Owner/Provider
Doxy.me

Purpose
Further information about Personal Data

Personal Data collected
Please see the specific sections above “Types of Data Collected-Provider” and “Types of Data Collected-Patient.”

Privacy Policy
The Owner participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. The policies and rights outlined below are therefore equally and explicitly applicable to Users from Switzerland, except if stated otherwise. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view the Owner’s certification, please visit https://www.privacyshield.gov/ (or find the direct link to the certification list of Privacy Shield participants maintained by the Department of Commerce https://www.privacyshield.gov/list).

What does this mean for the European User?

The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.

This, most importantly, includes the right of individuals to access their personal data processed by the Owner.

The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, the Owner is subject to the investigatory and regulatory enforcement powers of the FTC, if not stated otherwise in this privacy policy.

The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Dispute resolution under the Privacy Shield

In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.

In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.

In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs), the Swiss Federal Data Protection and Information Commissioner (FDPIC), and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.

Under certain conditions – available for the User in full on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint) – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Choice Principle

The User has the choice to not agree to disclose personal information when first creating an account by accepting the Owner’s terms of service and this Privacy Policy. The User further can contact support@doxy.me anytime and remove their affirmation of this choice.

The Rights of Users

Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to do the following:

  • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
  • Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
  • Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
  • Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
  • Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
  • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
  • Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
  • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to processing

Where Personal Data are processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know, however, that should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this policy.

Regarding the July 16, 2020 Court of Justice of the European Union (CJEU) Decision

On July 16th 2020, the Court of Justice of the European Union (CJEU) invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework. In the case known as “Schrems II”, the CJEU considered that US law does not provide essentially equivalent protection for fundamental rights to data protection (due to lack of proportionate governmental access to data and the appropriate redress for the EU individuals in the US). 

However, doxy.me remains in the program and continues to abide by its intent and rules. The decision by the CJEU does not relieve participants of their obligations under the EU-U.S. Privacy Shield Framework.

For more information, please read the joint statement issued on August 10, 2020 from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders (https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european) regarding the EU-U.S. Privacy Shield Framework.

The U.S. Department of Commerce has filed a formal response with some initial observations and guidance concerning the relevance of the contested areas of U.S. law. With that guidance, doxy.me believes that transfers to the U.S. should not automatically be seen as constituting high risk processing under the GDPR. Instead, it should be determined whether such transfers could result in a high likelihood of harm (such as the possibility of government access). Given the nature of the data being transferred in the Service, We believe that no harm will result from entering a name and email address into the Doxy.me Service.

To be clear: the CJEU ruling doesn’t change Our firm commitment to protect Your data. Nor does it change Our security operations that have protected Your data since doxy.me began its operations.

Personal Data transfer outside the European Union

We are allowed to transfer Personal Data collected within the EU to third countries (i.e. any country not part of the EU) only pursuant to a specific legal basis. Any such Data transfer is based on one of the legal bases described below.

Other legal basis for Data transfer abroad (Doxy.me)

If no other legal basis applies, Personal Data may be transferred from the EU to third countries only if at least one of the following conditions is met:

  • the transfer is necessary for the performance of a contract between You and Us or of pre-contractual measures taken at Your request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of You and Us and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for establishment, exercise or defense of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. In such cases, We will inform You about the legal bases the transfer is based upon.

Personal Data transfer abroad based on consent 

If this is the legal basis, Personal Data of Users shall be transferred from the EU to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
In such cases, the Owner shall inform Users appropriately and collect their explicit consent via doxy.me.

Data transfer from the EU and/or Switzerland to the U.S. based on Privacy Shield

If this is the legal basis, the transfer of Personal Data from the EU or Switzerland to the U.S. is carried out according to the EU – U.S. and Swiss – U.S. Privacy Shield (please see note above about the current status of the Privacy Shield framework).

In particular, Personal Data is transferred to services that self-certify under the Privacy Shield framework and therefore guarantee an adequate level of protection of such transferred Data. All services are listed within the relevant section of this document and those that adhere to Privacy Shield can be singled out by checking their privacy policy and possibly also by specifically checking for Privacy Shield adherence in the official Privacy Shield List. Privacy Shield also specifically guarantees rights to Users which can be found in its most current form on the website run by the US Department of Commerce.

Personal Data may be transferred from within the EU or Switzerland to the U.S. to services that are not, or not anymore, part of Privacy Shield, only based on other valid legal grounds. You may ask Us to learn about such legal grounds.

Sub-Processors

Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

For a list of sub-processors, please visit https://doxy.me/en/sub-processor-list/ 

Changes to this Privacy Policy

We may update this policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page. Such changes are effective when they are posted on this page.

We will let You know via email and/or a prominent notice on Our Service prior to the change becoming effective, and update the “Last updated” date at the top of this policy.

You are advised to review this policy periodically for any changes. 

Contact Us

If You have any questions about this EU Privacy Policy, please contact Us:

By email: support@doxy.me
