Carestream Privacy Notice

Carestream Health, Inc. and its subsidiaries (collectively, Carestream) are committed to protecting personal information. This Privacy Notice is intended to give you confidence in the privacy and security of any personal information that is entrusted to Carestream.

This Privacy Notice explains our practices regarding the “Personal Information” we collect from healthcare professionals, commercial customers, website visitors and other individuals with whom we interact.

For information about how we protect the privacy of patient information that we receive from our customers for processing, please see our Privacy Statement for Patient Information.

For information about how we protect the privacy of job applicant, employees and others with whom we have a human resources relationship, please contact privacy@carestream.com for a copy of the Carestream Human Resources Privacy Statement.

This Privacy Notice was last updated on December 20, 2022

Our Collection, Use and Disclosure of Personal Information
Your Privacy Rights
Cookies and Online Privacy
Forums and Other Public Areas
Profiling and Automated Decision Making
International Transfers
Information Security
Data Retention
Privacy Policies of Third Parties
Job Applicants
Changes to this Privacy Notice
How to Contact Us

Supplemental Privacy Statements

: Carestream Privacy Statement for Patient Information; Important Information Residents of the EEA, Switzerland and the UK; Important Information for Residents of California; Important Information for Residents of Brazil; Your Privacy Choices

1. Our Collection, Use and Disclosure of Personal Information

Carestream generally collects personal information from and about healthcare providers and other professionals who work for our customers.

Personal Information is any information that can be used to identify, locate or contact you. It also includes other information that may be associated with your Personal Information. The chart below describes the categories of personal information we collect, the sources of that information, the reasons we collect it, and the types of people to whom we may disclose the information.

Please note that we may use and disclose any personal information for our “Everyday Business Purposes” ¹ as permitted by law. We may also disclose any personal information to our affiliates and to the service providers and contractors that need to use the information to provide services to us. We have contracts with these companies that require them to protect our information and to comply with law. We may also disclose any information when required by law, such as to law enforcement agencies or to parties in litigation, or to the company you work for, when we are providing services to that company.

Category and Sources of PI	Purposes for Collecting this PI	Disclosures of this PI
Business Contact Information This is the type of information on your business card, such as your name and title, company affiliation, mailing address, email address and telephone number. We collect this type of information from you and from publicly available sources, such as hospital websites and social media sites. We may also receive information from event and trade shows organizers.	We use this type of information to identify you and communicate with you, including: To send transactional messages (such as confirmations) To send marketing communications, surveys and invitations To personalize our communications and provide customer service	We disclose this type of information to services providers and contractors and to: Entities that deliver our communications, such as telecommunications carriers, couriers or the postal service Social media companies such as LinkedIn which use the data only to identify which of our customers use their platforms so that we can deliver ads to you on the platform
Business Customer Information We collect “B2B” personal information about business professionals associated with our commercial customers, suppliers and partners in the context of our relationships we have with these companies. This includes: Information about your authority to use or products and place orders with us Transaction records, including product usage, customer service, training and related records Professional interests and credentials Relationship information, including marketing and communication preferences Visitor logs We collect this type of information from you and from your company. We may receive your data from third parties, such as trade associations or trade shows.	We use this type of information: To fulfill our business relationship with you and/or our customer To develop and maintain our relationship with you and our customer, including sending your marketing communications as permitted by law and subject to your preferences For internal business purposes, such as finance, quality control, training, reporting and analytics For risk management, fraud prevention and similar purposes For recordkeeping and compliance, including dispute resolution	We may disclose this type of information to: our service providers and contractors the company you work for, and other companies (such as your company’s affiliates and service providers), as needed for the commercial relationship (such including your information on purchase documents that you authorize)
Unique Identifiers Such as: System identifiers Device identifiers Advertising ID We collect this type of information from your devices and from our online partners, such as third parties, who place cookies containing advertising IDs on your devices for us.	We use this type of information: To identify you or your device, including to associate you with different devices that you may use For record-keeping and reporting, including for data matching For metrics and analytics, For online ad delivery and personalization	We disclose this type of information to service providers and contractors that fulfil orders and support our information technology and security programs, including companies that who assist with fraud prevention, detection and mitigation. Advertising ID is shared with third party network advertising partners.
Account Access Information Such as: Usernames and/or passwords Account recovery information (such as security questions and answers) We collect this type of information from you, when establish an account or change your password. We may create this information for you, such as if we assign you a username or account number or issue you a temporary password.	We use this type of information: To identify and authenticate you To enable you to engage in transactions with us (such as interacting with us online) For security and similar purposes	We disclose this type of information to service providers and contractors that assist with our information technology and security programs.
Online & Technical Information Such as: IP Address Device identifiers Device characteristics, including precise geolocation data Server and application logs Data from cookies, pixel tags and other online tools We collect this type of information from your computer or devices when you interact with our platforms, websites and applications. For example, when you visit our websites, our server logs record your IP address and other information. We may also receive this information from third parties, including computer security services and advertising partners. Please see Cookies and Online Privacy to learn more.	We use this type of information: For system administration, technology management, including optimizing our websites and applications, For information security and cybersecurity purposes, including detecting threats For other authorized purposes, such as if you consent to our use of precise geolocation data to deliver content to you based on your location For recordkeeping, including logs and records that maintained as part of Transaction Information To better understand our customers and prospective customers and to enhance our Relationship Information, including by associating you with different devices and browsers For online targeting and advertising purposes	We may disclose this type of information to our service providers and contractors who support our information technology programs or host our websites and to third party network advertising partners.
Audio Visual Information Such as: Call center recordings Voicemails CCTV recordings We collect this type of information from you and automatically, such as when we record calls to our call center and use CCTV cameras in our facilities.	We use this type of information: For internal business purposes, such as call recordings used for training, coaching or quality control For premises security purposes and loss prevention	We may disclose this type of information to our service providers and contractors that support our information technology and security programs, and our loss prevention programs.
Compliance data Such as: Records that demonstrate compliance with applicable laws, such as tax laws, occupational safety laws or privacy laws Records related to our internal compliance programs, such as data related to anti-money laundering and intellectual property programs Records relating to complaints and internal investigations, We collect this type of information from you and from third parties, including companies that help us conduct internal investigations.	We use this type of information: To comply with and demonstrate compliance with applicable laws For legal matters, including litigation and regulatory matters, including for use in connection with civil, criminal, administrative, or arbitral proceedings, or before regulatory or self-regulatory bodies, including service of process, investigations in anticipation of litigation, execution or enforcement of judgments and orders For internal business purposes, such as risk management, audit, internal investigations, reporting, analytics	We may disclose this type of information to our service providers and contractors, including our lawyers, auditors and consultants, and to: Customers, in connection with their audits of Carestream Other entities (including government agencies, courts and opposing law firms, consultants, process servers and parties to litigation) in connection with legal matters as required or permitted by law.

Category and Sources of PI

Purposes for Collecting this PI

Disclosures of this PI

Business Contact Information

This is the type of information on your business card, such as your name and title, company affiliation, mailing address, email address and telephone number.

We collect this type of information from you and from publicly available sources, such as hospital websites and social media sites. We may also receive information from event and trade shows organizers.

We use this type of information to identify you and communicate with you, including:

To send transactional messages (such as confirmations)
To send marketing communications, surveys and invitations
To personalize our communications and provide customer service

We disclose this type of information to services providers and contractors and to:

Entities that deliver our communications, such as telecommunications carriers, couriers or the postal service
Social media companies such as LinkedIn which use the data only to identify which of our customers use their platforms so that we can deliver ads to you on the platform

Business Customer Information

We collect “B2B” personal information about business professionals associated with our commercial customers, suppliers and partners in the context of our relationships we have with these companies. This includes:

Information about your authority to use or products and place orders with us
Transaction records, including product usage, customer service, training and related records
Professional interests and credentials
Relationship information, including marketing and communication preferences
Visitor logs

We collect this type of information from you and from your company. We may receive your data from third parties, such as trade associations or trade shows.

We use this type of information:

To fulfill our business relationship with you and/or our customer
To develop and maintain our relationship with you and our customer, including sending your marketing communications as permitted by law and subject to your preferences
For internal business purposes, such as finance, quality control, training, reporting and analytics
For risk management, fraud prevention and similar purposes
For recordkeeping and compliance, including dispute resolution

We may disclose this type of information to:

our service providers and contractors
the company you work for, and other companies (such as your company’s affiliates and service providers), as needed for the commercial relationship (such including your information on purchase documents that you authorize)

Unique Identifiers

Such as:

System identifiers
Device identifiers
Advertising ID

We collect this type of information from your devices and from our online partners, such as third parties, who place cookies containing advertising IDs on your devices for us.

We use this type of information:

To identify you or your device, including to associate you with different devices that you may use
For record-keeping and reporting, including for data matching
For metrics and analytics,
For online ad delivery and personalization

We disclose this type of information to service providers and contractors that fulfil orders and support our information technology and security programs, including companies that who assist with fraud prevention, detection and mitigation.

Advertising ID is shared with third party network advertising partners.

Account Access Information

Such as:

Usernames and/or passwords
Account recovery information (such as security questions and answers)

We collect this type of information from you, when establish an account or change your password.

We may create this information for you, such as if we assign you a username or account number or issue you a temporary password.

We use this type of information:

To identify and authenticate you
To enable you to engage in transactions with us (such as interacting with us online)
For security and similar purposes

We disclose this type of information to service providers and contractors that assist with our information technology and security programs.

Online & Technical Information

Such as:

IP Address
Device identifiers
Device characteristics, including precise geolocation data
Server and application logs
Data from cookies, pixel tags and other online tools

We collect this type of information from your computer or devices when you interact with our platforms, websites and applications. For example, when you visit our websites, our server logs record your IP address and other information. We may also receive this information from third parties, including computer security services and advertising partners.

Please see Cookies and Online Privacy to learn more.

We use this type of information:

For system administration, technology management, including optimizing our websites and applications,
For information security and cybersecurity purposes, including detecting threats
For other authorized purposes, such as if you consent to our use of precise geolocation data to deliver content to you based on your location
For recordkeeping, including logs and records that maintained as part of Transaction Information
To better understand our customers and prospective customers and to enhance our Relationship Information, including by associating you with different devices and browsers
For online targeting and advertising purposes

We may disclose this type of information to our service providers and contractors who support our information technology programs or host our websites and to third party network advertising partners.

Audio Visual Information

Such as:

Call center recordings
Voicemails
CCTV recordings

We collect this type of information from you and automatically, such as when we record calls to our call center and use CCTV cameras in our facilities.

We use this type of information:

For internal business purposes, such as call recordings used for training, coaching or quality control
For premises security purposes and loss prevention

We may disclose this type of information to our service providers and contractors that support our information technology and security programs, and our loss prevention programs.

Compliance data

Such as:

Records that demonstrate compliance with applicable laws, such as tax laws, occupational safety laws or privacy laws
Records related to our internal compliance programs, such as data related to anti-money laundering and intellectual property programs
Records relating to complaints and internal investigations,

We collect this type of information from you and from third parties, including companies that help us conduct internal investigations.

We use this type of information:

To comply with and demonstrate compliance with applicable laws
For legal matters, including litigation and regulatory matters, including for use in connection with civil, criminal, administrative, or arbitral proceedings, or before regulatory or self-regulatory bodies, including service of process, investigations in anticipation of litigation, execution or enforcement of judgments and orders
For internal business purposes, such as risk management, audit, internal investigations, reporting, analytics

We may disclose this type of information to our service providers and contractors, including our lawyers, auditors and consultants, and to:

Customers, in connection with their audits of Carestream
Other entities (including government agencies, courts and opposing law firms, consultants, process servers and parties to litigation) in connection with legal matters as required or permitted by law.

¹ Everyday Business Purposes encompasses the Business Purposes (as defined by California law) and following related purposes for which any personal information may processed:

To provide the information, product or service requested by the individual or as reasonably expected given the context in which with the personal information was collected (such customer credentialing, providing customer service and preference management, providing product updates, bug fixes or recalls, and dispute resolution)
For identity and credential management, including identity verification and authentication, system and technology administration
To protect the security and integrity of systems, networks, applications and data, including detecting, analyzing and resolving security threats, and collaborating with cybersecurity centers, consortia and law enforcement about imminent threats
For fraud detection and prevention,
For legal and regulatory compliance, including all uses and disclosures of personal information that are required by law or for reasonably needed for compliance with company policies and procedures, such as: anti-money laundering programs, security and incident response programs, intellectual property protection and anti-piracy programs, and corporate ethics and compliance hotlines,
For corporate audit, analysis and reporting,
To enforce our contracts and to protect against injury, theft, legal liability, fraud or abuse, to protect people or property, including physical security programs
To de-identify the data or create aggregated datasets, such as for consolidating reporting, research or analytics,
To make back-up copies for business continuity and disaster recovery purposes, and
For corporate governance, including mergers, acquisitions and divestitures.

Please note that we may also use and disclose information about you that is not personally identifiable. For example, we may publish reports or create products that contain de-identified, aggregated or statistical data. These reports and products do not contain any information that would enable the recipient to contact, locate or identify you.

Carestream does not sell any personal information for monetary consideration.

2. Your Privacy Rights

Carestream respects your rights to access, correct and request erasure or restriction of your personal information as required by law. Depending on your country or state or residence, these rights may include

The right to be informed about our collection, use and disclosure
The right to know if we maintain your personal information, and if we do, to access that information (subject to the rights of others) and to request that we provide your information in a portable format
The right to ask us to correct your information if it is incomplete or incorrect
The right to object to our processing of your personal information, including the rights to object to:
- the sale of your personal information,
- the sharing or use of your personal information for certain types of online targeted advertising,
- the use of profiling or automated decision-making which might significantly affect you,
- certain secondary uses and disclosures of sensitive personal information, and,
- if we are processing your personal information based on your consent, to withdraw your consent at any time

The right to ask that we delete your personal information.

Depending on where you reside, you may have additional rights under applicable law. To learn more and to exercise your rights, please visit Your Privacy Choices or contact us via email at privacy@carestream.com. We will need to confirm your identity before we can fulfill most requests, as we need to be sure that your personal information is not disclosed to an unauthorized recipient.

Please understand that these rights are subject to some limitations. For example, we may require documentation to support certain corrections to your information, and we generally cannot restrict or delete personal information in those situations where our retention is required for our internal business purposes or to comply with law.

We will not retaliate against you if you exercise your privacy rights.

If we have collected or received your personal information in our capacity as a service provider to a Carestream customer, that company can assist you with requests related to exercising your privacy rights, as Carestream cannot fulfill these requests directly. We suggest you reach out to such company to learn more about its privacy practices and make requests to exercise your rights. Carestream supports our clients as needed to help them respond to such requests.

3. Cookies and Online Privacy

Online Data Collection

When you visit our website or use our mobile applications, we collect personal information and other data by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons.

Cookies are small text files that websites send to your computer, or other Internet-connected device, to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. In many cases, the information we collect using cookies is only used in a non-identifiable way, without any reference to Personal Information. For example, we use information we collect about all website users to optimize our websites and to understand website traffic patterns.

In some cases, we do associate the information we collect with your Personal Information. This Privacy Notice governs how we use that information when we associate it with your Personal Information. We use cookies and other technologies for the following purposes:

Keeping track of the materials you upload and download;
Remembering you when you login to the places on our site which require membership;
Remembering your country and language preferences;
Helping us understand the size of our audience and traffic patterns, and to manage and present site information;
Delivering information specific to your interests; and
Managing site information displayed on your computer.

Pixel tags and web beacons are tiny graphic images placed on website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.

We collect many different types of information from server logs and other technologies. For example, we may collect information from the device you use to access our website, i.e., your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs also record the IP address of the device you use to connect to the Internet. An IP address is a unique identifier that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to Carestream and the website you visit after you leave our site.

Third Party Advertising Companies

We have relationships with third party advertising companies to place advertisements on this website and other websites, and to perform tracking and reporting functions for this website and other websites. These third party advertising companies may place cookies on your computer when you visit our website or other websites so that they can display targeted advertisements to you.

To opt-out of having your information used or shared for online targeting advertising, you can adjust the settings on your browser. Visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available. You can also use cookie management tools, such as Ghostery or Privacy Badger, to block tracking cookies across all websites.

For more information about third party advertising, you can also e visit the Network Advertising Initiative (NAI) at https://thenai.org/. To opt out of being targeted by many third party advertising companies visit: https://thenai.org/opt-out/ or https://preferences-mgr.trustarc.com/.

Google Analytics

Google Analytics is a web analytics tool provided by Google, Inc. that helps website owners understand how visitors engage with their website. Carestream uses Google Analytics to view a variety of reports about how visitors interact with our websites so that we can improve them. Google Analytics uses cookies and other tools, which generate information about your use of our website (including your IP address). This information is transmitted to and stored by Google on servers in the United States. Google uses this information to evaluate your use of our website, report on website activity and provide other services to us. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google may combine this information with other data held by Google pursuant to Google’s privacy policy available on Google’s website.

To opt-out of having your information used for Google Analytics, please see Your Privacy Choices. For more information on how Google Analytics uses data, please visit “How Google uses data when you use our partners’ sites or apps”, located at: www.google.com/policies/privacy/partners/.

Social Media Interactions

Our websites may enable you to interact with us and others via social media platforms, such as Facebook, Twitter, and Instagram. While we respect all social media platform’s privacy policies, we may collect Personal Information about you and your friends if you choose to use these tools. We use the information to facilitate an interactive social experience.

We may display interest-based ads to you when you are using platforms such as Facebook and Google. These platforms allow us to personalize the ads that we display to you. We do not share any of your Personal Information with these platforms, although we may convert your email address into a unique number which can be matched by the platform with its user to allow delivery of the advertising. Although we do not provide any personal information to these platforms, they may gain insights about individuals who respond to the ads we serve.

4. Forums and Other Public Areas

Our products may provide forums and other public areas where professionals can communicate. Prior to posting in these areas, please read our Terms of Use carefully. All the information you post will be viewable to anyone with access to the area, and any Personal Information you include in your posting may be read, collected, and used by others. Please use caution when posting any Personal Information and do not post any patient-identifiable health information in our forums.

5. Profiling and Automated Decision-Making

We may use analytics to understand how individuals interact with us and our products, such for product development purposes. We also use analytics for compliance, security and fraud prevention purposes. However, we do not use profiling or automated decisions-tools to make decisions that produce legal or similarly significant legal effects for you; any such decisions are made only based on human review.

6. International Transfers

Your personal information may be transferred to, stored at or processed in the United States or other countries which may not have equivalent privacy or data protection laws. However, regardless of where your personal information is transferred, we will protect it in accordance with this Privacy Notice and applicable law.

If you are located outside the United States, we generally use approved Standard Contractual Clauses to authorize the transfers for personal information and to demonstrate that the information remains adequately protected. Please contact us via email at privacy@carestream.com if you would like to learn more about our cross-border transfers.

7. Information Security

We have implemented reasonable technical, physical and administrative safeguards to help protect your personal information against unauthorized access or loss. For example, when we ask users to provide payment information (such as credit card number), the data is protected during transmission to us using industry-standard encryption.

8. Data Retention

We will retain your personal information for as long as the information is needed for the purposes listed above and for any additional period that may be required or permitted by law, such as for business, legal, accounting, or reporting requirements or pursuant to client contract requirements.

If you would like us to delete your personal information collected directly by Carestream, please contact us via email at privacy@carestream.com. If we do not have a legal basis for retaining your information, we will delete it as required by applicable law.

9. Privacy Policies of Third Parties

Our websites may contain links to other companies’ websites. This Privacy Notice only addresses the use and disclosure of information by Carestream, Inc. and its affiliates. Other websites that may be accessible through this website have their own privacy policies and data collection, use and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by all third parties prior to providing them with information or taking advantage of an offer or promotion.

10. Job Applicants

If you have applied for employment with Carestream, the Personal Information submitted with your job application will be used only for recruitment and other customary human resources purposes. Please contact privacy@carestream.com for a copy of our human resources privacy statement.

11. Changes to this Privacy Notice

From time to time, we may update this Privacy Notice to reflect new or different privacy practices. We will place a notice online when we make material changes to this the Privacy Notice. Additionally, if the changes will materially affect the way we use or disclose previously-collected Personal Information, we will notify you about the change by sending a notice to the primary email address associated with your account.

12. How to Contact Us

Please contact us if you have any questions or comments about our privacy practices or this Privacy Notice. You can always reach us online at: privacy@carestream.com. You can also reach us via mail to:

Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608

Carestream Privacy Statement for Patient Information

Carestream is committed to protecting the privacy and security of all personal information that we process in order to provide services to our healthcare professional customers and their patients. This notice explains our practices with regard to the personal information we receive from our customers as a data processor.

Carestream will collect and process patient personal information only as instructed by our customers. We will not use or disclose patient information for our own purposes. Carestream will at all times maintain reasonable and appropriate security controls to protect patient information.

Carestream will disclose patient information to our customers and to other entities (including other healthcare professionals) when instructed by our customers. We may disclose patient information to our affiliates and approved data processors as needed to provide the services that our customers have requested. These entities are all contractually bound to limit use of your personal information as needed to perform the services. We may also disclose patient information when required by law.

For patients based in the United States, patient information is classified as protected health information under the US health privacy law known as the Health Insurance Portability and Accountability Act (“HIPAA”). Carestream will collect and process protected health information only as required or permitted by our business associate agreements and applicable laws, including HIPAA. Carestream will at all times maintain reasonable and appropriate security controls to protect the information as required by HIPAA.

For patients based outside of the United States, your personal information is always processed in accordance with applicable law. Patient information may be transferred to Carestream affiliates and data processers in the United States and elsewhere in the world. Carestream will always protect the privacy and security of patient information, regardless of where it is processed. Patient information transfers from the European Economic Area and other countries with data transfer restrictions authorized by approved model contracts or other appropriate mechanisms.

If you have questions about your privacy rights, please contact your healthcare provider. If you believe that Carestream has not handled your personal information properly, you may also contact Carestream’s Privacy Office at: privacy@carestream.com.

Important Information for EEA, Swiss and UK Residents

Carestream Health is providing this supplemental privacy notice to give individuals in the European Economic Area (EEA) the additional information required by the EU General Data Protection Regulation and related laws. These provisions, together with the statements in the Carestream Privacy Notice, explain our practices with regard to EEA, Swiss and UK personal data.

1. Information about Carestream

This notice is being provided by Carestream Health, Inc. and its affiliates. Carestream Health, Inc. is based in the United States. Our representative in the EEA is:

Carestream Health Netherlands, B.V.
Bramenberg 12
3755 BZ Eemnes
Netherlands

You may contact the Carestream Global Privacy Office by emailing privacy@carestream.com or by writing to:

Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608

2. The Purposes and Legal Basis for Processing, including Legitimate Interests

Carestream’s Privacy Notice explains the reasons why we process your Personal Information. We only process Personal Information when we have a legal basis for the processing, such as:

To fulfill a contract with you or with your company (including providing support and service);
For closely-related purposes, such as payment processing, account management, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance; and
With your consent (or provided you have not objected, as may be applicable), to respond to requests for information and to provide you with marketing communications.

We may also process your Personal Information for the purposes of our legitimate interests, provided that such processing shall not outweigh your rights and freedoms. In particular, we may process your Personal Information as needed to:

Provided you have not objected, send you our own marketing materials;
Protect you, Carestream or others from threats (such as security threats or fraud);
Comply with the laws that are applicable to us around the world,
Enable or administer our business, such as for quality control, analytics, consolidated reporting, and product development;
Manage corporate transactions, such as mergers or acquisitions; and
Understand and improve our business or customer relationships generally.

3. Automated Decision-Making and Profiling

We may use analytics for product development purposes, such as to understand product usage, or for security purposes, such as to identify unauthorized login attempts. We will not make automated-decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.

4. When You are Required to Provide Personal Information to Carestream

In most cases, you are not required by law to provide any Personal Information to Carestream. You are required to provide certain Personal Information to enable us to enter into a contract with you, so that you can use our products and services. Our registration forms indicate which data elements are required for our contracts. If you do not provide these data elements, we cannot do business with you.

5. Your Rights

As noted in the Carestream Privacy Notice, you always have the right to object to our marketing communications. To opt-out of emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. To revoke permissions that you may have given to send text messages, text STOP in response to any message.

Carestream also respects your rights to access, correct and request erasure or restriction of their Personal Information as required by law. This means:

You generally have a right to know whether or not Carestream maintains your Personal Information. If we do have your personal information, we will provide you with a copy (subject to the rights of others). If your information is incorrect or incomplete, you have the right to ask us to update it.
You have the right to object to our processing of your Personal Information. If we are processing your Personal Information based on your consent, you have the right to withdraw your consent at any time.
You may ask us to delete or restrict your Personal Information.

To exercise these rights, please contact the Carestream Global Privacy Office, and a member of our Privacy Team will assist you. Please understand that we may need to verify your identify before we can process your request. If Carestream is processing your Personal Information as a data processor, we will refer you to our customer (such as your healthcare professional) for assistance with these requests. Carestream supports its customers in responding to requests as required by law.

If you believe that we have processed your Personal Information inappropriately, you may also contact the Carestream Data Protection Officer or other supervisory authority. You may reach our Data Protection Officer by writing to the DPO at the Carestream Global Privacy Office address set forth above.

6. International Transfers

As noted in the Carestream Privacy Statement, your Personal Information may be transferred to, stored at or processed in the United States and other countries which may not have equivalent privacy or data protection laws.

We generally use approved Standard Contractual Clauses to assure that Personal Information is adequately protected when it is transferred out of the European Economic Area or Switzerland, but we may also make transfers to recipients with approved Binding Corporate Rules or other approved mechanism.

Please contact the Carestream Global Privacy Office if you would like more information about cross-border transfers or to obtain a copy of the Standard Contractual Clauses.

7. Data Retention

We will retain your Personal Information for as long as the information is needed for the purposes set forth in Section 3 above and for any additional period that may be required or permitted by law. You may request that we delete your Personal Information by contacting Carestream Privacy Office. Unless we have a compelling interest in retaining your information, it will be deleted it within 30 days of your request.

Important Information for California Residents

The Carestream Privacy Notice (our “Privacy Policy”) provides most of the information required by the California Consumer Privacy Act and the California Privacy Rights Act (collectively, the “CPRA”). This supplemental privacy notice gives California residents the additional information required by the CPRA.

1. Your California Privacy Rights

The CPRA provides California residents with specific privacy rights:

The right to know what personal information and sensitive personal information we collect
The right to access your personal information
The right to correct inaccurate personal information
The right to request that we delete your personal information
The right to know what categories of personal information are sold to third parties and to opt-out of that sale
The right to know what categories of personal information are shared with third parties for cross-contextual behavioral targeting and to opt-out that sharing
The right to limit the use and disclosure of sensitive personal information, and
The right not to be retaliated against for exercising your privacy rights

Personal information of children under 16 cannot be sold without affirmative consent. We do not sell or share any children’s information.

If you are a California resident, you may exercise your rights by:

Visiting our privacy rights portal at Your Privacy Choices
Emailing privacy@carestream.com
Writing to us at:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608

If you would like to designate an agent, please send an email from your own email address to privacy@carestream.com indicating the name and email address of your agent. We will respond to that person’s requests using both your email address and the agent’s email address.

If you are exercising CPRA access or deletion rights on behalf of another person, please understand that what will need to verify your authority with the person you seek to represent.

We will not retaliate against you if you exercise your rights under CPRA.

2. Additional CPRA Right to Know Disclosures

Carestream uses and discloses the following categories of personal information described in our Privacy Policy.

Carestream uses and discloses the following categories sensitive personal information as described in more detail in the Privacy Policy. We do not process any sensitive personal information for the purpose of informing characteristics about you.

Category of Sensitive Personal Information	Purposes for Use and Disclosure	Can I limit this Use and Disclosure?
Government-issued Identification Numbers	We use and disclose Government-issued Identification Numbers in connection with payments made to professionals for tax reporting and compliance.	No
Account log-in credentials	We use and disclose Account Access Information as needed to allow you to access your account, for account security purposes.	No
Financial account or payment card numbers	We use and disclose financial account and payment card numbers as needed to process transactions	No
Precise Geolocation Data	If you authorize our use of precise geolocation data in our mobile apps, we will use it to deliver content to you based on your location.	Yes, you can disable sharing location data with us by changing the setting on your mobile device

We do not collect other categories of sensitive personal information, such as biometric identifiers, the contents of mail, email or texts, or non -public information about your race, ethnicity, health, sex life or sexual orientation.

3. Sale of Personal Information and Sharing of Personal Information for Cross-Contextual Behavioral Targeting; Collection of Personal Information by Third Parties

Carestream does not sell any personal information for monetary consideration.

Some Carestream websites allow third party advertising partners to utilize cookies, web beacons or other technologies to deliver ads to you on our sites and to deliver our advertisements to you on other sites. These third parties may collect information about your online activities on our websites, and they may use persistent identifiers to track you and over time and across different websites and other online services. To learn more about You can opt-out of our sharing of your data for cross contextual behavior advertising, please see Cookies and Online Privacy.

4. Financial Incentives

Carestream does not offer financial incentives for the collection or sale of personal information. We may offer individuals the opportunity to receive free content (such as white papers or reports) if they register with their email. If you ask us to delete your information, we will not be able to receive new content, but you can continue to use content that was sent to you previously.

5. How to Contact Us and Our Chief Privacy Officer

Please contact us if you have any questions or comments about our privacy practices or this Privacy Statement. You can always reach us via email at privacy@Carestream.com. You can also reach us via mail at the postal address provided above.

Important Information for Brazilian Residents

Carestream Health is providing this supplemental privacy notice to give individuals in Brazil the additional information required by Federal Law No. 13,709/2018 - General Data Protection Law of Brazil ("LGPD"). These provisions, together with the statements in the Carestream Privacy Notice, explain our practices for personal data subject to LGPD (“Brazilian Data”).

1. Information about Carestream

This notice is being provided by Carestream Health, Inc. (the controller) and its affiliates.

Carestream Health, Inc. is based in the United States. Our representative in the EEA is:

Carestream Health, Inc.
150 Verona Street
Rochester, NY 14608

Our Brazilian affiliate is:

Carestream Health
Rua Pequetita - 215 - 3º andar - Vila Olímpia
São Paulo, SP 04552-060

You may contact the Carestream Global Privacy Office and our Data Protection Officer by emailing privacy@carestream.com or by writing to:

Carestream Health
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608

2. The Purposes and Legal Basis for Processing, including Legitimate Interests

Carestream’s Privacy Notice explains the reasons why we process Brazilian Data. We only process Brazilian Data when we have a legal basis for the processing, such as for the following types of processing activities:

To fulfill a contract with you or with your company (including providing support and service);
For closely related purposes, such as payment processing, account management, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance; and
With your consent (or provided you have not objected, as may be applicable), to respond to requests for information and to provide you with marketing communications.

We may also process your personal data for the purposes of our legitimate interests (or for the legitimate interests of your company), provided that such processing shall not outweigh your rights and freedoms. In particular, we may process Brazilian Data as needed to:

Provided you have not objected, send you our own marketing materials;
Protect you, Carestream or others from threats (such as security threats or fraud);
Comply with the laws that are applicable to us around the world,
Enable or administer our business, such as for quality control, analytics, consolidated reporting, and product development;
Manage corporate transactions, such as mergers or acquisitions; and
Understand and improve our business or customer relationships generally.

3. Automated Decision-Making and Profiling

We may use analytics for product development purposes, such as to understand product usage, or for security purposes, such as to identify unauthorized login attempts. We will not make automated decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.

4. When You are Required to Provide Personal Data to Carestream

In most cases, you are not required by law to provide any personal data to Carestream. You are required to provide certain personal data to enable us to enter into a contract with you, so that you can use our products and services. Our registration forms indicate which data elements are required for our contracts. If you do not provide these data elements, we cannot do business with you.

5. Your Rights

Carestream also respects the rights of Brazilian residents to access, correct and request erasure or restriction of their personal data as required by LGPD. This means:

You have a right to know if Carestream maintains your personal data
If we do have your personal data, you have the right to have access to the data
You have the right ask us to correct or update incomplete, inaccurate or outdated information
You have the right to ask us to anonymize, block or eliminate any unnecessary or excessive personal data, or any personal data processed in non-compliance with LGPD
You have the right to data portability, in accordance with national authority regulations
You have the right to receive information about the public and private entities with which we have shared your personal data
If we are processing your personal data on the basis of your consent, you also have the right to (1) be informed about the possibility of not providing consent and consequences of not providing consent, (2) revoke your consent, and (3) ask us to delete your personal data, subject to our rights to retain data as provided by LGPD.

To exercise these rights, please contact the Carestream Global Privacy Office, and a member of our Privacy Team will assist you. Please understand that we may need to verify your identify before we can process your request. Additionally, your rights may be subject to some limitations as provided by LGPD. If we deny your request, will explain the reasons for the denial.

If Carestream is processing your personal data as a data processor, we will refer you to our customer (such as your healthcare professional) for assistance with these requests. Carestream supports its customers in responding to requests as required by law.

If you believe that we have processed your personal data inappropriately, you may also contact the Carestream Data Protection Officer or other supervisory authority. You may reach our Data Protection Officer by writing to the DPO at the Carestream Global Privacy Office address set forth above.

6. Data Sharing

As noted in the Carestream Privacy Statement, we only share Brazilian Data:

With our affiliates, who use the personal data for the purposes set forth above.
With our service providers (data processors) or others as needed to provide the services to you
If you are affiliated with one of our customers, we may share your personal data with that customer
With your consent, such as when you take advantage of a partner offer, or
As permitted by LGPD (such as in connection with the sale of business assets) or required by law.

7. International Transfers

As noted in the Carestream Privacy Statement, your personal data may be transferred to, stored at, or processed in the United States and other countries which may not have equivalent privacy or data protection laws. However, Carestream provides that Brazilian Data are always processed in compliance with LGPD.

Carestream generally uses standard contractual clauses to assure that Brazilian Data are adequately protected when it is transferred out of Brazil, but we may also make transfers to recipients with approved global corporate rules or as otherwise permitted by law.

8. Data Retention

We will retain your personal data for as long as the information is needed for the purposes set forth in Section 3 above and for any additional period that may be required or permitted by law. You may request that we delete your personal data by contacting Carestream Privacy Office. If we do not have a legal basis for retaining your information, we will delete it in accordance with applicable law.

Your Privacy Choices

Welcome to the Carestream privacy rights portal. This page tells you how to exercise your privacy rights with respect to the personal information that we collect for our own business purposes.

DO NOT SELL. You have the right to opt-out of our sale of your personal Information, however, Carestream does not sell your personal information for monetary consideration.

DO NOT SHARE. You have the right to opt-out of our sharing of your information for cross contextual behavioral advertising. You can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. Please see Cookies and Online Privacy for additional information on how to opt-out of sharing.

ONLINE TARGETED ADVERTISING. You have the right to object to our use of your information for online targeted advertising. You can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. Please see Cookies and Online Privacy for additional information on how to opt-out of sharing.

PROFILING AND AUTOMATED DECISION-MAKING. You have the right to object to our use of profiling and/or automated decision that significantly affects you, however, Carestream does not use any profiling or automated decision making tools that significantly affect individuals.

MARKETING OPT-OUTS. You have the right to opt-out of our marketing and commercial communications. To exercise this right:

To opt-out of emails, click the link labeled “unsubscribe” at the bottom of any email we send you.
To revoke permissions that you may have given to send text messages, text STOP in response to any message.

If you have more than one email address or if you have changed your email address, please email privacy@carestream.com for assistance with changing your marketing preferences. Also, please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account.

: SENSITIVE PERSONAL INFORMATION. California residents have the right to limit secondary uses and disclosures of sensitive personal information. In general, Carestream only uses and discloses sensitive personal information as needed to fulfill the purpose for which it was collected. However, if you have authorized us to collect and use your precise geolocation data in our mobile apps, you have the right to withdraw this permission at any time by changing the permission settings on your mobile device. Please email privacy@Carestream.com if you have a specific question about our use of your sensitive personal information.; ACCESS REQUESTS. You have the right to request a copy of the personal information that Carestream maintains about you. To exercise this right, please email to privacy@carestream.com with your request. We will provide you with access to your information as required by law. In some cases, we may need to contact you to verify your identity.; CORRECTION REQUESTS. You have the right to request that we update or correct your personal information. To exercise this right, please email your specific request to privacy@carestream.com. We will process your request as required by law. In some cases, we may need to contact you to verify your identity.; DELETION REQUESTS. You have the right to request that we delete or anonymize your personal information. To exercise this right, please email your specific request to privacy@carestream.com. We will process your request as required by law. In some cases, we may need to contact you to verify your identity. Please understand that Carestream cannot delete personal information in those situations where our retention is required for our Carestream’s internal business purposes or otherwise permitted by law (such as for fraud prevention or legal compliance).; INQUIRIES AND COMPLAINTS. You have the right to ask us about our privacy practices or to lodge a complaint if you believe that we have violated your privacy rights or failed to properly secure your personal information. To exercise these rights, please email your specific question or concern to privacy@carestream.com. We take all complaints seriously, and we will do our best to be responsive to your concerns.

California residents: please read the Important Information for California Residents for specific information about your California Privacy Rights and for alternative methods for submitting California Privacy Rights requests.

Medical Imaging

Non-Destructive Testing (NDT)

Contract Manufacturing

Company

Support

Logistics