Carestream Health, Inc. and its subsidiaries (collectively, Carestream) are committed to protecting personal information. This Privacy Notice is intended to give you confidence in the privacy and security of any personal information that is entrusted to Carestream.
This Privacy Notice explains our practices regarding the “Personal Information” we collect from healthcare professionals, commercial customers, website visitors and other individuals with whom we interact.
For information about how we protect the privacy of patient information that we receive from our customers for processing, please see our Privacy Statement for Patient Information.
For information about how we protect the privacy of job applicants, employees and others with whom we have a human resources relationship, please contact privacy@carestream.com for a copy of the Carestream Human Resources Privacy Statement.
This Privacy Notice was last updated on December 20, 2022.
Supplemental Privacy Statements
Carestream generally collects personal information from and about healthcare providers and other professionals who work for our customers.
Personal Information is any information that can be used to identify, locate or contact you. It also includes other information that may be associated with your Personal Information. The chart below describes the categories of personal information we collect, the sources of that information, the reasons we collect it, and the types of people to whom we may disclose the information.
Please note that we may use and disclose any personal information for our “Everyday Business Purposes” 1 as permitted by law. We may also disclose any personal information to our affiliates and to the service providers and contractors that need to use the information to provide services to us. We have contracts with these companies that require them to protect our information and to comply with law. We may also disclose any information when required by law, such as to law enforcement agencies or to parties in litigation, or to the company you work for, when we are providing services to that company.
Category and Sources of PI | Purposes for Collecting this PI | Disclosures of this PI |
---|---|---|
Business Contact Information This is the type of information on your business card, such as your name and title, company affiliation, mailing address, email address and telephone number. We collect this type of information from you and from publicly available sources, such as hospital websites and social media sites. We may also receive information from event and trade show organizers. |
We use this type of information to identify you and communicate with you, including:
|
We disclose this type of information to service providers and contractors and to:
|
Business Customer Information We collect “B2B” personal information about business professionals associated with our commercial customers, suppliers and partners in the context of the relationships we have with these companies. This includes:
We collect this type of information from you and from your company. We may receive your data from third parties, such as trade associations or trade shows. |
We use this type of information:
|
We may disclose this type of information to:
|
Unique Identifiers Such as:
We collect this type of information from your devices and from our online partners, such as third parties, who place cookies containing advertising IDs on your devices for us. |
We use this type of information:
|
We disclose this type of information to service providers and contractors that fulfil orders and support our information technology and security programs, including companies that assist with fraud prevention, detection and mitigation. Advertising ID is shared with third party network advertising partners. |
Account Access Information Such as:
We collect this type of information from you, when you establish an account or change your password. We may create this information for you, such as if we assign you a username or account number or issue you a temporary password. |
We use this type of information:
|
We disclose this type of information to service providers and contractors that assist with our information technology and security programs. |
Online & Technical Information Such as:
We collect this type of information from your computer or devices when you interact with our platforms, websites and applications. For example, when you visit our websites, our server logs record your IP address and other information. We may also receive this information from third parties, including computer security services and advertising partners. Please see Cookies and Online Privacy to learn more. |
We use this type of information:
|
We may disclose this type of information to our service providers and contractors who support our information technology programs or host our websites and to third party network advertising partners. |
Audio Visual Information Such as:
We collect this type of information from you and automatically, such as when we record calls to our call center and use CCTV cameras in our facilities. |
We use this type of information:
|
We may disclose this type of information to our service providers and contractors that support our information technology and security programs, and our loss prevention programs. |
Compliance data Such as:
We collect this type of information from you and from third parties, including companies that help us conduct internal investigations. |
We use this type of information:
|
We may disclose this type of information to our service providers and contractors, including our lawyers, auditors and consultants, and to:
|
1 Everyday Business Purposes encompasses the Business Purposes (as defined by California law) and the following related purposes for which any personal information may be processed:
Please note that we may also use and disclose information about you that is not personally identifiable. For example, we may publish reports or create products that contain de-identified, aggregated or statistical data. These reports and products do not contain any information that would enable the recipient to contact, locate or identify you.
Carestream does not sell any personal information for monetary consideration.
Carestream respects your rights to access, correct and request erasure or restriction of your personal information as required by law. Depending on your country or state of residence, these rights may include
Depending on where you reside, you may have additional rights under applicable law. To learn more and to exercise your rights, please visit Your Privacy Choices or contact us via email at privacy@carestream.com. We will need to confirm your identity before we can fulfill most requests, as we need to be sure that your personal information is not disclosed to an unauthorized recipient.
Please understand that these rights are subject to some limitations. For example, we may require documentation to support certain corrections to your information, and we generally cannot restrict or delete personal information in those situations where our retention is required for our internal business purposes or to comply with law.
We will not retaliate against you if you exercise your privacy rights.
If we have collected or received your personal information in our capacity as a service provider to a Carestream customer, that company can assist you with requests related to exercising your privacy rights, as Carestream cannot fulfill these requests directly. We suggest you reach out to such company to learn more about its privacy practices and make requests to exercise your rights. Carestream supports our clients as needed to help them respond to such requests.
Online Data Collection
When you visit our website or use our mobile applications, we collect personal information and other data by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons.
Cookies are small text files that websites send to your computer, or other Internet-connected device, to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. In many cases, the information we collect using cookies is only used in a non-identifiable way, without any reference to Personal Information. For example, we use information we collect about all website users to optimize our websites and to understand website traffic patterns.
In some cases, we do associate the information we collect with your Personal Information. This Privacy Notice governs how we use that information when we associate it with your Personal Information. We use cookies and other technologies for the following purposes:
Pixel tags and web beacons are tiny graphic images placed on website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.
We collect many different types of information from server logs and other technologies. For example, we may collect information from the device you use to access our website, i.e., your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs also record the IP address of the device you use to connect to the Internet. An IP address is a unique identifier that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to Carestream and the website you visit after you leave our site.
Third Party Advertising Companies
We have relationships with third party advertising companies to place advertisements on this website and other websites, and to perform tracking and reporting functions for this website and other websites. These third party advertising companies may place cookies on your computer when you visit our website or other websites so that they can display targeted advertisements to you.
To opt out of having your information used or shared for online targeted advertising, you can adjust the settings on your browser. Visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available. You can also use cookie management tools, such as Ghostery or Privacy Badger, to block tracking cookies across all websites.
For more information about third party advertising, you can also visit the Network Advertising Initiative (NAI) at https://thenai.org/. To opt out of being targeted by many third party advertising companies visit: https://thenai.org/opt-out/ or https://preferences-mgr.trustarc.com/.
Google Analytics
Google Analytics is a web analytics tool provided by Google, Inc. that helps website owners understand how visitors engage with their website. Carestream uses Google Analytics to view a variety of reports about how visitors interact with our websites so that we can improve them. Google Analytics uses cookies and other tools, which generate information about your use of our website (including your IP address). This information is transmitted to and stored by Google on servers in the United States. Google uses this information to evaluate your use of our website, report on website activity and provide other services to us. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google may combine this information with other data held by Google pursuant to Google’s privacy policy available on Google’s website.
To opt-out of having your information used for Google Analytics, please see Your Privacy Choices. For more information on how Google Analytics uses data, please visit “How Google uses data when you use our partners’ sites or apps”, located at: www.google.com/policies/privacy/partners/.
Our websites may enable you to interact with us and others via social media platforms, such as Facebook, Twitter, and Instagram. While we respect all social media platforms’ privacy policies, we may collect Personal Information about you and your friends if you choose to use these tools. We use the information to facilitate an interactive social experience.
We may display interest-based ads to you when you are using platforms such as Facebook and Google. These platforms allow us to personalize the ads that we display to you. We do not share any of your Personal Information with these platforms, although we may convert your email address into a unique number which can be matched by the platform with its user to allow delivery of the advertising. Although we do not provide any personal information to these platforms, they may gain insights about individuals who respond to the ads we serve.
Our products may provide forums and other public areas where professionals can communicate. Prior to posting in these areas, please read our Terms of Use carefully. All the information you post will be viewable to anyone with access to the area, and any Personal Information you include in your posting may be read, collected, and used by others. Please use caution when posting any Personal Information and do not post any patient-identifiable health information in our forums.
We may use analytics to understand how individuals interact with us and our products, such as for product development purposes. We also use analytics for compliance, security and fraud prevention purposes. However, we do not use profiling or automated decision tools to make decisions that produce legal or similarly significant legal effects for you; any such decisions are made only based on human review.
Your personal information may be transferred to, stored at or processed in the United States or other countries which may not have equivalent privacy or data protection laws. However, regardless of where your personal information is transferred, we will protect it in accordance with this Privacy Notice and applicable law.
If you are located outside the United States, we generally use approved Standard Contractual Clauses to authorize the transfers of personal information and to demonstrate that the information remains adequately protected. Please contact us via email at privacy@carestream.com if you would like to learn more about our cross-border transfers.
We have implemented reasonable technical, physical and administrative safeguards to help protect your personal information against unauthorized access or loss. For example, when we ask users to provide payment information (such as credit card number), the data is protected during transmission to us using industry-standard encryption.
We will retain your personal information for as long as the information is needed for the purposes listed above and for any additional period that may be required or permitted by law, such as for business, legal, accounting, or reporting requirements or pursuant to client contract requirements.
If you would like us to delete your personal information collected directly by Carestream, please contact us via email at privacy@carestream.com. If we do not have a legal basis for retaining your information, we will delete it as required by applicable law.
Our websites may contain links to other companies’ websites. This Privacy Notice only addresses the use and disclosure of information by Carestream, Inc. and its affiliates. Other websites that may be accessible through this website have their own privacy policies and data collection, use and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by all third parties prior to providing them with information or taking advantage of an offer or promotion.
If you have applied for employment with Carestream, the Personal Information submitted with your job application will be used only for recruitment and other customary human resources purposes. Please contact privacy@carestream.com for a copy of our human resources privacy statement.
From time to time, we may update this Privacy Notice to reflect new or different privacy practices. We will place a notice online when we make material changes to this Privacy Notice. Additionally, if the changes will materially affect the way we use or disclose previously-collected Personal Information, we will notify you about the change by sending a notice to the primary email address associated with your account.
Please contact us if you have any questions or comments about our privacy practices or this Privacy Notice. You can always reach us online at: privacy@carestream.com. You can also reach us via mail to:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
Carestream is committed to protecting the privacy and security of all personal information that we process in order to provide services to our healthcare professional customers and their patients. This notice explains our practices with regard to the personal information we receive from our customers as a data processor.
Carestream will collect and process patient personal information only as instructed by our customers. We will not use or disclose patient information for our own purposes. Carestream will at all times maintain reasonable and appropriate security controls to protect patient information.
Carestream will disclose patient information to our customers and to other entities (including other healthcare professionals) when instructed by our customers. We may disclose patient information to our affiliates and approved data processors as needed to provide the services that our customers have requested. These entities are all contractually bound to limit use of your personal information as needed to perform the services. We may also disclose patient information when required by law.
For patients based in the United States, patient information is classified as protected health information under the US health privacy law known as the Health Insurance Portability and Accountability Act (“HIPAA”). Carestream will collect and process protected health information only as required or permitted by our business associate agreements and applicable laws, including HIPAA. Carestream will at all times maintain reasonable and appropriate security controls to protect the information as required by HIPAA.
For patients based outside of the United States, your personal information is always processed in accordance with applicable law. Patient information may be transferred to Carestream affiliates and data processors in the United States and elsewhere in the world. Carestream will always protect the privacy and security of patient information, regardless of where it is processed. Patient information transfers from the European Economic Area and other countries with data transfer restrictions are authorized by approved model contracts or other appropriate mechanisms.
If you have questions about your privacy rights, please contact your healthcare provider. If you believe that Carestream has not handled your personal information properly, you may also contact Carestream’s Privacy Office at: privacy@carestream.com.
Carestream Health is providing this supplemental privacy notice to give individuals in the European Economic Area (EEA) the additional information required by the EU General Data Protection Regulation and related laws. These provisions, together with the statements in the Carestream Privacy Notice, explain our practices with regard to EEA, Swiss and UK personal data.
1. Information about Carestream
This notice is being provided by Carestream Health, Inc. and its affiliates. Carestream Health, Inc. is based in the United States. Our representative in the EEA is:
Carestream Health Netherlands, B.V.
Bramenberg 12
3755 BZ Eemnes
Netherlands
You may contact the Carestream Global Privacy Office by emailing privacy@carestream.com or by writing to:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
2. The Purposes and Legal Basis for Processing, including Legitimate Interests
Carestream’s Privacy Notice explains the reasons why we process your Personal Information. We only process Personal Information when we have a legal basis for the processing, such as:
We may also process your Personal Information for the purposes of our legitimate interests, provided that such processing shall not outweigh your rights and freedoms. In particular, we may process your Personal Information as needed to:
3. Automated Decision-Making and Profiling
We may use analytics for product development purposes, such as to understand product usage, or for security purposes, such as to identify unauthorized login attempts. We will not make automated decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.
4. When You are Required to Provide Personal Information to Carestream
In most cases, you are not required by law to provide any Personal Information to Carestream. You are required to provide certain Personal Information to enable us to enter into a contract with you, so that you can use our products and services. Our registration forms indicate which data elements are required for our contracts. If you do not provide these data elements, we cannot do business with you.
5. Your Rights
As noted in the Carestream Privacy Notice, you always have the right to object to our marketing communications. To opt-out of emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. To revoke permissions that you may have given to send text messages, text STOP in response to any message.
Carestream also respects your rights to access, correct and request erasure or restriction of your Personal Information as required by law. This means:
To exercise these rights, please contact the Carestream Global Privacy Office, and a member of our Privacy Team will assist you. Please understand that we may need to verify your identity before we can process your request. If Carestream is processing your Personal Information as a data processor, we will refer you to our customer (such as your healthcare professional) for assistance with these requests. Carestream supports its customers in responding to requests as required by law.
If you believe that we have processed your Personal Information inappropriately, you may also contact the Carestream Data Protection Officer or other supervisory authority. You may reach our Data Protection Officer by writing to the DPO at the Carestream Global Privacy Office address set forth above.
6. International Transfers
As noted in the Carestream Privacy Statement, your Personal Information may be transferred to, stored at or processed in the United States and other countries which may not have equivalent privacy or data protection laws.
We generally use approved Standard Contractual Clauses to assure that Personal Information is adequately protected when it is transferred out of the European Economic Area or Switzerland, but we may also make transfers to recipients with approved Binding Corporate Rules or another approved mechanism.
Please contact the Carestream Global Privacy Office if you would like more information about cross-border transfers or to obtain a copy of the Standard Contractual Clauses.
7. Data Retention
We will retain your Personal Information for as long as the information is needed for the purposes set forth in Section 3 above and for any additional period that may be required or permitted by law. You may request that we delete your Personal Information by contacting the Carestream Privacy Office. Unless we have a compelling interest in retaining your information, it will be deleted within 30 days of your request.
The Carestream Privacy Notice (our “Privacy Policy”) provides most of the information required by the California Consumer Privacy Act and the California Privacy Rights Act (collectively, the “CPRA”). This supplemental privacy notice gives California residents the additional information required by the CPRA.
1. Your California Privacy Rights
The CPRA provides California residents with specific privacy rights:
Personal information of children under 16 cannot be sold without affirmative consent. We do not sell or share any children’s information.
If you are a California resident, you may exercise your rights by:
Carestream Health, Inc.
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
If you would like to designate an agent, please send an email from your own email address to privacy@carestream.com indicating the name and email address of your agent. We will respond to that person’s requests using both your email address and the agent’s email address.
If you are exercising CPRA access or deletion rights on behalf of another person, please understand that we will need to verify your authority with the person you seek to represent.
We will not retaliate against you if you exercise your rights under CPRA.
2. Additional CPRA Right to Know Disclosures
Carestream uses and discloses the following categories of personal information described in our Privacy Policy.
Carestream uses and discloses the following categories of sensitive personal information as described in more detail in the Privacy Policy. We do not process any sensitive personal information for the purpose of inferring characteristics about you.
Category of Sensitive Personal Information | Purposes for Use and Disclosure | Can I limit this Use and Disclosure? |
---|---|---|
Government-issued Identification Numbers | We use and disclose Government-issued Identification Numbers in connection with payments made to professionals for tax reporting and compliance. | No |
Account log-in credentials | We use and disclose Account Access Information as needed to allow you to access your account, for account security purposes. | No |
Financial account or payment card numbers | We use and disclose financial account and payment card numbers as needed to process transactions. | No |
Precise Geolocation Data | If you authorize our use of precise geolocation data in our mobile apps, we will use it to deliver content to you based on your location. | Yes, you can disable sharing location data with us by changing the setting on your mobile device. |
We do not collect other categories of sensitive personal information, such as biometric identifiers, the contents of mail, email or texts, or non-public information about your race, ethnicity, health, sex life or sexual orientation.
3. Sale of Personal Information and Sharing of Personal Information for Cross-Contextual Behavioral Targeting; Collection of Personal Information by Third Parties
Carestream does not sell any personal information for monetary consideration.
Some Carestream websites allow third party advertising partners to utilize cookies, web beacons or other technologies to deliver ads to you on our sites and to deliver our advertisements to you on other sites. These third parties may collect information about your online activities on our websites, and they may use persistent identifiers to track you over time and across different websites and other online services. To learn more about how you can opt out of our sharing of your data for cross-contextual behavioral advertising, please see Cookies and Online Privacy.
4. Financial Incentives
Carestream does not offer financial incentives for the collection or sale of personal information. We may offer individuals the opportunity to receive free content (such as white papers or reports) if they register with their email. If you ask us to delete your information, you will not be able to receive new content, but you can continue to use content that was sent to you previously.
5. How to Contact Us and Our Chief Privacy Officer
Please contact us if you have any questions or comments about our privacy practices or this Privacy Statement. You can always reach us via email at privacy@Carestream.com. You can also reach us via mail at the postal address provided above.
Carestream Health is providing this supplemental privacy notice to give individuals in Brazil the additional information required by Federal Law No. 13,709/2018 - General Data Protection Law of Brazil ("LGPD"). These provisions, together with the statements in the Carestream Privacy Notice, explain our practices for personal data subject to LGPD (“Brazilian Data”).
1. Information about Carestream
This notice is being provided by Carestream Health, Inc. (the controller) and its affiliates.
Carestream Health, Inc. is based in the United States. Our representative in the EEA is:
Carestream Health, Inc.
150 Verona Street
Rochester, NY 14608
Our Brazilian affiliate is:
Carestream Health
Rua Pequetita - 215 - 3º andar - Vila Olímpia
São Paulo, SP 04552-060
You may contact the Carestream Global Privacy Office and our Data Protection Officer by emailing privacy@carestream.com or by writing to:
Carestream Health
Privacy Office/Legal Department
150 Verona Street
Rochester, NY 14608
2. The Purposes and Legal Basis for Processing, including Legitimate Interests
Carestream’s Privacy Notice explains the reasons why we process Brazilian Data. We only process Brazilian Data when we have a legal basis for the processing, such as for the following types of processing activities:
We may also process your personal data for the purposes of our legitimate interests (or for the legitimate interests of your company), provided that such processing shall not outweigh your rights and freedoms. In particular, we may process Brazilian Data as needed to:
3. Automated Decision-Making and Profiling
We may use analytics for product development purposes, such as to understand product usage, or for security purposes, such as to identify unauthorized login attempts. We will not make automated decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.
4. When You are Required to Provide Personal Data to Carestream
In most cases, you are not required by law to provide any personal data to Carestream. You are required to provide certain personal data to enable us to enter into a contract with you, so that you can use our products and services. Our registration forms indicate which data elements are required for our contracts. If you do not provide these data elements, we cannot do business with you.
5. Your Rights
As noted in the Carestream Privacy Notice, you always have the right to object to our marketing communications. To opt-out of emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. To revoke permissions that you may have given to send text messages, text STOP in response to any message.
Carestream also respects the rights of Brazilian residents to access, correct and request erasure or restriction of their personal data as required by LGPD. This means:
To exercise these rights, please contact the Carestream Global Privacy Office, and a member of our Privacy Team will assist you. Please understand that we may need to verify your identity before we can process your request. Additionally, your rights may be subject to some limitations as provided by LGPD. If we deny your request, we will explain the reasons for the denial.
If Carestream is processing your personal data as a data processor, we will refer you to our customer (such as your healthcare professional) for assistance with these requests. Carestream supports its customers in responding to requests as required by law.
If you believe that we have processed your personal data inappropriately, you may also contact the Carestream Data Protection Officer or other supervisory authority. You may reach our Data Protection Officer by writing to the DPO at the Carestream Global Privacy Office address set forth above.
6. Data Sharing
As noted in the Carestream Privacy Statement, we only share Brazilian Data:
7. International Transfers
As noted in the Carestream Privacy Statement, your personal data may be transferred to, stored at, or processed in the United States and other countries which may not have equivalent privacy or data protection laws. However, Carestream provides that Brazilian Data are always processed in compliance with LGPD.
Carestream generally uses standard contractual clauses to assure that Brazilian Data are adequately protected when they are transferred out of Brazil, but we may also make transfers to recipients with approved global corporate rules or as otherwise permitted by law.
8. Data Retention
We will retain your personal data for as long as the information is needed for the purposes set forth in Section 3 above and for any additional period that may be required or permitted by law. You may request that we delete your personal data by contacting the Carestream Privacy Office. If we do not have a legal basis for retaining your information, we will delete it in accordance with applicable law.
Welcome to the Carestream privacy rights portal. This page tells you how to exercise your privacy rights with respect to the personal information that we collect for our own business purposes.
If we have collected or received your personal information in our capacity as a service provider to a Carestream customer, that company can assist you with requests related to exercising your privacy rights, as Carestream cannot fulfill these requests directly.
If you have more than one email address or if you have changed your email address, please email privacy@carestream.com for assistance with changing your marketing preferences. Also, please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account.
California residents: please read the Important Information for California Residents for specific information about your California Privacy Rights and for alternative methods for submitting California Privacy Rights requests.