At Topbox, we make great efforts to ensure that your personal information is safe and is used properly.
This policy is intended to inform you (collectively “Consumers” or “Users”) about Topbox’s collection, use and disclosure of information that we receive through the services that we provide to our Clients and through our corporate websites, topbox.io, topboxanalytics.com and topbox.ai (“Websites”). We process your Personal Data (as defined below) subject to the terms of this policy. By using the Topbox Websites, you consent to the data practices described in this statement.
Personal Data refers to data that personally identifies an individual, such as name, physical address, email address, and phone number. We may collect Personal Data from Users in a number of ways, including but not limited to, when Users visit our Websites, register on the Websites, subscribe to our content, fill out a form, and in connection with other activities, services, features or resources we make available on our Websites. Additionally, when you or someone on your behalf contacts our Clients, we may receive certain Personal Data that may be used by Topbox to provide our Services to you.
Information about your computer hardware and software may be automatically collected by Topbox. This information can include: your IP address, browser type, type of computer, internet service provider, domain names, access times and referring website addresses. This information is used for the operation of our Websites and Services, to maintain their quality, for B2B marketing, and to provide general statistics regarding use of the Topbox Websites and Services.
Topbox’s Role as a Service Provider
Topbox’s analytics software is used by our Clients to improve their customers’ experiences and improve their business operations (the “Services”). Topbox provides the Services via a hosted platform and through employees and contractors that are located in the United States. Topbox acts as a processor of data received from our Clients. Clients are responsible for managing the data that they deliver for processing using the Services. Our Clients determine the categories of Personal Data that are provided to Topbox. Topbox does not know the categories of Personal Data to be processed or the purpose of the processing unless such information is provided by its Clients or prospective clients.
Topbox relies upon our Clients to obtain any consent from consumers that may be required to authorize Topbox’s privacy practices regarding Topbox’s collection and use of the Personal Data and Protected Health Information (“PHI”) received from our Clients. Topbox is not responsible for the policies or practices of our Clients or prospective clients with respect to the Personal Data those entities collect or provide to Topbox.
Third Party Websites
Topbox encourages you to review the privacy statements of websites you choose to link to from Topbox so that you can understand how those websites collect, use and share your information. Topbox is not responsible for the privacy practices, statements or content on websites outside of the Topbox websites.
The Topbox websites may use "cookies" to help personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Topbox Services or Websites you visit.
Topbox does not currently acknowledge or take action based on Do Not Track headers.
Use and Disclosure of Protected Data
We share a commitment with Covered Entities to protect the privacy and confidentiality of PHI that we obtain subject to the terms of a Business Associate Agreement (“BAA”). PHI includes all individually identifiable health information that can be used to identify an individual and was created, used or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
Topbox may receive PHI within the data provided by our Clients to the extent such use of PHI is permitted or required by the BAAs and not prohibited by law. We may use PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BAAs and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BAAs with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also disclose your Protected Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government or public authorities request.
We use appropriate safeguards to prevent the use or disclosure of Personal Data and PHI (collectively, “Protected Data”) other than as provided for in our BAAs. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic information that we create, receive, maintain, or transmit on behalf of our customers. Such safeguards include:
• Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
• Providing appropriate training for our staff to assure that our staff complies with our security policies;
• Making use of appropriate encryption when transmitting Protected Data;
• Utilizing appropriate storage, backup, disposal and reuse procedures to protect Protected Data;
• Utilizing appropriate authentication and access controls to safeguard Protected Data;
• Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
• Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the Protected Data we hold on behalf of our customers is available when needed.
However, despite our efforts, no security controls are 100% effective and Topbox cannot ensure or warrant the security of your Protected Data.
Mitigation of Harm
In the event of a use or disclosure of Protected Data that may not be consistent with the requirements of our BAAs, we will mitigate, to the extent practicable, any harmful effect resulting from such use or disclosure. Such mitigation will include:
• Reporting any security incident of which we become aware to the Covered Entity; and
• Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
Access to Protected Health Information
As provided in our BAAs, we will make available to Covered Entities, information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.
Correcting, Updating or Deleting Your Personal Data
Topbox has no direct relationship with the Consumers whose Personal Data it processes on behalf of our Clients. If you would like to access, correct, amend, or delete your user information submitted through a Client, please contact that Client directly. If the Client requests Topbox to remove the data, we will respond to their request within a reasonable timeframe.
If you would like to access, correct, amend or delete any of your personally identifiable information collected or held by Topbox, contact us using one of the methods listed in this policy. We will respond to such requests within a reasonable timeframe.
Please note that in certain circumstances we may be required by law to retain your personal information, or may need to retain your personal information in order to continue providing a service.
EU-US & Swiss-US Privacy Shield Information
Topbox Privacy Office
12000 Trailridge Drive
Potomac, Maryland 20854
Topbox provides recourse to you if you believe that Topbox has failed to comply with the Privacy Shield Principles regarding your Personal Data. You can contact us with details of your complaint at firstname.lastname@example.org. If you do not receive a response from us within 45 days or if you feel that our response to your complaint is unsatisfactory you can refer your complaint to a free, independent dispute resolution mechanism: BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. Please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Under certain conditions, you may invoke binding arbitration for complaints before the Privacy Shield Panel that have not been resolved by any other dispute resolution procedures. More information can be found here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Children Under 13
Topbox does not knowingly collect Personal Data from website visitors who are under the age of 13. If you believe your child has provided Personal Data, please contact us at email@example.com.
Sharing Your Personal Data
We do not sell, trade, or rent Personal Data to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us deliver the Services, operate our business and our Websites, or administer activities on our behalf, such as sending out newsletters or surveys to Topbox clients and prospects.
Opt-Out & Unsubscribe
We respect your privacy and give you an opportunity to opt-out of receiving announcements of marketing information. Users may opt-out of receiving marketing communications from Topbox at any time by contacting us at firstname.lastname@example.org.
Changes to this Policy
Your Acceptance of These Terms
By using this Website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Website. Your continued use of the Website following the posting of changes to this policy will be deemed your acceptance of those changes.
12000 Trailridge Drive
Potomac, Maryland 20854
Effective as of July 7, 2018