Suracell's Commitment to Privacy

Suracell believes that consumers can make informed decisions about disclosing personal information only after fully understanding how it collects, maintains and uses such information. This is why Suracell wants you to know what its privacy policy and practices are. Suracell understands that you may be concerned about the privacy of your personal information, and recognizes the importance of strong protections and appropriate management of any information you choose to share with Suracell. That is why Suracell is strongly committed to maintaining your personal information as strictly confidential according to the highest standards of privacy protection. Furthermore, to demonstrate our commitment to safeguarding your privacy, we guarantee that you have full control over the uses of your personal information.

The Federal Trade Commission (FTC) established Fair On-line Information Practices that represent the closest thing to an industry regulatory standard for privacy practices. The FTC defines fair information practice as
Suracell's senior management assumes complete responsibility for maintaining full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and any other applicable state and federal privacy laws. Suracell guarantees that in the event that Suracell ever receives, or creates, protected health information, as defined under HIPAA and / or non-public personal information, as defined under GLB, all regulations will be fully complied with. Suracell has established policies and procedures to penalize any compliance failures. Such failures by Suracell employees could result in employment termination or legal action.

Suracell's Collection of Information

Visitors to its site: Suracell respects the privacy of individuals who visit our web site and for this reason anyone can visit our site without telling us anything about themselves. From time to time our website may be configured to collect web-domain information as part of our analysis of how people use our site. This is a common practice that most companies follow to better understand the aggregate users of their website, and the type of usage. Suracell gathers this information in order to improve its website to better serve its users. This web-domain information does not identify any specific individual. We only gather certain information based upon how visitors access our web-site. For example, this information could include what browser is used and the user's Internet Protocol ("IP") address.

An IP address is an identifier for a computer or device on a Transmission Control Protocol/Internet Protocol ("TCP/IP") network, such as the World Wide Web. Networks like the Web use the TCP/IP protocol to route information based on the IP address of the destination. In other words, an IP address is a number that is automatically assigned to your computer whenever you are surfing the web, allowing web servers to locate and identify your computer.
Computers require IP addresses in order for users to communicate and browse on the Internet. On an aggregated basis, we may collect anonymous data related to the web pages that are accessed, clicked on, and searched for, and this data may be used by Suracell internally to improve its ability to serve its customers and visitors.

Some pages and functions on the Suracell website require use of a technology called "cookies". This is also common practice on most websites. Cookies are small files that the Suracell website places on your hard drive for the purposes of tracking user identification, enhancing functionality and tracking page navigation. Suracell does not gather or store any permanent information from use of cookies during a user's interaction with the Suracell website. You should note that cookies cannot read any information off of your hard drive. Further, your web browser can be configured to allow you to be notified when you are receiving a cookie, and give you the choice to accept it or not. You can also refuse all cookies by turning them off in your browser's internet options. You do not need to have cookies turned on to use any informational area of our web site, but cookies must be turned on to allow product purchases, and to allow registered users of the website to sign in to their Suracell accounts. Any information used by Suracell via use of cookies is collected automatically and requires no action on your part.

If you have suggestions about how Suracell can improve its website, we encourage you to send them to webmaster@suracell.com.

Collection of Personal Information from Customers

Suracell does not obtain any personal information without prior customer consent. Suracell does not use disclosed information in any ways other than those specifically authorized by its customers. Furthermore, Suracell does not share or sell any personal information to third parties, unless as described in this privacy statement.
When you register on the Suracell website, order Suracell products online, or elect to participate in the Suracell program, Suracell collects "personally identifiable data" that identifies you in some way, such as your mailing address, your telephone number or your answers to the Suracell environmental and lifestyle questionnaire. "Personally identifiable data" can also refer to your biological data, such as any samples you may submit for testing. None of this data is ever shared with any outside individual or business entity unless you have provided us with specific prior permission.

Registration: Collection of Customer Information Service Providers Testing and the Suracell Program: If you choose to undertake the Suracell program, Suracell will request that you provide two types of personal information;
Suracell only obtains the personal information that you agree to disclose to us. (See the informed consent form acceptance on the Suracell website, which is required before genetic health information can be generated). Everyone who chooses to share personal information with Suracell nonetheless owns and controls that information. Please note that you will receive the most accurate results if you answer all of the questions in the online questionnaire.

Collecting Information From Prospective Partners

Suracell will also collect personal information from physicians and health care practitioners who are looking to become partners of Suracell. We will collect their contact information such as name, phone number, address and email. We collect these forms of personal information so we can contact them directly to discuss partnerships. Also, if a partnership materializes out of the collection of this information, the information may be posted publicly on our website in the “Our Partners” section so the clients can find Suracell Partners in their area. If at any point in time the partners want to edit or remove their information from the website and terminate the partnership, they are able to do so by contacting us via telephone at (973) 932-1200 or via email at contact@suracell.com, or in writing to our mailing address at: Suracell Inc., 184 S. Livingston Avenue #113, Livingston, NJ 07039-3011.

How Suracell Keeps your Personal Information Confidential and Secured

Immediately upon completion of testing, your specimen(s) are destroyed. This prevents any unauthorized access or usage. Your DNA and Biomarker samples and all other personal health information are kept strictly confidential by "de-personalizing" the data, as explained above, by the use of the test registration number. Tests and assessments are done only on "anonymous" data identified only by the test registration number. Suracell's experts, in other words, do not know whose data they are evaluating.
The few highly trained Suracell staff who are authorized to access your personal information are prohibited from sharing any of that information with anyone, unless under exceptional circumstances, such as when ordered by a court. For example, as with written records, Suracell may be required by law or judicial authority to release your personal information, such as in the event of a court order or search warrant. Suracell will always notify you in advance of making the required disclosure, unless a court order prohibits prior notification. All Suracell employees are strictly prohibited from sharing any information with any third party. Furthermore, all Suracell employees are obligated to abide by this Privacy Policy and Practices. Anyone who violates these conditions is subject to disciplinary action, up to and including termination or possible criminal prosecution.

Suracell's Use of Personal Information Collected

Suracell uses the personal information it collects to generate your personalized wellness program, which involves providing you or your designated physician or health care practitioner with your test results, and your personalized nutraceutical regimen. All personal information that is sent from the laboratories to Suracell and used to determine your individual personalized program is de-identified until the very last step of matching your results and program to your personal information so that it may be properly and securely delivered to you or your physician or health care practitioner. Suracell meets, if not exceeds, industry standards for assuring data integrity and confidentiality. The loss, misuse or alteration of personal information is controlled by various measures.
All personal information transmitted online is carried and stored by a data network which is protected by firewalls, password protections and encryptions using Secure Socket Layer ("SSL"/HTTPS) technology that encrypts all data before being transmitted or stored via Suracell's secure network. While transmitting personal information is never absolutely 100% risk free because there is always some risk of loss, misuse or alteration, the risks in transmitting information to Suracell are exceedingly low, and more secure than other common methods of communication such as your use of the telephone or US Postal System. Suracell encourages clients to check and make sure that their personal information is fully accurate. Clients may request a copy of information provided and / or contact Suracell to correct errors by emailing contact@suracell.com, or calling 1-973-932-1200.

What choices do you have about the collection, use and distribution of your information?

Access to and Ability to Correct Personal Data

All customers have the right to access their online account at any time in order to correct mistaken information. Upon request, Suracell will provide you with a summary of any or all personal data that you've shared with us. You may contact Suracell at any time via telephone at (973) 932-1200 or via email at contact@suracell.com, or in writing to our mailing address at: Suracell Inc., 184 S. Livingston Avenue #113, Livingston, NJ 07039-3011. You have the right to request that such information is modified, corrected, updated or removed from our database. We encourage you to correct any inaccuracies, especially because the quality of our advice to you strongly depends on the accuracy of the information provided in your questionnaire. Suracell will only contact you at the email address held on file for you.
"Opting-out" of Receiving News and Information from Suracell

On the "Billing Address" page that appears when new clients make an online purchase there is a question which asks whether you, as a client, wish to receive news and product updates from Suracell. The default value is "No" ("opt-out"), so if you do not wish to be contacted for these purposes, leave the check box at "no" -- you do not need to do anything further. However, if you choose to select "Yes" ("opt-in"), then at some future time decide you do not wish to be contacted for these purposes, you may sign in and select "My Profile" and update your profile by selecting "No" ("opt-out") to this question. You may also contact Suracell directly to have your profile setting set to "No" ("opt-out"). To do this, you may either call 973-932-1200, or email us at contact@suracell.com, or write to us at our mailing address at: Suracell Inc., 184 S. Livingston Avenue #113, Livingston, NJ 07039-3011. On your request, we will set your profile to "opt-out" and you will not be contacted in any form for the purposes of receiving any news or promotional information.

Withdrawal of Consent

As with any purchase, you have the right to change your mind and ask for a refund. That is, you have the right to change your mind about whether to have your specimen(s) tested and receive your personal genetic information. If you purchase a Suracell test kit but elect not to take the test, the kit may be returned within 30 days for a full refund. If you take and register a test, but then do not send in your samples, the kit may be returned (minus the used specimen collection items) within 30 days for a refund. If you change your mind after sending in your samples and registering a test kit, you may contact Suracell at any time and your samples will be discarded, testing will not take place, or, if testing has already occurred, your test results will be destroyed and hence made unavailable to yourself or anybody else.
If analysis of your test has been completed and the test results already made available, you can request that the results be discarded and erased. If you further decide that you do not want Suracell to retain any information about you or related to you in any way, you can request that Suracell delete all of your records from our database, and this will be done immediately on request. You may contact Suracell at any time via telephone at (973) 932-1200 or via email at contact@suracell.com, or in writing to our mailing address at: Suracell Inc., 184 S. Livingston Avenue #113, Livingston, NJ 07039-3011.

Accountability

Suracell has a Security Officer who is accountable to senior management reporting to Suracell's Board of Directors. The Security Officer is responsible for enforcing corporate data security policies and practices, including privacy protection practices. Suracell may, at any time, revise this Privacy Statement by updating this posting. Any revisions will be posted on our homepage so that visitors, as well as customers, are fully informed of our privacy policy and practices. If you have questions or concerns regarding this policy please contact us at: contact@suracell.com or call us at (973) 932-1200.

Suracell Data Security Policy and Procedures

HIPAA / Gramm-Leach-Bliley Compliance. Suracell senior management assumes complete responsibility in maintaining compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and/or nonpublic personal information, as defined under the Gramm-Leach-Bliley Act and other federal or state privacy laws. Suracell senior management guarantees that in the event Suracell ever receives or creates Protected Health Information, as defined under HIPAA, and/or nonpublic personal information, as defined under GLB or state regulations, all such regulations will be complied with.
When an individual requests participation in the Suracell Program, they must first certify that they are 18 years of age or older, and that they consent to supply Suracell with personal health information, such as their specimens and answers to the Suracell Environmental and Lifestyle Questionnaire. Suracell only obtains the personal information that you agree to disclose to us. (See the informed consent form acceptance on the Suracell website, which is required to be completed before genetic and biomarker health information can be generated). Everyone who chooses to share personal information with Suracell nonetheless owns and controls that information. Suracell warrants that all personal health and other information in its possession is protected and used in such a way that would not cause any violation of HIPAA privacy regulations, GLB or other federal or state privacy laws. Suracell will at all times maintain and use appropriate safeguards to prevent unauthorized access to, use or disclosure of any personal information, including, but not limited to, personal health related information. Suracell will ensure that any subcontractor or agent with any access to such personal information agrees in writing to the same conditions, restrictions and safeguards that apply to Suracell employees. For example, these policies and procedures are also binding on the testing laboratories and their employees. Suracell will continue to take such action as is necessary to amend corporate policy from time to time as is necessary to fully comply with all current and future requirements of HIPAA, the HIPAA privacy regulations, GLB and other federal and state privacy and consumer rights, laws and regulations. 
Summary of Privacy and Security Policies

Suracell will pursue a corporate strategy of maintaining the highest level of privacy and security supported by the latest and most effective technology, as well as ensure full compliance with federal and state laws and regulations governing the privacy of individual information. Suracell's corporate philosophy on security issues is defined by some of the following corporate policies:
General Network Security

Suracell network security is maintained behind a firewall configured to the highest industry standard encryption and protection (firewalls configured to the 128-bit 3DES standard, with an associated Intrusion Detection System). Identifiable attempts to breach Suracell's network security are reported to local, state and federal enforcement authorities.

Authentication (Identifying Authorized Communication with Suracell Network)

The identity of each individual or process accessing Suracell's internal information resources (all non-consumer access) will be adequately verified for the purpose of making access decisions and providing individual accountability for any and all actions. After identifying themselves to the system (e.g. by entering a user ID), internal corporate system users will be authenticated using "password authentication". Entry of passwords will be visually suppressed and protected from refresh / replay capability. Upon successful authentication, the system will display the date and time of the last successful entry to the system. Suracell's internal systems will protect authentication data (via encrypted password files) to prevent modification or use by any unauthorized user.

Authenticated Access

External internet access to Suracell business and consumer systems will require authentication via Secure Socket Layer (SSL / HTTPS) protocol for the following functions:

Consumers can sign on to the Suracell web-site at any time for the purpose of amending or removing any or all of their stored personal or health related information. The methods of amending or removing personal and health related information are readily available and accessible on the Suracell website. Consumers who have difficulty changing inaccurate information should contact Suracell at: contact@suracell.com or call us at (973) 932-1200. All customer data recorded by Suracell will be encrypted within a master database.
All non-consumer database access functions (corporate or partner access) will require the use of digital certificates. Digital certificate authentication standards require that the private key associated with a digital certificate is verified prior to assumption of trust through use of online certificate status checking using OCSP (Online Certificate Status Protocol). Procedures for issuing digital certificates to internal users will ensure that certificates are issued only to the person named or pointed to by the certificate's distinguished name. Consumer access to individual profiles will be via dual authentication, using Signon / Password and a key information identifier. Suracell uses private security certificates issued by Verisign Inc.

TRUSTe Privacy Program

Suracell is a licensee of the TRUSTe Privacy Program and eHealth Program. TRUSTe is an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices. This privacy statement covers the site www.suracell.com. Because this web site wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.

If you have questions or concerns regarding this statement, you should first contact Suracell's Security Officer via telephone at (973) 932-1200 or via email at contact@suracell.com, or in writing to our mailing address at: Suracell Inc., 184 S. Livingston Avenue #113, Livingston, NJ 07039-3011. If you do not receive acknowledgment of your inquiry, or if your inquiry is not satisfactorily addressed, you should then contact TRUSTe through the TRUSTe Dispute Resolution Process at http://www.truste.org/consumers/watchdog_complaint.php. TRUSTe will serve as a liaison with the Web site to resolve your concerns.
Accountability

Suracell has a Security Officer who is accountable to senior management reporting to Suracell's Board of Directors. The Security Officer is responsible for enforcing corporate data security policies and practices, including privacy protection practices, and all security policies outlined in this document. Any failure by any Suracell employee in maintaining Suracell's strict confidentiality and security policies will result in disciplinary action, including possible termination or, if warranted, criminal prosecution. Any failure by any third party doing business with Suracell (such as a testing laboratory) in maintaining the terms of Suracell's strict confidentiality and security policies will result in a discontinuation of business with that partner, and, if warranted, criminal prosecution.

All system Ids will have a designated owner. System Ids will be reviewed every 6 months to verify appropriateness of access, based on a report of users and their authorization levels. This report will be reviewed by Suracell's Security Officer. The system or network will appear to perform the entire user authentication procedure even if the user ID entered is invalid and will not indicate the exact reason for rejecting a logon. A user account will be disabled after 3 consecutive unsuccessful logon or authentication attempts and any associated Remote Access connection will immediately be terminated (this policy excludes "outside" accounts, such as registered customer login accounts). A reset function will require Security Administrator intervention. Maximum authentication time will be limited to 30 minutes, with session termination when exceeded. An explicit "logoff" method will be provided within all online consumer and corporate functions. Disabled accounts will be marked for deletion if remaining disabled for more than 60 days. Password files will be internally encrypted. Password rules will force a new password to be entered for each system user every 30 days.
Passwords will be 6 - 8 characters long, and require a combination of letters and numbers (this policy excludes "outside" registered customer login accounts). Password provisioning and granting / denial of access will be via a central provisioning system (Single Sign On access). Access to the SSO system will be limited by policy to a "security officer" authorized by Suracell's CEO or COO. A change of job function (including termination) affecting any Suracell employee or contractor with system access will require an immediate reclassification within the provisioning (SSO) system.

Authenticated Access to Other Secure System Functions

External internet access to Suracell business and consumer systems will require authentication via Secure Socket Layer (SSL / HTTPS) protocol for the following functions:
Database Access And Security

Suracell's corporate and customer data will be "mirrored" to an active online database, as well as backed-up at regular intervals to a secured off-site facility (such as Iron Mountain). When such data records are not accessed for a period of 12 months, they will be archived to an offline database which will be securely stored for a minimum of 7 years.

Audit Trail and Function Recording

All online functions providing access to corporate and customer data will generate a functional audit trail, accessible to Suracell's Security Officer. Audit trails will record User Id., type, functional activity, data records accessed. Audit trail files will be archived at 6 month intervals and maintained in archive format for a minimum of 7 years.

Changes to our Privacy Policy

We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by email, or by means of a notice on our home page.

Business Transitions

In the event Suracell goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal information will likely be among the assets transferred. You will be notified via email and/or prominent notice on our Web site for 30 days of any such change in ownership or control of your personal information.