Night Shift Privacy Notice

PRIVACY INFORMATION

Advanced Brain Monitoring, Inc. (ABM) is a neuro-diagnostics device company internationally recognized for its innovative technologies. Our products are used by individuals, clinicians, researchers, and in clinical trials to interpret brain and physiological function as they relate to chronic diseases and early stage neurodegeneration, as well as to improve sleep quality and enhance performance. ABM is an ISO 13485 and FDA device manufacturer. We have a global distribution network established in the EU, Asia, and Australia. ABM is based in Carlsbad, CA with a European office in Belgrade, Serbia.

PRIVACY COMMITMENT STATEMENT

ABM is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. Consistent with this commitment, ABM maintains compliance with several regulatory programs. We are dedicated to ensuring compliance with all of our products and services, as well as the underlying processing of personal data on behalf of our customers.

• Health Insurance Portability and Availability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
• The European Union (EU) General Data Protection Regulation (GDPR)
• EU-US and Swiss-US Privacy Shield Frameworks (Privacy Shield)

ABM is HIPAA compliant. HIPAA establishes standards for the security of electronic protected health information. We perform periodic technical and non-technical evaluations that establish the extent to which our security policies and procedures meet the HIPAA security requirements. The U.S. Department of Health and Human Services (HSS) does not currently offer HIPAA certification. Please visit the HHS website to learn more about HIPAA.

ABM is HITECH compliant. HITECH promotes the adoption and meaningful use of health information technology, as well as privacy and security concerns associated with the electronic transmission of health information. HHS does not currently offer HITECH certification. Please visit the HSS website to learn more about HITECH.

ABM maintains Privacy Shield certifications for the EU-US and Swiss-US Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU and Switzerland to the U.S., respectively. Please visit the Privacy Shield Framework website to view our certification and learn more about Privacy Shield.

Compliance with GDPR, which is effective as of May 25, 2018, is an active process and will continue up to and after the enforcement date. The GDPR provides a set of standardized data protection laws across all EU member countries, and is applicable to any organization collecting information from an individual residing in the EU regardless of where the organization is located. The European Commission does not currently offer GDPR certification. Please visit the European Commission website to learn more about GDPR.

Individual Rights

Individuals have personal data rights that include the following:

• Be informed if personal data is being used
• Get copies of personal data
• Get personal data corrected
• Get personal data deleted
• Limit how organizations use personal data
• Portability of personal data
• Object to the use of your data
• Decisions being made about an individual without human involvement
• Access information from a public body
• Raise a concern

NIGHT SHIFT PORTAL PRIVACY INFORMATION

The Night Shift website contains several areas where information is obtained. The following provides detailed information regarding what type of data is collected, how we use the information, and with whom we share the information.

1. Night Shift Portal

The Night Shift software, which is accessed by the Night Shift Portal (NS Portal), produces graphical reports of previously recorded physiological signals obtained during sleep with ABM’s proprietary Night Shift medical device. The software is fully compliant with regulatory guidelines (e.g., HIPAA, 21 CFR Part 11, etc.).

Collecting Information

When an individual utilizes the NS Portal, information is shared with ABM. There are two categories of information that ABM collects:

1. Information the user provides to utilize services
2. Information we obtain to perform services

The following provides detailed information regarding what type of data is collected and how it is used.

1. Information the user provides

   1. Device Registration

      Registration of a Night Shift device is not required to use the NS Portal. However, if a user chooses to register a device we will have the ability to notify him/her of important improvements that could benefit the use of a device (e.g., firmware upgrades or NS Portal enhancements).

      In order to register a device on the NS Portal the user must disclose:

      • Device serial number
      • Email address

      Registering a “Customer Name” is optional. To keep health information anonymous to ABM, we recommend that a name is not entered.

      Personal data that an individual chooses to provide ABM when registering a device is only used to provide technical assistance or communicating product improvements.

   2. Report Generation

      The generation of reports is not required to use a device; however, it is the primary purpose for using the NS Portal. No personal data is required to generate a report, but when a report is generated, the Customer Name, if provided, will appear on the report. As an alternative, if no Customer Name is registered but you wish to personalize a report, a “User Name” may be entered at the time the report is generated and the User Name will appear on the report.

      The report, which may include personal data should it have been provided, is saved to the NS Portal database as an unreadable byte array field. The NS Portal database is used to provide technical assistance should any problems with a device or generating a report be encountered.

2. Information we obtain

   When our services are utilized via the NS Portal, we obtain raw data from an ABM proprietary device via an “.acq” file. The information obtained is used for the sole purpose of generating a report for personal use. The information obtained is identified by the device serial number, which can only be linked to personal data if a device was registered.

   The information ABM gathers from a device includes:

   1. Usage information

      The Night Shift device has been designed to obtain and store various categories of information. The following types of information is obtained by the device:

      • Use (e.g., how many nights the device was used)
      • Sleep (e.g., how many hours a user was asleep)
      • Awake (e.g., how many hours a user was awake)
      • Position (e.g., how much time a user slept on his/her back and how quickly he/she responded to the position avoidance feedback)
      • Snoring (e.g., did the user snore, and if so, how loudly)

      Some of the information recorded on a device is in very small increments (e.g., milliseconds and seconds). The NS Portal simply converts the data obtained by a device into usable increments and presents the information in graphic format as a report.

      The information that resides on a device is stored in an .acq file. Each time ABM’s NS Portal services are used, we save a copy of the .acq file to the NS Portal database as an unreadable byte array field. The NS Portal database is used to provide technical assistance should any problems with a device or generation of a report be encountered.

   2. Connection information

      ABM may automatically collect certain information and store it in log files when our services are utilized, including internet protocol (IP) addresses, referring/exit pages, operating system, browser type, date/time stamp, and clickstream data. We use non-personal information to administer services and analyze trends for service enhancements. We use personal information to provide technical assistance should any problems with a device or generating a report be encountered, and to help protect ourselves from abusive users of our services.

Using Information

We use the information that users provide and we obtain to ensure that the NS Portal is providing value to our customers. Here are some of the ways that we do that:

• Provide technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered
• Validate warranty coverage
• Communicate with customers, via email, regarding important improvements and enhancements to our devices and services
• Monitor types and trends of issues that are experienced when using the NS Portal for use in developing product and service enhancements
• Analyze usage and trends to publish de-identified findings for product marketing purposes and scientific journals
• Verify your identity and prevent fraud or other unauthorized or illegal activity.

Sharing Information

We do not sell, distribute, or lease personal information to third parties, ever. However, we may transfer a report or raw data via .acq file to a third party for the following reason(s):

1. Healthcare provider

   With your permission, we may share your .acq file or report with a healthcare provider in order to qualify your device for insurance reimbursement, or so that your health care provider can monitor therapy compliance.

2. Distributor

   When devices are sold through a distributor, we may share an .acq file with the distributor in order to provide technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered.

2. Electronic Prescription (eRx)

Night Shift devices are only available by prescription in the U.S. For the convenience of our U.S. customers, health care providers may register a provider account in order to generate an eRx, which allows patients to purchase a Night Shift device directly via the ABM web store. To generate an eRX, Providers are required to enter into a Business Associate Agreement (BAA) in recognition of obligations required under HIPAA and HITECH. All information obtained from the provider, including patient prescription information, is stored in ABM’s secure database. We use the information to verify that a customer has a prescription for purchasing a device and refer to prescriptions should a customer desire to purchase an additional device in the future. The eRx services, which are compliant with U.S. rules and regulations, is only available to U.S. customers.

3. Web store

For the convenience of our customers, ABM utilizes a third-party payment gateway via Authorize.Net to facilitate the secure transfer of transactions on out web store. If you use our web store, we do not receive or store any credit card information; however, we store all other data on our secure database. We use the information to verify warranty information and track prescriptions that are uploaded by the customer at the time of the purchase (when an eRx is not used) should the customer desire to purchase an additional device in the future. ABM encourages you to visit Authorize.Net’s website to learn more about its privacy policy so that you can understand how Authorize.Net uses and shares your information. Web store services, which are compliant with U.S. rules and regulations, are only available to U.S. customers.

4. Contact Page

A user may submit personal information via one of three contact pages:

1. Sales/product inquiries
2. Technical support
3. Privacy request

Collecting Information

To submit a request, the user is required to provide the following information:

• Type of request (technical support and privacy request only)
• Name
• Email address
• Country (technical support only)
• Message (sales/product inquiries only)

Using Information

We use the information that a user provides to respond to a request for assistance.

1. Sales/product request

All information included on a sales/product inquiry request is maintained by Zoho, AMB’s third party customer relationship management (CRM) provider. Zoho initiates an email to ABM’s business development group, who reaches out to the individual requesting information. Once patient requests have been satisfied, personal data is deleted from Zoho. Business contacts are saved in Zoho for further business development.

2. Technical support

All information included in a technical support inquiry request is forwarded via nightshift@advanced-sleep.com to ABM’s Night Shift’s customer support group, who reaches out to the individual requesting assistance. The information is logged in a technical call spreadsheet to assist with customer follow-up and providing technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered.

3. Privacy request

All information included on a privacy contact request is forwarded via privacy-group@b-alert.com to ABM’s IT privacy team, who reaches out to the individual requesting assistance. The information is logged in a privacy request spreadsheet.

Sharing Information

We do not sell, distribute, or lease personal information to third parties, ever.

5. Access logs

ABM may automatically collect certain information and store it in log files when our services are utilized, including internet protocol (IP) addresses and a date/time stamp. This information is recorded in the database to administer services, analyze trends for service enhancements, and help protect ourselves from abusive users of our services.

COOKIES

ABM’s website uses cookies. Cookies are small text files that can be used by websites to personalize a user’s online experience and make the experience more efficient. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you. Cookies cannot be used to run programs or deliver viruses to your computer.

GDPR regulations state that we can store cookies on a user’s device if they are strictly necessary for the operation of our site. However, for all other types of cookies we need your permission. ABM employs Cookiebot service to help facilitate obtaining consent for the use of cookies. Cookiebot itself automatically sets up cookies in the user’s web browser when the user visits our website: The first-party cookie, “CookieConsent” which stores the user’s consent, expire automatically for renewal after 12 months from the date of the user’s consent. A user may withdraw a consent at any time by deleting the “CookieConsent” cookie. A user consent is logged and documented by registration of the user’s anonymized IP number, browser user agent, website URL, date and time of consent and a unique, encrypted key that is stored in a data center with Cybot’s cloud vendor, Microsoft Ireland Operations Ltd in Dublin, Ireland.

THIRD PARTY LINKS AND FEATURES

The ABM website may contain links to third-party websites (such as social media sites) and may contain third-party plug-ins (such as the YouTube videos) and functionalities. If you choose to use these sites or features, you may disclose your information not just to those third parties, but also to their users and the public more generally depending on how their services function. ABM is not responsible for the content or practices of those websites or services. The collection, use, and disclosure of your information will be subject to the privacy policies of the third party websites or services, and not ABM’s privacy policy. We urge you to read the privacy and security policies of these third parties.

SECURITY

ABM is committed to ensuring that personal information is secure. We have physical, electronic, and procedural safeguards that comply with regulations to protect personal information. ABM uses industry-standard encryption technology to protect privacy. We limit access of personal information to employees who we believe reasonably need to come into contact with such information to provide products or services in order to do their jobs.

For site security purposes and to ensure that this service remains available to all users, we use software programs to monitor traffic to identify unauthorized attempts to upload or change information or otherwise cause damage. In the event of law enforcement investigations and as part of any required legal process, information from these sources may be used to help identify an individual.

DISCLOSURE

ABM does not sell, distribute, or lease personal information to third parties, ever.

ABM will disclose your personal information, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on ABM or the site; (b) protect and define the rights or property of ABM; and (c) act under exigent circumstances to protect the personal safety of ABM website users, or the public.

RETENTION AND STORAGE

ABM retains personal information for no longer than necessary for the purpose for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it.

All information is stored on secured servers owned and operated by ABM. We use third party vendors to support our services, which includes an IT Security Consultant. We store backups off site with third party storage provider to ensure data security in case of an emergency or catastrophe. All IT services are governed by a written contract.

ASSIGNMENT

If ABM is acquired by or merges with another entity, our assets, including all proprietary intellectual property and information embedded in our services and any personal information stored in our databases, will likely be transferred to the new entity. By utilizing our services you acknowledge and agree that ABM may assign assets and any information stored therein in the event of such a transaction.

CONTACT US

In addition to understanding what information we collect, how we use it, with whom we share it, and how long we retain it, as detailed above, individuals have other rights as identified in the “Individual Rights” section. Should you desire to exercise one of these rights, or have any questions regarding our privacy policy, please use the Privacy Contact page to submit a request.

Please note: ABM does not have the right to copy, correct, delete, limit, or transmit any personal data without first obtaining identity verification. Should you submit a data request via the Privacy Contact page, an ABM representative will contact you to begin the process of identity verification before any action can be taken.