CCPA Policy

California Privacy Notice

 

Effective Date: January 22, 2020

This notice reflects our good faith understanding of the law and our data practices as of the date posted (set forth above), but the CCPA’s implementing regulations recently became final and there remain differing interpretations of the law.  Accordingly, we may from time-to-time update information in this and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

 

This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (“CCPA”) as a supplement to BodyMed and its affiliates (“Company“us” “we” “our”) other privacy policies or notices.  In the event of a conflict between any other Company policy, statement or notice and this Notice, this Notice will prevail as to California Consumers and their rights under the CCPA.  Please see also any general privacy policy or notice posted or referenced on our websites, apps, products, or services including, without limitation, our Privacy Policy here.

This Notice covers our collection, use, disclosure, and sale of California Consumers’ “Personal Information” (“PI”) as defined by the CCPA, except to the extent such PI is exempt from the notice obligations of the CCPA for the twelve months preceding the Effective Date.  For more information on our practices governed by privacy laws regulating protected health information, see here. This Notice also covers rights California Consumers have under the CCPA, as well other notices to Californians required by other laws.  

Consistent with the CCPA, job applicants, current and former employees and independent contractors (“Personnel”), and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered “Consumers” for purposes of this California Privacy Notice or the rights described herein. However, our Personnel may obtain a separate privacy notice that is applicable to them by contacting Data-Prviacy@bodymedproducts.com . Publicly available information is also not treated as PI under the CCPA, so this notice is not intended to apply to that data and your Consumer privacy rights do not apply to that data.

 

To aid in readability, in some places we have abbreviated or summarized CCPA terms or language, but a full copy of the CCPA is available for your review, and in some places in this Notice we may cite and/or link to specific CCPA sections for your reference.  Terms defined in the CCPA that are used in this Notice shall have the same meaning as in the CCPA. 

 

You can click on the following blue links to navigate to the different sections in this Notice.

 

Table of Contents

 

  1. PI We Collect

 (A) Sources of PI

 (B) Use of PI

  1. Sharing of PI

 (A) Disclosures>

 (B) Sales

  1. California Privacy Rights

 (A) The Right to Know

   i. Information Rights

   ii. Obtaining Copies of PI

 (B)Do Not Sell

 (C)Delete

 (D)Non-Discrimination and Financial Incentive Programs

 (E) Authorized Agents

 (F) Limitation of Rights

  1. Additional California Notices

 (A) Third Party Marketing and Your California Privacy Rights

 (B) Online Privacy Practices

   i. Tracking and Targeting

   ii. California Minors

(C) eCommerce

  1. Contact Us


1. PI WE COLLECT

 


A. Sources of PI

Based on our current data practices, we give you notice that we collect the following types of PI about California Consumers.

Category of PI

Examples of PI

Do we Collect?

1.     Identifiers

(as defined in CCPA §1798.140(o)(1)(A))

This may include but is not limited to: a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

Yes

2.     Personal Records

(as defined in CCPA §1798.140(o)(1)(B))

 

This may include information such as: physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy number, bank account number, credit card number, debit card number, or any other financial information medical information, or health insurance information.

Yes

3.     Personal Characteristics or Traits (as defined in CCPA §1798.140(o)(1)(C))

This may include, but is not limited to: sex, marital status, religion, veteran status, familial status, race, disability, gender identity, and creed.

No

4.     Customer Account Details / Commercial Information

(as defined in CCPA §1798.140(o)(1)(D))

 

This may include, but is not limited to: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Yes

5.     Biometric Information

(as defined in CCPA §1798.140(o)(1)(E))

This may include but is not limited to: genetic, physiological, behavioral, and biological characteristics, that can be used to establish individual identity, including but not limited to fingerprints, voiceprints, retina scans from which an identifier template can be extracted, and other physical patterns, and sleep, health, or exercise data, that contain identifying info.

No

6.     Internet Usage Information

(as defined in CCPA §1798.140(o)(1)(F))

This may include, but is not limited to: browsing history, search history, and information regarding your interaction with an Internet Web site, application, or advertisement.

Yes

7.     Geolocation Data

(as defined in CCPA §1798.140(o)(1)(G))

This may include, but is not limited to: precise physical location or movements and travel patterns.

No

8.     Sensory Data

(as defined in CCPA §1798.140(o)(1)(H))

This may include, but is not limited to: audio recordings of customer care calls, electronic, visual, thermal, olfactory, or similar information.

No

9.     Professional or Employment Information

(as defined in CCPA §1798.140(o)(1)(I))

This may include, but is not limited to: professional, educational, or employment-related information.

No

10.  Non-public Education Records

(as defined in CCPA §1798.140(o)(1)(J))

This may include but is not limited to: education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

No

11.  Inferences from PI Collected

(as defined in CCPA §1798.140(o)(1)(K))

 

 

This may include, but is not limited to: creating a profile about a Consumer reflecting the Consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

No

 

The chart above reflects that catagories of personal information required by the CCPA.  There may be additional information that we collect that meets the CCPA’s definition of personal information but is not reflected by a category, in which case we will treat it as personal information as required by the CCPA, but will not include it when we are required to describe our practices by category of personal information.

As permitted by applicable law, we do not, deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information, and may elect not to treat publicly available information as PI.  We have no obligation to re-identify information or keep it longer than we need it to respond to your requests.

Return to Navigation

 


B. Use of PI

Generally, we collect, retain, use and share your PI to provide you services and as otherwise related to the operation of our business.  For more specific detail on our collection of PI, see the chart above at PI We Collect. For more detail on our disclosures of PI, see the next section Sharing of PI.

As more fully detailed in the chart above, we may collect, use and share the PI we collect for one or more of the following business purposes:

  • Processing Interactions and Transactions (1798.140(d)(4));
  • Managing Interactions and Transactions (§1798.140(d)(1));
  • Performing Services (§1798.140(d)(5));
  • Research and Development (§1798.140(d)(6));
  • Quality Assurance (§1798.140(d)(7));
  • Security (§1798.140(d)(2));
  • and Debugging (§1798.140(d)(3)).

We may collect, use and share your PI for commercial purposes  such as for interest based advertising. In addition, we may collect, use and share your PI as required or permitted by applicable law.

For more specifics tied to each category of PI, see the chart above.

Return to Navigation


2. SHARING OF PI


A. Disclosures

We may share PI with our service providers, other qualified vendors, including those that facilitate interest-based and other advertising and marketing vendors, including without limitation as follows:

 

Category of PI

Examples of PI

Categories of Recipients of Business Purpose Disclosure, if Applicable

1.     Identifiers

(as defined in CCPA §1798.140(o)(1)(A))

 

This may include but is not limited to: a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers

Not Applicable

2.     Personal Records

(as defined in CCPA §1798.140(o)(1)(B))

 

This may include information such as: physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy number, bank account number, credit card number, debit card number, or any other financial information medical information, or health insurance information.

Not Applicable

3.     Personal  Characteristics or Traits

(as defined in CCPA §1798.140(o)(1)(C))

This may include, but is not limited to: sex, marital status, religion, veteran status, familial status, race, disability, gender identity, and creed.

Not Applicable

4.     Customer Account Details / Commercial Information

(as defined in CCPA §1798.140(o)(1)(D))

 

This may include, but is not limited to: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

           Service Providers

 

5.     Biometric Information

(as defined in CCPA §1798.140(o)(1)(E))

This may include but is not limited to: genetic, physiological, behavioral, and biological characteristics, that can be used to establish individual identity, including but not limited to fingerprints, voiceprints, retina

Not Applicable

6.     Internet Usage Information

(as defined in CCPA §1798.140(o)(1)(F))

This may include, but is not limited to: browsing history, search history, and information regarding your interaction with an Internet Web site, application, or advertisement

Not Applicable

7.     Geolocation Data

(as defined in CCPA §1798.140(o)(1)(G))

This may include, but is not limited to: precise physical location or movements and travel patterns.

Service Providers

Qualified Marketing Vendors

8.     Sensory Data

(as defined in CCPA §1798.140(o)(1)(H))

This may include, but is not limited to: audio recordings of customer care calls, electronic, visual, thermal, olfactory, or similar information

Not Applicable

9.     Professional or Employment Information

(as defined in CCPA §1798.140(o)(1)(I))

This may include, but is not limited to: professional, educational, or employment-related information.

Not Applicable

10.  Non-public Education Records

(as defined in CCPA §1798.140(o)(1)(J))

This may include but is not limited to: education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

Service Providers

Qualified Marketing Vendors

11.  Inferences from PI Collected

(as defined in CCPA §1798.140(o)(1)(K))

 

 

This may include, but is not limited to: creating a profile about a Consumer reflecting the Consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

           Service Providers

 Qualified Marketing Vendors

 

Notwithstanding anything to the contrary in our other privacy notices, we restrict use of your PI that is shared with our vendors to business purposes, unless otherwise permitted by the CCPA.

 


B. Sale:

We do not believe that in 2019 we “sold” PI.  For more information on your do not sell rights, see the Do Not Sell subsection of the California Privacy Rights section of this Privacy Notice at Section 3.B

Return to Navigation


3. CALIFORNIA PRIVACY RIGHTS

The CCPA is a new law and there remain differing interpretations of it and the regulations that implement it.  Accordingly, we may from time-to-time update information in our notices regarding our data practices and your rights, modify our methods for you to make and for us to respond to your requests, and/or supplement our response(s) to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

We provide California Consumers the privacy rights described in this section.  You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations.  As permitted by the CCPA, any request you submit to us is subject to an identification and residency verification process (“Verifiable Consumer Request”).  We will not fulfill your CCPA request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. 

Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID).  As required by the CCPA we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response.  You are not required to create an account with us to make a Verifiable Consumer Request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your California Consumer privacy rights requests.  In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not.  We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome.  If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision.  You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your financial account number, any health or medical identification number, an account password, or security questions or answers in response to a CCPA request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

Your California Consumer privacy rights are as follows:


A. The Right to Know:


i. Information Rights:

You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:

  • The categories of PI we have collected about you.
  • The categories of sources from which we collected your PI.
  • The business or commercial purposes for our collecting or selling your PI.
  • The categories of third parties to whom we have shared your PI.
  • The specific pieces of PI we have collected about you.
  • A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
  • A list of the categories of PI sold about you in the prior 12 months, or that no sale occurred. If we sold your PI, we will explain:
    • The categories of your PI we have sold.
    • The categories of third parties to which we sold PI, by categories of PI sold for each third party.

To make a request, email us at Data-Privacy@bodymedproducts.com  or call us at 1-800-532-1356. In your request, please include your full name, account number, your street address, city, state, ZIP code, and photo identification with CA address (i.e., CA Driver’s License), and information requested.  For your specific pieces of information, as required by the CCPA, we will apply the heightened verification standards set forth in subsection (ii) below.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.


ii. Obtaining Copies of PI:

You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.  To make a request, please email us at Data-Privacy@bodymedproducts.com or call us at  1-800-532-1356.  In your request, please include your full name, account number, street address, city, state, ZIP code, and photo identification with CA address (i.e., CA Driver’s License), and information requested. 

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.


B. Do Not Sell:

We do not sell your PI as such is defined under the CCPA, and until such time as we change this policy by updating this Privacy Notice, will treat PI collected under that policy as subject to a do not sell request.

We may disclose your PI for the following purposes, which are not a sale:  (i) if you direct us to share PI; (ii) to comply with your requests under the CCPA; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.


C. Delete:

Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining.  Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement.  Note also that we are not required to delete your PI that we did not collect directly from you.  To make a request, To make a request, please email us at Data-Privacy@bodymedproducts.com  or call us at  1-800-532-1356.  In your request, please include your full name, account number, street address, city, state, ZIP code, and photo identification with your address (i.e., CA Driver’s License), and information requested. 


D. Non-Discrimination and Financial Incentive Programs:

We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.


E. Authorized Agents:

If a Consumer chooses to submit a request through an authorized agent, Company requires the Consumer to:

  • Provide the authorized agent written permission to submit a request, a copy of which must be provided to us;
  • Verify that instruction and their own identity directly with us.

If the authorized agent has a power of attorney issued under California Probate Code sections 4000 to 4465, then the written agreement is not necessary. In the absence of any of the two general conditions detailed above, we will reject any request submitted through an agent. In addition, the agent is subject to the verification standards applicable to the type of request(s) made.


F. Limitation of Rights:

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights.  In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

Return to Navigation


4. ADDITIONAL CALIFORNIA NOTICES

In addition to CCPA rights, certain Californians are entitled to certain other notices, including:


A. Third Party Marketing and Your California Privacy Rights:

Separate from your CCPA “Do Not Sell” rights you have the following additional rights regarding disclosure of your information to third parties for their own direct marketing purposes:

We may from time to time elect to share certain “personal information” (as defined by California’s “Shine the Light” law) about you with third parties for those third parties’ direct marketing purposes.  California Civil Code § 1798.83 permits California residents who have supplied personal information, as defined in the statute, to us to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of personal information to third parties for their direct marketing purposes.  If this applies, you may obtain the categories of personal information shared and the names and addresses of all third parties that received personal information for their direct marketing purposes during the immediately prior calendar year (e.g. requests made in 2020 will receive information about 2019 sharing activities).  To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident and provide a current California address for our response.  You may make this request by contacting us at Data-Privacy@bodymedproducts.com or in writing at: 6333 Hudson Crossing Parkway, Hudson, Ohio 44236, (Attention: Privacy Officer). Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code, and photo identification with CA address (i.e., CA Driver’s License).  Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this e-mail address or mail address.

As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.


B. Online Privacy Practices:

For more information on our online practices and your California rights specific to our online services see our online Privacy Policy. Without limitation, Californians that visit our online services and seek or acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:


i. Tracking and Targeting:

When you visit our online services, we and third parties may use tracking technologies to collect usage information based on your device for a variety of purposes, including serving you advertising, based on your having visited our services or your activities across time and third-party locations.  Some browsers may enable you to turn on or off a so-called “Do Not Track” signal.  Because there is no industry consensus on what these signals should mean and how they should operate, we do not look for or respond to “Do Not Track” signals.  For more information on tracking and targeting and your choices regarding these practices, see our online Privacy Policy.


ii. California Minors:

Although our online service(s) are intended for an audience over the age of 18, any California residents under the age of eighteen (18) who have registered to use our online services, and who posted content or information on the service, can request removal by contacting us Data-Privacy@bodymedproducts.com or in writing at: 6333 Hudson Crossing Parkway, Hudson, Ohio 44236, (Attention: Privacy Officer), detailing where the content or information is posted and attesting that you posted it.  We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law.  This removal process cannot ensure complete or comprehensive removal.  For instance, third parties may have republished or archived content by search engines and others that we do not control.


C. eCommerce:

In accordance with California Business and Professions Code § 17538 et al., our online return and refund policy is available here, the legal name under which we conduct business online is BodyMed, and our business address is 6333 Hudson Crossing Parkway, Hudson, Ohio 44236.  Within five (5) days of our receipt of your request, California residents may receive verification of this information by contacting us Data-Privacy@bodymedproducts.com or in writing at: 6333 Hudson Crossing Parkway, Hudson, Ohio 44236, (Attention: Privacy Officer).

Residents of California are also entitled to the following specific Consumer rights information: you may contact the Complaint Assistance Unit of the Division of Consumer Services of the Department of Consumer Affairs by mail at: 1625 North Market Blvd., Suite N 112, Sacramento, California, 95834, or by telephone at (916) 445-1254.  Hearing-impaired users can reach the Complaint Assistance Unit at TDD (800) 326-2297 or TDD (916) 322-1700.  Their website is located at: http://www.dca.ca.gov.

Return to Navigation


5. CONTACT US

For more information on your California privacy rights contact us at 1-833-462-7746, by email at Data-Privacy@bodymedproducts.com, or in writing at: 6333 Hudson Crossing Parkway, Hudson, Ohio 44236, (Attention: Privacy Officer).

Return to Navigation