Privacy Policy
Last Modified: March 16, 2021
ECI, which includes Eze Castle Integration, Inc., Eze Castle Integration (Hong Kong) Limited, Eze Castle Integration – Singapore, Pte. Ltd., and Eze Castle Integration – United Kingdom, Ltd. (“ECI”, “we”, “our”, “us”) takes privacy very seriously. The following is our General Privacy Policy (“Privacy Policy”), which explains how we collect, use, process, maintain, and share Personal Information, as well as your choices regarding the use, access, and correction of your Personal Information. “Personal Information” is information that identifies an individual or relates to an identifiable individual. It does not include data where the identity has been removed (anonymous data). Personal Information may include, but is not limited to, your name, physical addresses, telephone numbers, e-mail addresses, company affiliations and associated interests. It may also include your history of transactional activities that you had on ECI websites. The Personal Information that we collect may vary based on your interaction with our website and requests for our services.
This Privacy Policy is provided in a layered format so you can click through to the specific areas below. Please also use the Definitions to understand the meaning of some of the terms in this Privacy Policy.
- Section I: Important Information and Who We Are
- Section II: Categories of Personal Information We Collect
- Section III: How We Collect Your Personal Information
- Section IV: Legal Basis for Processing (EU/EEA, UK, and Other Applicable Jurisdictions)
- Section V: How ECI Uses and Shares the Information Collected
- Section VI: Cross-Border Transfers (EU/EEA; UK; Other Applicable Jurisdictions Only)
- Section VII: Dispute Resolution
- Section VIII: Data Integrity and Security
- Section IX: Minimization, Retention, and Deletion of Personal Information
- Section X: Your Rights (EU/EEA, UK, and Other Applicable Jurisdictions)
- Section XI: Health Insurance Portability and Accountability Act (HIPAA)
- Section XII: Changes to this Policy
- Section XIII: Questions or Complaints
- Section XIV: Definitions
I. IMPORTANT INFORMATION AND WHO WE ARE
This Privacy Policy is issued on behalf of ECI, Eze Castle Integration (Hong Kong) Limited, Eze Castle Integration – Singapore, Pte. Ltd., and Eze Castle Integration – United Kingdom, Ltd., so when we mention “ECI”, “us”, or “our” in this Privacy Policy, we are referring to the relevant company in ECI responsible for processing information. Eze Castle Integration, Inc. is the controller responsible for this Web site. This Privacy Policy applies to the use of ECI’s Web sites, digital properties, products, and services, or when you attend an ECI event, or otherwise interact with us (ECI Services). The ECI Websites, webpages, and the ECI Web Portal (collectively, the “ECI Website(s)” or “Website(s)”) is/are primarily directed to our Customers and prospective Customers in a Business to Business, or B2B, context. Our Customers are rarely, if ever, individual consumers. We also will process our Customer Data (defined below) in accordance with our Customer agreements with each Customer. That Customer Data may contain personal information. Additional information on our Personal Information practices may be provided in supplemental privacy notices or notices provided prior to or at the time of collection. Certain ECI websites, such as the Customer Portal, may have their own privacy notice that describes how we handle Personal Information for those websites specifically. To the extent a notice provided at the time of collection or a website specific privacy notice conflicts with this Privacy Policy, such specific notice will control. With the exception of Customer Information (as defined below), this Privacy Policy does not apply to our security and privacy practices in connection with your access to and use of the ECI Services. Those security and privacy practices, including how we collect, use, and protect Customer Data (defined below), are outlined in the applicable agreement between the Customer and ECI.
ECI Websites, products, and services are not intended for children. ECI does not permit children to register as Customers on its Websites. Upon being made aware of any collection or receipt of Personal Information pertaining to a child under the legal age of consent in the country where the child is located, that was received without valid consent, ECI will delete it from its records.
Additionally, ECI is committed to upholding the US-EU Privacy Shield Principles for all Personal Information it receives from the European Union (“EU”). ECI is registered with, and self-certifies that it complies with, the US Department of Commerce’s Privacy Shield Program. ECI self-certifies that it adheres to and complies with the Privacy Shield Privacy Principles of Notice, Choice, Onward Transfer Accountability, Security, Data Integrity and Purpose Limitation, Access and Recourse, and Enforcement and Liability (the “Principles”). If there is any conflict between the policies in this Privacy Policy and the Principles, the Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification page, please visit https://www.privacyshield.gov.
We encourage you to read this Privacy Policy together with any other privacy policy or notice we may provide so you are fully aware of how and why we use your personal information. If you have any questions or concerns, please contact us at privacyshield@ECI.com or at this address:
ECI, Inc.
Attn: Data Privacy Manager
55 Church Street, Suite 520
Boston, MA 02108, USA
Should your inquiry or concern remain unresolved, please follow the dispute resolution procedure outlined in Section VII. For EU/EEA residents, including the United Kingdom, you have the right to make a complaint at any time to the Information Commissioner’s Office, the UK Supervisory Authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your Personal Information changes during your relationship with us.
Finally, this website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
II. WHAT CATEGORIES OF PERSONAL INFORMATION WE COLLECT
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data (for example, your first name, maiden name, last name, username or similar identifier, marital status, title).
- Contact Data (for example, your billing address, delivery address, email address and telephone numbers).
- Financial Data (for example your bank account and payment card details).
- Transaction Data (for example, details about payments to and from you and other details of products and services you have purchased from us).
- Technical Data (for example, your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, device type, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website).
- Usage Data (for example, information about how you use our website, products and service).
- Profile Data (for example, your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses).
- Marketing and Communications Data (for example, your preferences in receiving marketing from us and our third parties, if any, and your communication preferences).
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Information so that it can directly or indirectly identify you, we treat the combined data as Personal Information which will be used in accordance with this privacy notice.
Personal Information does not include, and this Privacy Policy does not cover, data from which individual persons cannot be identified, where the identity of an individual has been irretrievably removed, or situations in which personal information is anonymized.
Special Categories of Data
ECI does not collect Special (or “sensitive”) Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric and genetic information, and health or sex life) from its Visitors or Customers, and asks that its Visitors and Customers not provide their Special Data to ECI. To the extent a Customer collects such Special Data and makes it available to ECI as Customer Data, if any, ECI will process such data using appropriate safeguards and restrictions in accordance with the Customer’s Services Agreement.
WHAT CUSTOMER INFORMATION ECI COLLECTS AND PROCESSES
For certain products, ECI serves as a service provider to its Customers. In our capacity as a service provider, we will receive, store, and/or process Customer Data owned and/or controlled by our Customers. Customer Data is distinguishable from Customer Information because Customer Data is data and information that may reside on ECI, Customer or Third-Party servers, desktops, or systems to which ECI is provided access to perform its processing services. Customer Data may include Third-Party Personal Information about a Customer’s employees, clients, customers, partners, agents, suppliers, or other individuals (collectively “Customer’s Parties”). Customer Data may also be accessible to ECI and the associated Customer via the ECI Web Portal. ECI processes Customer Data according to its Services Agreement with Customer and treats Customer Data as confidential in accordance with the terms of the Services Agreement. ECI is provided access to such information under the direction of its Customers, serves solely in the capacity of a data processor, and has no direct relationship with individuals that are Customer’s Parties.
III. HOW WE COLLECT YOUR PERSONAL INFORMATION
Cookies, Click-Throughs, Beacons, and other automated technologies or interaction.
As is common with most websites and applications, when you go on ECI Websites or interact with our digital properties, including by email, ECI may automatically receive and collect, or facilitate the collection of, your Personal Information on your interactions with us and the ECI Websites or emails, and about your equipment. For example, ECI may collect Personal Information by using first and third party cookies, Flash cookies, HTML5 local storage, server logs, web beacons, clear gifs, click-throughs, and other similar technologies. Personal Information that ECI Websites may automatically receive and collect includes, but is not limited to:
- IP address, browser or device type, and network routing information.
- When the webpages were visited, the frequency of visits and the pages visited.
- Website performance data.
- General geo-location data.
Cookies are small files of letters and numbers stored on your browser or device that enable the cookie owner to recognize the device when it visits websites or uses online services. The website you visit may set cookies directly, known as first-party cookies, or may trigger cookies set by other domain names, known as third-party cookies. We may automatically use some cookies that are strictly necessary for the core functionality of the ECI Websites, providing the services you request, enabling communications, and providing a secure digital environment. We request your consent for all of our other cookie uses, which can include:
- ECI Websites may use, or facilitate the use of, other non-essential functionality cookies that enable helpful functions to provide an enjoyable user experience (for example, by recognizing when you return to the ECI Website, enabling us to personalize content for you, remember your preferences, and the like).
- We may also use, or facilitate the use of, analytic or performance cookies, which allow us and our third party service providers to recognize and count the number of Visitors and to see how Visitors move around the ECI Websites when they are using them. This helps us improve how the ECI Websites work by, for example, ensuring that Visitors can easily find what they need on our website. These analytic cookies generally generate aggregate statistics that are not associated with an individualized profile. For example, ECI Websites use Google Analytics to track how often people gain access or visit various pages or features of the ECI Websites. We use this information in the aggregate to understand what pages and features of our ECI Websites Visitors find useful. To better understand Google Analytics, and how you can opt-out of the Google Analytics features, we encourage you to visit the following: https://tools.google.com/dlpage/gaoptout/. We do not control third party service provider websites, platforms and applications collecting your Personal Information in this regard, and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit or application you use when you use or enable these platforms and applications, or leave the ECI Websites.
- Finally (depending on your device or browser settings), we may also use cookies for advertising purposes, which could include helping us collect your Technical, Usage, and Profile Data if you visit other websites employing our cookies, or to allow us to deliver relevant, personalized advertisements and content to you on other third party sites.
ECI may also make use of embedded URLs, pixels, widgets, buttons, web beacons, social media buttons, and tools on the ECI Websites and emails to link to ECI, as well as our service providers’, Marketing Partners’, and other third party websites, services, and platforms. Bear in mind that non-ECI websites and services are outside of ECI’s control. By clicking on the links or tools, you may be allowing a third-party to collect and/or share your Personal Information. When doing so, we may also collect Personal Information that you share with third party sites and platforms depending upon that third party’s privacy practices. We do not control these third party websites, platforms and applications collecting your Personal Information and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit or application you use when you use or enable these platforms and applications, or leave ECI Websites. Your interactions with these features are governed by the privacy notices of the companies that provide them.
Your consent for our collection and use of your Personal Information may be managed in a variety of ways at the operating system level of your device or equipment, through third-party platform extensions, or you can learn how else you can exercise your option not to accept these cookies by clicking here. However, cookies are very important for ECI Websites to properly function and disabling or limiting their use may limit or interfere with Visitors’ experiences or ability to access Website features, functions and customizations.
In compliance with California AB 370, Section 22575, ECI has a responsibility to inform you that ECI Websites do not take any specific automated action in response to browser “Do Not Track” signals or other similar mechanisms (collectively, “DNT Signals”). As specified above, there are certain actions that Visitors can take to restrict or eliminate the use of tracking technologies within the ECI Websites, however no actions are taken automatically in response to DNT Signals.
Some automatically collected information from a Visitor is not personally identifiable, but ECI or its Marketing Partners may aggregate or combine this information with information from other public and authorized non-public sources that, through the combination, could make otherwise anonymous information identifiable as Personal Information, or add to the Personal Information we already have, that we respect and protect.
What you Provide ECI.
ECI collects information a Visitor may make available, provide, and submit to us, if we have a legal reason to collect the information, or because you consented for us to do so for a specific purpose. For example, we may ask for your name, email address, additional contact information, and other Personal Information when you:
- Register to download or receive ECI whitepapers through a web form, e-newsletters, or other publications and/or communications.
- Request support/assistance.
- Sign up for events.
- Apply for a job at ECI.
Keep in mind, before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that information in accordance with this Privacy Policy. If you choose to provide us with that Personal Information, you represent that you have that other person’s permission to do so.
Information provided by Third Party Partners and Public Sources.
We may receive information about you from various third parties and public sources including, for example, business partners, subcontractors in technical, payment, and delivery services, advertising networks, analytics providers, search information providers, and (for example, if you are applying for a job) credit reference agencies and background checking agencies. We may receive information about you from them as part of the services we provide you or for legal reasons.
If You Are an ECI Customer.
In addition to the above, if you are a Customer of ECI, ECI collects “Customer Information”, which is information that we obtain from a Customer’s online and offline interactions with ECI in or related to the Customer’s use of ECI Websites, services and products, including dedicated ECI Web Portal(s) (see ECI Web Portal Terms of Use). Customer Information may include Personal Information such as:
- A Customer’s name, address, billing information, and employee contact information may be provided to ECI by you for Customer account management purposes.
- Visit and access information to ECI Websites, including access and interaction with a dedicated ECI Web Portal, may be collected.
- In responding to service or help requests, ECI may receive Customer Information to facilitate a resolution, and Customer Information relating to the request may be retained in accordance with, and for a period no longer than necessary for, appropriate business needs.
- We may also associate an IP address, cookie, or other personalization mechanism with a specific Customer to help facilitate a smooth experience when you sign up for our services and products, as well as register for and access your Customer account or your dedicated ECI Web Portal, and your return visits.
Customer Information is treated according to the terms of ECI’s Privacy Policy.
IV. LEGAL BASIS FOR PROCESSING (EU/EEA; UK; OTHER APPLICABLE JURISDICTIONS ONLY)
Regardless of your jurisdiction, we will only use your Personal Information when the law allows us to. That said, if you are an individual from the EU/EEA, the United Kingdom, or other applicable jurisdictions, our legal basis for collecting and using the Personal Information will depend on the Personal Information concerned and the specific context in which we collect it. Generally we will not collect or access any Personal Information other than under the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal, regulatory, or self-regulatory obligation.
What we mean by legitimate interests is the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. For example, Personal Information which may be necessary for the daily operation of ECI’s services, handling Customer inquiries, direct marketing of products and services, completing transactions, and making disclosures under the requirements of any applicable law and the provision of ECI’s services and products to its Customers and prospective Customers (and which may be further described in Section V below). Without such information, ECI may be unable to provide its services and products to its Customers. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at privacyshield@ECI.com.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need additional details about the specific legal ground we are relying on to process your personal data.
Where we rely upon your consent to process the Personal Information, you have the right to withdraw or decline your consent at any time. Generally we do not rely on consent as a legal basis for processing your Personal Information other than in relation to sending third party direct marketing communications to you via email. You may withdraw consent to marketing at any time by contacting us at privacyshield@ECI.com or by clicking the unsubscribe link in the marketing email. Please note that this does not affect the lawfulness of the processing based on consent before its withdrawal.
ECI also maintains and processes Customer Data that may contain Third-Party Personal Information (“Customer’s Parties”) submitted by its Customers. ECI does not act as a controller with respect to Customer Data when a Customer transfers it to ECI servers or when Customers provide ECI access to the Customers’ servers, desktops or systems. In these instances ECI is acting under the direction of the Customer and solely as a data processor. ECI has no direct relationship with the data subjects whose personal information may be in the Customer Data.
ECI recognizes and respects that your privacy and Personal Information are important, and that under certain circumstances you can make decisions about the Personal Information collected by ECI. Please keep in mind, though, that if you decide to not provide Data required by ECI in order for us to provide a service or product, your use of the Websites or ECI Services may be limited or impossible to facilitate.
V. HOW ECI USES AND SHARES THE INFORMATION COLLECTED
ECI uses and shares the Personal Information that it collects from its Visitors and Customers, unless otherwise restricted by law, for the following business purposes:
- Provide Services/Products. ECI may use Personal Information to maintain, support, and improve its products and services, deliver and provide the requested products/services, communicate with you about those services (including to request feedback), and comply with and enforce its contractual obligations. This includes, for example, managing transactions, reporting, invoices, renewals, and other operations related to providing services to a Customer. This may also include notifications about product and service changes, updates, fixes, patches, or other similar operational (non-marketing) communications.
- Provide Relevant News and Developments about Similar Products and Services. When you sign up for or inquire about receiving our products and/or services, ECI may use your Personal Information necessary to provide you information about a new or improved similar product or service, major changes to our properties, an upcoming event, or other necessary marketing communications on ECI’s behalf. ECI may share Personal Information with third-party partners to facilitate these communications on our behalf and at our direction.
Opting Out: If you wish to discontinue receiving these marketing messages sent by us or our third party partners acting on our behalf, simply: a) do not select the option initially provided to receive such communications, b) follow the unsubscribe link in the direct marketing email, c) email ECI at eci.marketing@eci.com, or d) manage your settings at the ECI Preference Page here. Please note that, in such cases, it will remain necessary for us to process your Personal Information to the extent it is needed to maintain a suppression list, and we may also be required to disclose your opt-out information to third parties so they can suppress your name from future solicitations. Also, if you are an ECI Customer, you will continue to receive information and communications pertaining to your ECI account and/or ECI Services even where you have opted out of marketing communications.
- To Provide Information about different ECI and Third Party Products and Services. When you sign up to use our products and services (including, for example, newsletters or whitepapers), with your consent, we may collect and use your Personal Information to communicate with you about different products and services that may be of interest to you. These may be about products or services provided by ECI, or by our affiliates, Marketing Partners, service providers, or other third parties. The marketing communications may come from ECI or from the third parties.
Withdrawing Consent: You can manage which communications you would prefer to receive, or elect to not receive these direct marketing communications, or have your Personal Information not shared with third party partners providing the marketing communications, by: a) not initially selecting the options provided to receive such communications, b) using the unsubscribe link in a direct marketing email, c) emailing ECI at eci.marketing@eci.com, or d) managing your settings at the ECI Preference Page here. Please note that, in such cases, it will remain necessary for us to process your Personal Information to the extent it is needed to maintain a suppression list, and we may also be required to disclose your opt-out information to third parties so they can suppress your name from future solicitations. Also, if you are a subscriber to our products or services, you will continue to receive information and communications pertaining to your Boston Globe account and/or Boston Globe services even where you have opted out of marketing communications.
- Inquiry/Request Response. ECI may use Personal Information when a Customer or Visitor contacts ECI for information or support for its Website, Services, Products, or other information.
- Processing of Orders. ECI may use Personal Information when a Customer is submitting an order or other transaction through the Website or by other means, such as over the phone.
- Monitor Website Usage, Trends, Experience. ECI may use Personal Information to improve its Website, services, and products, or customer relationships and experiences. Personal Information may be used to remember information a Visitor entered on the ECI Website, track page views and click-through links, or provide information a Visitor requested on our Website. ECI may also use Personal Information to tailor interactions with its Website when a Visitor is logged in as a Customer, or when a Customer is accessing the ECI Web Portal.
- Customer Testimonials/Reviews/Exemplars. Occasionally a customer testimonial or exemplar will be posted on the ECI Website. While ECI Customers are primarily businesses, a testimonial may contain Personal Information. ECI will obtain the Customer’s explicit consent to post any personal information (such as their name) along with the testimonial/exemplar prior to such posting.
- Vendors, Consultants, and other Service Providers. We may share your information with third party vendors, consultants, and other service providers who are working on our behalf and require necessary access to your information to carry out that work. These service providers are authorized to use your Personal Information only as necessary to provide services to ECI and/or ECI Services.
- Marketing Research/Statistics. ECI may use or share with Marketing Partners, Personal Information necessary to help ECI and its Marketing Partners to develop new products, services, updates, gauge the effectiveness of our communications and marketing campaigns, generate business or the like. These nonaffiliated companies perform services on our behalf and may at our direction help us communicate with Customers.
- Social Media Platforms. Subject to the third-party social media platform’s terms of use and privacy policies, ECI may use your Personal Information when communicating or otherwise interacting with you through those platforms.
- Government Reporting/Audit/Requests Requirements. ECI may use or share Personal Information in order to satisfy governmental reporting, tax, and other requirements (e.g., import/export), as required by law. This may include having to meet U.S. national security or law enforcement, regulatory, or self-regulatory requirements.
- To verify and/or authenticate an identity, access rights, privileges, etc. For example, ECI may use Personal Information to authenticate and permit online access to Customer account information.
- At Your or Customer’s Direction. ECI may use or share Personal Information as requested or directed by you or a Customer with control over the Personal Information. For example, if a business Customer is merging with a Third-Party business and expressly permits the sharing of information, or if a Customer has a Third-Party vendor or agent authorized to access the information.
- In order to protect the security and integrity of ECI systems, facilities, and business operations, Personal Information may be collected by ECI and shared with relevant non-ECI parties. For example, if you visit an ECI location we may be required to share your name and other Personal Information with security at the location or you may appear on CCTV.
- We may share your Personal Information within ECI and any of our global offices, for the purposes of data processing and storage.
- ECI may transfer your Personal Information to a third-party in the event that ECI is undergoing a reorganization, merger, sale, joint venture, or other assignment of all or a part of its business with that third-party.
- For other business-related purposes permitted or required under applicable local law and regulation or to enforce our agreements, policies, and terms of service.
- As otherwise obligated by law. For example, subpoena or similar legal process compliance, if ECI has a good faith belief the disclosure is legally necessary for the protection of rights, safety, or fraud investigations, to protect ECI, you, our Customers, or the public from harm or illegal activities.
- To respond to an emergency which we believe in good faith requires us to assist in preventing the death or serious bodily injury of any person.
- As otherwise needed to fulfill the purposes for which you provided the data or that were described when it was collected.
- If we otherwise notify you and you consent to the sharing.
Except as otherwise provided herein, ECI discloses Personal Information only to Third Parties who reasonably need to know such data in order to provide the agreed services to the Customers, such as cloud hosts, archive centers and wireless telephone providers. Such recipients must agree to abide by confidentiality obligations, respect the security of your Personal Information, and treat it in accordance with the law. When entering into an agreement to provide services to any financial institution we contractually agree that Customers’ Personal Information will not be sold. Nor will we share that information with any other party, including affiliates of ECI, for purposes that are not related to providing services to our institution partners or their customers.
ECI also may disclose Personal Information for other purposes or to other Third Parties when a Data Subject has freely provided specific and informed consent to or requested such disclosure. Although consent to such a disclosure or processing may be revoked by the Data Subject, there may be instances where an additional legal basis permits ECI to continue to process and/or disclose the Personal Information.
ECI may be forced to disclose an individual's Personal Information when lawfully compelled by a request made by a recognized public authority or where required to meet national security and/or law enforcement requirements.
Your California Privacy Rights
The California Consumer Privacy Act of 2018 (CCPA) is in effect as of January 1, 2020. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information:
1. The right to request disclosure of ECI’s data collection and sales practices in connection with the requesting consumer, including the categories of personal information we have collected, the source of the information, the use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;
2. The right to request a copy of the specific personal information collected about you during the 12 months before the request (together with right #1, a “personal information request”);
3. The right to have such information deleted (with exceptions);
4. The right to request that your personal information not be sold to third parties, if applicable [ECI does not sell personal information to third parties]; and
5. The right not to be discriminated against because they exercised any of the new rights.
You may request the information in writing at:
ECI, Inc.
Attn: General Counsel
55 Church Street, Suite 520
Boston, MA 02108, USA
ccpa@eci.com
HOW ECI USES CUSTOMER DATA
ECI also processes Customer Data which may contain Personal Information as agreed upon in the Customer’s contract or otherwise legally obligated under applicable law. ECI processes the Customer Data but will not control its collection or use practices. It is the Customer’s obligation to provide any notice and/or obtain any consents necessary for ECI to access, use, collect, retain, and/or transfer Customer Data, including potential Special Categories or Sensitive Data.
If you are an individual who interacts with a Customer using our services, then you will be directed to contact our Customer for any inquiries or requests regarding your Personal Information. We receive Customer Data under the direction of our Customers, and have no direct relationship with individuals whose Personal Information we process in connection with our Customer’s use of our services.
VI. CROSS BORDER TRANSFERS (EU/EEA; UK; OTHER APPLICABLE JURISDICTIONS ONLY)
ECI is headquartered in the United States but provides a global platform for its business Customers and partners that are located around the world. Thus ECI takes a global approach to its data privacy and security commitments.
For operational and other legitimate interest reasons, we may process, store, and transfer Personal Information, including that which is in Customer Data, in a country which may be outside of your own, such as the United States, the United Kingdom, Singapore, and/or Hong Kong, with different privacy laws that may or may not be as comprehensive as your own. We may also transfer your Personal Information to third parties described in Section V, which may be located in a different country to you. Where we do so, and where we are required to do so under local law, we will rely on and put in place lawful measures and mechanisms to ensure your Personal Information receives an adequate level of protection whenever it is processed, such as the US-EU Privacy Shield Framework or EU Standard Contractual Clauses.
When ECI shares your Personal Data with Third Parties, that Third Party must agree in writing to use such Personal Information only for the purposes for which they have been engaged by ECI and they must either: (1) comply with the EU-US Privacy Shield Principles or another mechanism permitted by the applicable European data protection law(s) for transfers and processing of Personal Information; or (2) agree to provide adequate protections for the Personal Information that are no less protective than those set out in this Privacy Policy. In cases of onward transfer to Third Parties of Personal Information of EU residents received pursuant to the EU-US Privacy Shield, ECI is potentially liable if the Third Party processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. ECI's liability under this agreement may be governed by the contract in place between the Customer (“data controller”) and ECI (“data processor”).
If you are visiting our websites from the EU/EEA or UK or other regions with laws governing data collection and use, please note that you are acknowledging and agreeing to the transfer of your personal information to the U.S. and other jurisdictions in which we operate. By providing your Personal Information, you consent to any such transfer in accordance with this Privacy Policy.
EU-US PRIVACY SHIELD FRAMEWORK
ECI participates in and has self-certified its compliance with the EU-US Privacy Shield Framework under the US Department of Commerce’s Privacy Shield Program. ECI self-certifies that it adheres to and complies with the Privacy Shield Privacy Principles of Notice, Choice, Onward Transfer Accountability, Security, Data Integrity and Purpose Limitation, Access, and Enforcement and Liability. If there is any conflict between the policies in this Privacy Policy and the Principles, the Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification page, please visit https://www.privacyshield.gov.
As to Personal Information that ECI receives or transfers pursuant to the Privacy Shield, ECI subjects itself to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
All ECI employees who handle Personal Information from EU/EEA member states are required to comply with the Principles and this Policy.
ECI will renew its Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
VII. DISPUTE RESOLUTION
Any (non-EU/EEA; UK) Customers with questions or concerns about the use of their Personal Information should first contact us at privacyshield@ECI.com. Upon receipt of the question or concern we will begin an investigation and attempt to achieve a resolution as soon as reasonably possible. If that Customer's question or concern cannot be satisfied through this process, Customers may bring a complaint before the JAMS ADR service https://www.jamsadr.com/eu-us-privacy-shield.
Dispute Resolution (EU/EEA; UK Only)
In compliance with the Privacy Shield Principles, ECI is committed to resolving complaints about our collection or use of your personal information. Individuals in EU/EEA member states with inquiries or complaints regarding our Privacy Policy compliance should first contact us at privacyshield@ECI.com. Upon receipt of the question or concern we will begin an investigation and attempt to achieve a resolution as soon as reasonably possible.
If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact our third party dispute resolution provider JAMS. You can visit https://www.jamsadr.com/adr-spectrum/ for more information or to file a complaint. The services of JAMS are provided at no cost to you. Finally, under certain circumstances explained in more detail at https://www.privacyshield.gov, binding arbitration may be invoked in pursuit of satisfaction of claims brought under this agreement.
Finally, you have the right to make a complaint at any time to the Information Commissioner's Office, the UK Supervisory Authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
VIII. DATA INTEGRITY AND SECURITY
ECI uses reasonable efforts to maintain the accuracy and integrity of Personal Information and to update it as appropriate. While no security is impenetrable, ECI implements and maintains commercially appropriate technical, physical, administrative and organizational measures to ensure a level of security appropriate to the risk for ECI’s Processing of the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. For the Personal Information of EU/EEA and UK residents, ECI also takes into account the risk of varying likelihood and severity for the rights and freedoms of natural persons. ECI maintains, monitors, tests, and upgrades information security policies, practices, and systems to assist in protecting the Personal Information that it knowingly collects from you, and to maintain the ongoing confidentiality, integrity, availability and resilience of ECI’s systems and services. ECI personnel receive training, as applicable, to effectively implement ECI privacy policies. ECI also employs access restrictions, limiting the scope of employees who have access to Personal Information and are subject to a duty of confidentiality. Only employees who need the information to perform a specific job are granted access to personally identifiable information and/or Personal Information.
ECI has implemented physical and technical safeguards, online and offline, to protect Personal Information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored Personal Information is stored on a secure network with firewall protection, and access to ECI's electronic information systems requires user authentication via password or similar means. Moreover, the servers on which Personal Information is stored are kept in secure environments. Further, ECI uses secure encryption technology to protect certain categories of Personal Information. For example, Secure Socket Layer encryption is employed on secure pages, such as order forms.
Additionally, ECI has designated an internal team to oversee its information security program, including its compliance with the Privacy Shield Program. The internal team shall review and approve any material changes to ECI’s information security program as necessary. Any questions, concerns, or comments regarding the security practices under this Privacy Policy also may be directed to privacyshield@ECI.com.
Despite these precautions, no data security safeguards guarantee 100% security all of the time. We have put in place procedures to deal with any suspected personal information breach and will notify you and/or any applicable regulator of a breach where we are legally required to do so.
IX. MINIMIZATION, RETENTION, AND DELETION OF PERSONAL INFORMATION
ECI will retain Visitor and Customer information, and where applicable, Customer Data, all of which may include Personal Information, for no longer than is necessary for the purpose or purposes of its processing, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). For example, ECI may retain the Personal Information as necessary to comply with ECI’s legal and contractual obligations, to enforce an agreement, for as long as the applicable Customer’s account is active, for as long as the ECI Web Portal is being used by the Customer, and/or to enable ECI to investigate events and resolve disputes, subject to our compliance with this Privacy Policy.
To determine the appropriate retention period of Personal Information, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and applicable legal requirements. In some circumstances, you can ask us to delete your data: see REQUEST ERASURE below for further information. When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it, or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible. For Personal Information that we process on behalf of our Customers, we retain such Personal Information in accordance with the Services Agreement with them, subject to applicable laws.
In some circumstances we may anonymize your Personal Information (so it can no longer be associated with you) for research, product or services improvement, or statistical purposes in which case we may use this information indefinitely without further notice to you.
X. YOUR RIGHTS (EU/EEA, UK, AND OTHER APPLICABLE JURISDICTIONS)
Under certain circumstances, you have rights under applicable data protection laws with respect to Personal Information we knowingly collected. Please click on the links below to expand and find out more about those rights.
- Choice
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Object to processing of your personal data
- Request restriction of processing your personal data
- Request transfer of your personal data
- Right to withdraw consent
ECI will try to comply with any of these requests pertaining to your Personal Information in accordance with applicable law. Please recognize that ECI may in certain circumstances be unable to provide the access or information sought, or correction or deletion requested. For example, ECI may be unable to fulfil a request if it requires ECI to release commercial confidential information, the disclosure of Personal Information relating to another person that is not the requestor, or would result in impracticability, excessive redundancy, and/or an undue burden or expense to ECI. We may need to verify your identity before acting on your request. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- Choice. ECI gives its Visitors and Customers the ability to determine certain privacy preferences that can serve to modify the Personal Information collected. For example, e-mail marketing preferences, browser cookies, and do-not-track preferences. However, cookies are very important for ECI Websites to properly function and disabling or limiting their use may limit or interfere with Visitors’ experiences or ability to access Website features, functions and customizations, particularly Customer Accounts.
- Right to Access. A Person who has reasonable belief that his or her Personal Information is being processed by ECI has the right to ask ECI for confirmation on whether their Personal Information is being Processed, and access to the Personal Information and related information on that Processing (for example, the Processing purposes, or the Personal Information categories involved).
- Correction. You may request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. In making modifications to your Personal Information, you must provide only truthful, complete, and accurate information. In your request, please be as clear as possible what Personal Information you have provided to ECI and what Personal Information you would like edited and/or updated. If a Customer seeks to request erasure of Personal Information, Customers should submit a written request to their ECI office. If you are not a Customer but know or have a reasonable belief that you provided Personal Information to ECI that you would like deleted, contact ECI by phone (617-217-3006) or email (privacyshield@ECI.com).
- Erasure. You may ask us to delete or remove personal data, as permitted by law. This right may be exercised where our processing of your information is no longer necessary for the purposes for which it was collected or otherwise processed. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Erasure will be undertaken in the manner described under Section IX. You may edit or update your Personal Information by contacting ECI by phone (617-217-3006) or email (privacyshield@ECI.com).
- Object to processing. You may object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Restriction. You may request restriction of processing of your personal data which enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Transfer. You can request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent. You may withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Requests for Personal Information. ECI will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arises: (a) legally binding request for disclosure of the Personal Information by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from the Data Subject.
CUSTOMER'S PARTY RIGHT TO ACCESS
ECI’S ACCESS TO CUSTOMER DATA IS PRESCRIBED BY THE CUSTOMER ACTING AS THE DATA CONTROLLER, AND LIMITED TO ECI’S ROLE AS A DATA PROCESSOR. AS SUCH, IF ECI RECEIVES A REQUEST FOR HIS/HER/ITS PERSONAL INFORMATION FROM A CUSTOMER'S PARTY, THEN, UNLESS OTHERWISE REQUIRED UNDER LAW OR BY CONTRACT WITH SUCH CUSTOMER, ECI WILL REFER SUCH CUSTOMER’S PARTY TO CUSTOMER. PERSONS THAT HAVE SUBMITTED THEIR PERSONAL INFORMATION TO AN ECI CUSTOMER SHOULD CONTACT THE CUSTOMER IN THE FIRST INSTANCE TO UPDATE THEIR DATA AND INFORMATION.
XI. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
ECI complies with the HIPAA Administrative Safeguards by:
- Conducting annual risk assessments and updating policies as necessary.
- Requiring all employees delivering services involving ePHI to complete annual HIPAA training.
- Ensuring all vendors/subcontractors comply with all required privacy rules.
- Maintaining a robust Business Continuity Plan (BCP).
- Maintaining a robust security/breach incident policy.
ECI complies with the HIPAA Technical Safeguards by:
- When delivering infrastructure services, recommending features to ensure the Confidentiality, Integrity, and Availability (CIA) of ePHI. This includes but is not limited to strong authentication, backups, audit logging, group policies, strong encryption, host/network protection.
- Implementing the same features to ensure CIA on all ECI corporate systems.
- Keeping technical controls in place to safeguard ePHI, including but not limited to RBAC, least privilege access, usage of AES 256 encryption for data transmission, and multi-factor authentication methods.
ECI complies with the HIPAA Physical Safeguards by:
- Using strong encryption (at rest) on all server storage.
- Maintaining physical controls at ECI offices.
- Securing workstations and mobile devices against unauthorized access.
ECI does not collect or store ePHI of Covered Entities on any ECI corporate systems.
ECI employees do not interact with individual patient records without the supervision of the Covered Entity. Any patient ePHI requests should be directed to the Covered Entity and ECI will assist the Covered Entity as necessary.
XII. ACCEPTANCE AND CHANGES TO THIS POLICY
This Privacy Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make employees aware of changes to this Privacy Policy either by posting to our intranet, through email, or other means. We will post those changes on our website so that Visitors and Customers are always aware of what information we collect, how we use it, and under what circumstances we disclose it. We reserve the right to modify this Privacy Policy at any time, so please review it frequently. We will also notify you by email or by means of a notice on our Websites [prior to the changes becoming effective] if we make changes that materially affect the way we handle Personal Information. If you do not wish your information to be subject to the revised Privacy Notice, you will need to deactivate with us and stop using ECI websites and services. Your use of ECI websites and services after the posting of such changes will constitute your consent to such changes.
By using ECI’s services, www.eci.com, and/or submitting any of your Personal Information to ECI, you agree to the terms of this Privacy Policy. Please do not send us any Personal Information if you do not want that information used in this way.
XIII. QUESTIONS OR COMPLAINTS
You may contact ECI with questions or complaints concerning this Policy at the following address: privacyshield@ECI.com or at:
Eze-Castle Integration, Inc.
Attention: General Counsel
100 High Street 16th Floor
Boston, MA 02110, USA
XIV. DEFINITIONS
Capitalized terms in this Privacy Policy have the following meanings:
"Customer" means a prospective, current, or former customer, or client of ECI. The term also shall include any individual agent, employee, representative, customer, or client of an ECI Customer where ECI has obtained his or her Personal Information from such Customer as part of its business relationship with the Customer.
“Customer Data” is data and information that may reside on ECI, Customer or Third-Party servers, desktops, or systems to which ECI is provided access to perform its processing services. Customer Data may include Third-Party Personal Information about a Customer’s Parties.
“Customer Information” is information that ECI may collect from a Customer’s online and offline interactions with ECI in or related to the Customer’s use of ECI Websites, services and products. Examples of such information include a Customer’s name, address, billing information, employee contact information, Website visits, or other such account information. ECI may also associate an IP address, cookie, or other automatic personalization mechanism with a specific Customer.
“Customer’s Party” – Third Parties that are Customer’s employees, clients, customers, partners, agents, suppliers, or other individuals that are unaffiliated with and have no direct relationship to ECI. Customer’s Party data and information may be included in Services Data.
"Data Subject" means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Customers residing in Switzerland, a Data Subject also may include a legal entity.
"Employee" means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of ECI or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area.
“ECI Web Portal” means the Customer web portal provided to certain Customers as part of their products and/or services.
“ECI Website” or “Website” means www.eci.com or any of its inside or inner pages, including but not limited to the ECI Web Portal.
"EU/EEA" refers to any country or member state currently in the European Union (EU) and/or the European Economic Area (EEA).
“Marketing Partner” means trusted Third Parties that conduct joint marketing activities with ECI or provide ECI with services and data for marketing purposes.
“Personal Information” or "Personal Information" (as interchangeable terms) is any information relating to an identified or identifiable natural person. This is any information, recorded in any form, relating to a living person who can be identified, directly or indirectly, by reference to that information. It includes, but is not limited to, an individual's name, country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and/or identification numbers. Personal Information does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term "person" includes both a natural person and a legal entity, regardless of the form of the legal entity.
For California residents, the data elements listed in section 140(o)(1)(A)-(K) of the CCPA, if any such data element identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household are also considered to be personal information.
“Specific Categories” or "Sensitive Data" or “Sensitive Information” (as interchangeable terms) means Personal Information that discloses a Data Subject's medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, genetic or biometric information, or trade union membership.
"Third Party" can mean any individual or entity that is neither ECI nor an ECI employee. For example, it may be an agent, contractor, vendor, partner or representative. The term may also mean any individual or entity that is not associated with the individual or entity with which it is being used in conjunction. For example, if another person is requesting a change to your personal information, that other person would be considered a Third Party (in relationship to you).
“Visitor” is an individual that may or may not be a Customer, who goes on the ECI Website.
To request more information on ECI's Privacy Policy please contact us.