Privacy Statement

Personal data, defined

For purposes of this Privacy Statement, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Scope of privacy statement

This Privacy Statement does not apply to any information we collect from any source other than the Site or the information we gather at trade shows or other events. This Privacy Statement does not apply to information input into our Excelsior™ software as a service, which is accessible via the internet. Use of and access to such software as a service, as well as our privacy, security, and other legal obligations relating to the software as a service, are governed by our agreements with our customers. If you wish to use or access our software as a service, please contact us as described in the “Contacting Us” section below.

What information do we collect?

You provide information when you post or transmit content (including any text, graphic, audio, video, or other content) to us, participate in trade shows or other events, respond or subscribe to surveys, newsletters or mailing lists, or otherwise use or access the Site. The information you provide may include your name, address, phone number, email address, company name, job title, IP address, content of messages transmitted to us via the Site, and other information that personally identifies you or can otherwise be linked to you. If required by applicable law, we will seek your explicit consent to process such information collected on this website or volunteered by you.

When you access or use the Site, we may send one or more cookies – small files – to your computer or other device. We may be able to uniquely identify your browser with such cookies. We may use session cookies and persistent cookies. Session cookies provide information to us while your browser is open. Persistent cookies provide information to us after you close your browser and later re-open it. If you disable cookies in your browser, some features of the Site may not function. For more information regarding our use of cookies and similar technologies, see our Cookie Policy.

We may also record certain information that your device sends or makes available whenever you use or access the Site. Such information may include your location, your device and its specifications, your referring page or service and URL, IP address, browser type and language, operating system specifications, pages viewed, the time you spend on each page, the order in which you view pages, the date and time of your use or access, the exit page or service and URL, application crashes, and similar information.

We may also use technology such as web beacons and clear gifs to track your use of and access to the Site. We may also use this technology in emails we send to you to track whether you opened the email.

The law specifies certain lawful bases for which we are allowed to use your personal data. We will rely on one or more of the following legal bases for processing your personal data:

• where you have given consent to the processing of the personal data;

• where it is necessary for compliance with a legal obligation to which we are subject; and/or

• where it is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

What do we use your information for?

We use collected information, and share collected information with categories of recipients including our affiliates, third party IT systems providers (email, server, and administration providers), data storage providers, website hosting providers, and customer relationship management system providers, to operate, maintain and provide the features and functionality of the Site, and to engage in our marketing efforts, including to:

• respond to and process customer and provider inquiries;

• alert you to new features and functionality, or to products and services offered by us or by third parties;

• provide personalized content and information;

• monitor the effectiveness of our marketing activity;

• enforce this Privacy Statement; and

• monitor aggregate use of and access to the Site.

We may also disclose collected information if we believe disclosure is required to comply with applicable law, or to protect us or the Site.

In the event that we are involved in a merger, acquisition, sale, bankruptcy, insolvency, reorganization, receivership, assignment for the benefit of creditors, or the application of laws or equitable principles affecting creditors’ rights generally, or a change of control, there may be a disclosure of your personal data to another entity related to such event.

We may share your information in response to lawful requests by public authorities, including to meet national security or other lawful enforcement requirements.

Please note that you may withdraw your consent to use and/or disclose your personal data at any time, subject to certain restrictions prescribed by applicable law. However, we may not be able provide certain services to you.

What are your controls and choices?

You have the right to exercise certain controls and choices regarding our collection, use and sharing of your information. Your controls and choices include the following:

• you may access, correct, update, and delete your information as described in the “What Data Protection Rights Do You Have?” below;

• you may change your choices for newsletters and alerts as described in the applicable newsletter or alert;

• you may obtain from us information regarding our policies and practices as they relate to the collection, use and disclosure of your information, including those with respect to the transfer and storage of your information outside of your jurisdiction of residence; and

• if applicable, you may request a list of all third parties to which we have disclosed your personal information during the preceding year for direct marketing purposes and a disclosure of the shared information, as described in the “Your California Privacy Rights” section below.

You may, of course, decline to submit personal data to us, in which case we may not be able to provide certain services to you.

We reserve the right to take reasonable steps to verify your identity before making
corrections or deletions.

If you have questions regarding the information about your data that we process or retain, please contact at privacy@meritcro.com

What data protection rights do you have?

Subject to certain exceptions and limitations, by law you have a right to:

• Request access to your personal data. This enables you to receive a copy of the
personal data we hold about you.

• Request correction of the personal data that we hold about you. This enables you to have incomplete or inaccurate data that we hold about you corrected.

• Request erasure of your personal data. This enables you to ask to delete your personal data where there is no legal basis for us continue processing it. This is sometimes referred to as the “right to be forgotten”.

• Request the restriction of processing of your personal data. This enables you to ask us to suspect the processing of your personal data, such as during the period of time it might take us to respond to a claim by you that the data is inaccurate or that our legitimate interest in processing it is outweighed by yours.

• Request us to transfer personal data that you gave us to you in a commonly used
electronic format. This is known as the right to portability.

• Object to processing of your data. This enables you to object to processing of your
personal data which is carried out.

To exercise any of these rights, please contact our Data Protection Officer (DPO) by emailing privacy@meritcro.com. We will respond to your request within one month where it is possible to do so. Where it is not possible to respond on this timescale, we will notify you of this, together with the reasons for delay. Your right to access your personal data is subject to conditions set out in applicable law.

How do we protect your information?

We take the protection of your personal data seriously. We protect such information against loss and theft as well as unauthorized access, disclosure, copying, use, and modification using security safeguards, including physical, organizational, and technological measures, commensurate with the sensitivity of such information. Employees who have access to your information are made aware of the importance of keeping it confidential.

Where we use service providers or otherwise disclose your personal data to unaffiliated third parties in accordance with this Privacy Statement, we require them to have privacy and security standards that are comparable to ours. We use contracts and other measures with such persons to maintain the confidentiality and security of your personal data and to prevent it from being used for any other purpose.

Please be aware that no data security measures can guarantee 100% security. You should also take steps to protect against unauthorized access to information.

For how long will we keep your data?

We will limit access to personal data to authorized persons having a justified need to access such information and limit retention periods to retain data for no longer than is necessary.

Transfer of personal data to a third country

Personal data collected by MERIT CRO may be stored or processed in the United States or in any other country where we or our affiliates, subsidiaries, or third-party service providers maintain facilities. EU data subjects who provide personal data to us consent to the processing and transfer of that data to the United States and around the world.

We may also execute agreements with third parties for the transfer of personal data outside of the EU using European Commission-approved Standard Contract Clauses or other clauses pursuant to applicable law.

Third Party Links

We may offer links to other sites from the Site. We have no control over these external sites or their content and are not responsible for any actions that they may take or any information they may collect. You may arrive at such sites through clicking on an image or graphic, as part of a co-branding arrangement, or simply by selecting a link on another website. You should be aware that this Privacy Statement does not apply to your use of these sites and services. If you provide any information to such sites or services, different rules regarding the collection
and use of your information and other information may apply. Before using these linked sites or services, you may wish to review their privacy policies to understand how they treat privacy, security, data collection, disclosure, distribution, and use.

Your California privacy rights

Residents of the State of California, under the California Civil Code, have the right to request from certain companies conducting business in California a list of all third parties to which the company has disclosed personal information during the preceding year for direct marketing purposes and a disclosure of the shared information. To make such a request, contact us as described in the “Contacting Us” section below. Please note that, as of the date this Privacy Statement was last modified, we are not a ‘business’ (as defined under the California
Consumer Privacy Act) with respect to the information within the scope of this Privacy Statement.

Please note that some web browsers and devices permit you to broadcast a preference to websites and online services that they “do not track” your online activities. At this time, we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received.

Privacy Shield

MERIT complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield. MERIT has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our
certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, MERIT CRO commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact MERIT CRO at privacy@meritcro.com.

MERIT CRO has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) regard to unresolved Privacy Shield complaints concerning data transferred from the EU. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint. The services of EU Data Protection Authorities (EU DPAs) are provided at no cost to you. You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from JAMS; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.

MERIT is responsible for the processing of personal data it receives, under the Privacy Shield, and subsequently transfers to a third party acting as an agent on its behalf. MERIT complies with the Privacy Shield for all onward transfers of personal data from the EU, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield, MERIT is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

If a third party providing services on MERIT’s behalf processes personal data from the EEA in a manner inconsistent with the Privacy Shield Principles, MERIT will be liable unless we can prove that we are not responsible for the event giving rise to the damages.

In relation to third parties other than third party service providers, MERIT will enter into a contract with such third parties that provides that personal information may only be processed for limited and specified purposes, that the third party will comply with these Principles or equivalent obligations and will notify MERIT if it can no longer meet this obligation. This shall be MERIT’s entire liability in respect of processing of personal data by such third parties.

The Site is hosted in the United States. If you are accessing the Site from outside the United States or any other region with laws or regulations governing personal data collection, use and disclosure that differ from the United States laws, please be advised that through your continued use of or access to the Site, which is governed by U.S. law, you are transferring personal information to the United States and you consent to that transfer. We also store in the United States the information we obtain about you at trade shows and other events.

The laws of the State of Wisconsin and applicable United States law govern all matters arising out of or relating to the Privacy Statement, including, without limitation, interpretation, construction, performance, and enforcement, without giving effect to such state’s conflicts of law principles or rules of construction concerning the drafter hereof.

Changes to this privacy statement

We reserve the right at our discretion to change the Privacy Statement at any time. We will post the most current version of this Privacy Statement to the privacy policy pages on the Site.

If we make a material change to this Privacy Statement, we will notify by posting a notice on the Site for a reasonable period of time after such changes are made and by changing the last modified date listed below.

Changes will take effect as described in the notice. If you use or access the Site after the change takes effect, you accept the Privacy Statement as modified.

Contacting us

You can contact us via email support@meritcro.com or at the following address:

MERIT CRO
6527 Normandy Lane, Suite 100
Madison, WI 53719

Please include your name, address, and any other information necessary to respond to you.