(Updated and Effective: July 31, 2023)
UPDATES TO POLICY
This Policy is subject to change without prior notification. Any changes will be posted on this page, and we will update the "Updated and Effective" date to reflect the date of the changes, unless another type of notice is required by applicable law. By continuing to use the Vericel web sites and/or services after the posting of such changes, you accept the Policy as modified.
COLLECTION OF INFORMATION, INCLUDING PERSONAL DATA
Vericel may collect, use, store, and transfer different categories of personal data and non-personal data about you, which may include:
- Identity Data such as your first, maiden, and last name, username or similar identifier, marital status, title, social security number, date of birth, and gender.
- Contact Data such as billing address, delivery address, e-mail address, and telephone number.
- Financial Data such as bank account, payment card details, insurance information, and payroll data.
- Technical Data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology and the devices you use to access our web sites.
- Professional or Employment-related Data such as employer and employment history.
- Transaction Data such as details about payments to you and other details regarding services you have received from Vericel.
- Profile Data such as information regarding your communication preferences, and feedback and survey responses.
- Usage Data such as information about how you use our web sites and other services and search queries.
- Marketing and Communications Data such as your preferences in receiving materials regarding Vericel products and services from us and our third parties and your communication preferences.
While in some instances we may collect personal data about children with the consent of a parent or guardian, such as clinical activities or for patient support programs, we do not otherwise knowingly solicit data from, or market to, children, and we are committed to collecting and using personal data of children in accordance with applicable laws.
Vericel does not knowingly collect personal data from children under the age of 13 on our web sites. If we become aware that we have collected personal data from children on or web sites, we will take reasonable steps to delete it as soon as practicable. If the parent or guardian of a child aged 13 or younger has reason to believe that a child has provided us with personal data on our web sites, the parent or guardian should contact Vericel in accordance with the contact information provided in the section titled “Contacting Vericel” to request deletion of this data from our files.
HOW WE COLLECT PERSONAL DATA ABOUT YOU
Direct Interactions. We will collect and store certain personal data, such as Identity Data, Contact Data, and Financial Data that you may give us through interaction and correspondence with Vericel, including if you:
- register and create a profile, create a username and password, or sign up for a contest or survey;
- send us an e-mail, contact us by phone or mail, either using addresses or numbers posted on our web sites or when you contact our employees directly;
- sign up/register on our web sites to receive clinical, promotional, disease awareness, or other information about products or services we offer or plan to offer in the future;
- through interactions with us on social media;
- subscribe to receive email notifications or other publications;
- give us feedback;
- provide unsolicited information to us;
- provide information to us as our business partner;
- apply for employment or consulting opportunities with us or when you become an employee or a consultant;
- express interest in participating in our clinical trials or other studies and research programs; or
- voluntarily submit personal data to Vericel.
Please note that while you are logged into a Vericel web site, your actions in that browsing session may be associated with your personal data. We may combine the personal data you share with us through this website with other information you have shared with us, both online and offline. We may also combine this personal data with records provided by third parties. We use this consolidated information to help us better design Vericel products, to communicate information to you, to enhance our marketing and research activities, and to facilitate other business functions.
TECHNICAL INFORMATION THAT IS ALWAYS COLLECTED
This Technical Information includes: (i) the domain and host from which you access the Internet; (ii) the Internet address of the web sites from which you linked directly to the Vericel web sites, if applicable; (iii) the date and time you arrived at our web sites and how long you spent on the web sites and which pages you visited; (iv) your Internet Protocol (IP) address; and (v) your computer's operating system and browser software. For more information about technical tracking technology used on our web sites, please see the section on Cookies and Related Technology.
Third parties (or publicly available sources). Vericel may receive categories of personal data about you from various third parties and public sources, such as:
- Technical Data from analytics providers such as Google, advertising networks, and search information providers.
- Contact Data, Financial Data, and Transaction Data from providers of technical, payment, and delivery services.
- Identity Data and Contact Data from recruitment agencies.
- Identity Data and Contact Data from publicly available sources.
- Special Categories of Personal Data including health data from Contract Research Organizations ("CROs") managing clinical research on our behalf.
OUR USE AND DISCLOSURE OF YOUR PERSONAL DATA
USE AND STORAGE OF PERSONAL DATA
Vericel or its affiliates, subsidiaries, business partners, and vendors who assist Vericel in providing services to you (collectively the "Service Providers") may use your personal data, including:
- Contacting you to obtain more information related to complying with or fulfilling a request that you have made;
- Personalizing your experience on the web sites;
- Responding to a question, comment, or concern;
- Maintaining and developing business or professional relationships with you, as applicable;
- Asking you to participate in surveys;
- Providing you with products or services for which you have requested, signed up, or opted-in;
- Sending you additional information about Vericel products and services (unless you have opted-out of receiving marketing communications);
- Providing you with additional information that Vericel believes may be of interest to you;
- Investigating or responding to issues such as complaints or security threats and for fraud prevention;
- Complying with legal requirements and requests and exercising our legal rights;
- Using data analytics to help us evaluate and modify existing products and services;
- Conducting depersonalized and aggregate statistical studies and research related to Vericel's products and services and the use of web sites to help us understand trends and needs;
- Recognizing you and allowing you to log-on to certain pages and featured for which you have registered, as necessary;
- Conducting audits (such as compliance or corporate audits);
- In connection with a sale or merger of our business or upon a sale or liquidation of assets; and
- Complying with regulatory monitoring and reporting obligations, including those related to adverse events, product complaints, and patient safety.
Vericel reserves the right to maintain all information in electronic and/or an offline form, for archival purposes and as otherwise required by law.
DISCLOSURE TO OTHER PARTIES
- Internal parties: Individuals or groups within Vericel to operate our business.
- Our subsidiaries, related companies, or affiliates: Other companies within the Vericel family of companies, such as subsidiaries, affiliates, and holding companies (if applicable).
- Our partners: Our partners, including other companies and academic institutions, such as those listed or referenced on our web sites.
- Service Providers: Third parties, as described above, who perform services on our behalf and help further our business requirements, including, without limitation, for market research, marketing communications, technological maintenance, data storage, system administration, and data analysis and processing.
- Professional advisers: Advisers (e.g., lawyers, bankers, auditors, and insurers) who, for example, may provide consultancy, banking, financial, legal, insurance, and accounting and payroll services.
- Government authorities: Revenue and Customs, U.S. Internal Revenue Service, the U.S. Food and Drug Administration, and other government agencies, regulators, and authorities.
We do not allow our third-party Service Providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We may allow third-parties to use de-identified or aggregated information.
YOUR RIGHT TO CONTROL ACCESS TO YOUR PERSONAL DATA
OPTING IN / PERMISSION TO CONTACT YOU
Vericel and our Service Providers may use the personal data we collect from you, such as your Identity Data, Contact Data, and Profile Data to respond to your inquiries and/or to send you information/newsletters, fulfill e-mail messaging programs, and notify you about new content or services based on our assessment of what we think you may want or need with respect to what services and materials may be relevant for you (we refer to this as marketing). Your request for information or services is also known as "opting in" to receive marketing communications. By opting in to Vericel e-mails, you also agree to the use of e-mail analytics (described below).
If you decide you no longer wish to receive promotional e-mail communications from Vericel, you may opt out at any time by using the contact information below or following the opt-out instructions contained in promotional e-mail communications sent to you. You may opt out of other types of promotional communications by contacting us through one of the methods described under "Contacting Vericel," below. If you opt out of receiving promotional communications from Vericel, you may continue to receive non-promotional communications, such as information about safety warnings or changes to programs in which you are enrolled. If you have opted out of promotional Vericel communications and subsequently request information from Vericel, Vericel will contact you to answer your request, although we may require additional information before we can process your request.
UPDATING PERSONAL DATA
Vericel is committed to maintaining accurate personal data. Where required by law, you may always contact us to request an update or request the correction of your personal data. Vericel will make reasonable efforts to comply with your correction/update request.
If you have any questions or concerns about the way your personal data is used and handled, or would like to exercise your privacy rights, please e-mail us at [email protected], call us at (617) 588-5555, or write to:
Attn: Customer Care
64 Sidney Street
Cambridge, MA 02139
Vericel takes reasonable security precautions to keep all personal data secure against loss, misuse, and unauthorized access, disclosure, alteration, or destruction, including encrypting personal data during the transmission of such information, while it is under our control. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They are subject to the duty of confidentiality. Nevertheless, Vericel makes no guarantee as to the security of your personal data and disclaims to the fullest extent permitted by law all liability and damages caused by its loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Please be aware that there is always some risk involved when submitting data over the Internet. We recommend that you take any available precautions to protect personal data that you submit to us. We have implemented procedures to appropriately deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
RETAINING YOUR PERSONAL DATA
We will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your information and whether we can achieve those purposes through other means, and applicable legal requirements.
PUBLIC FORUMS/SOCIAL MEDIA
Our web sites may make chat rooms, forums, Listservs and message boards available to its users. Please remember that any information that is disclosed in these areas becomes public information. You should exercise caution when deciding to disclose your personal data and you should not disclose the personal data of anyone other than yourself. Vericel cannot ensure or warrant the security of any information provided by you in such forums, and you do so at your own risk.
This site may use social plugins (e.g., the Facebook "Like" button) to enable you to easily share information with others. When you visit our sites, the operator of the social plugin may be able to place a cookie on your computer, enabling that operator to recognize individuals who have previously visited our site. The social plugin may allow that social media web site to receive information that you have visited our web sites. The social plugin may also allow the social media web site to share information about your activities on our web sites with other users of their social media web site. For more information about the information shared via a particular social media plugin, you should refer to that social media site's privacy statement.
USE OF "COOKIES" AND RELATED TECHNOLOGY
Vericel sites may use the following types of cookies and tracking technology:
"Session" cookies: Session cookies are temporary bits of information that are erased once you exit your web browser window or otherwise turn your computer off. Session cookies are used, for example, to improve navigation on our web sites, block visitors from providing information where inappropriate (e.g., the site may remember previous entries of age that are outside the permitted parameters and block subsequent changes) and to collect aggregated statistical information.
"Persistent" cookies: Persistent cookies are more permanent bits of information that are placed on the hard drive of your computer and stay there unless you delete the cookie. Persistent cookies store information on your computer for a number of purposes, such as retrieving certain information you have previously provided (e.g., Login ID), helping to determine what areas of the web site visitors find most valuable, and customizing the web site based on your preferences on an ongoing basis.
To help us better improve the user experience, Vericel uses e-mail analytics services to track certain information about how you access, engage with, and dispose of Vericel e-mails to which you have opted-in (subscribed). Such data may include, but is not limited to, your e-mail and IP addresses, the browser and e-mail client you use, the city in which you are located, and details about how you engage with the email, such as whether you opened, read, forwarded, or printed the e-mail. By opting in to Vericel e-mails, you agree to the use of e-mail analytics.
In addition, our sites use two Google Analytics Advertising Display Features, which collect information through cookies: Remarketing with Google Analytics and Demographics and Interests reporting. If you would like to opt-out of having your data used by these cookies, please use the Google Analytics opt-out available here.
Other information on opt-outs for targeted advertisement delivery is available below.
THIRD-PARTY WEB SITES
DO NOT TRACK SIGNALS
Certain web browsers and other programs may be used to signal your preferences to Vericel about how or whether Vericel or third parties may collect information about your online activities. Currently, Vericel web sites do not respond to such signals.
Nevertheless, the Digital Advertising Alliance maintains a web site where consumers can opt out from receiving interest-based advertising from some or all of the network advertising companies participating in the program explained here.
STATE PRIVACY RIGHTS
Vericel is committed to complying with state privacy laws and continues to monitor developments. Vericel may, now or in the future, be subject to certain state privacy laws that provide residents with specific rights concerning the disclosure and use of their personal data, subject to some limitations, exclusions and the verification of your identity. These rights may include, but are not limited to: (1) the right to know whether Vericel is processing your personal data; (2) the right to access the personal data that we process; (3) the right to correct inaccuracies in your personal data that we process; (4) the right to delete your personal data; (5) the right to obtain a copy of your personal data; (6) the right to opt-out of the processing of your personal data for targeted advertising, profiling activity and the sale of personal data; (7) the right to not be discriminated against for exercising your rights; and (8) the right to appeal a decision with regard to a request you make. To exercise your state privacy rights (as applicable), please contact us as described above.
Section 603A of the Nevada Revised Statutes permits Nevada residents who are Vericel "consumers" to, at any time, submit a request to an "operator" of a website in Nevada directing the operator not to make any sale of any "covered information" the operator has collected or will collect about the consumer. Vericel does not currently "sell" or plan to sell covered information as defined in the Nevada law. If you are a Nevada resident, you may submit a verified request by contacting us by sending an email to [email protected] to opt out of sales and we will record your instructions and incorporate them in the future if our policy changes. We will respond within the time required by law.
NOTICE TO CALIFORNIA RESIDENTS
California's Shine the Light Law (California Civil Code Section 1798.83) permits California residents who are individual customers of Vericel to request certain information regarding its disclosure of "personal information" to third parties for their direct marketing purposes. To make such a request, please contact us using our contact information listed above.
CALIFORNIA CONSUMER PRIVACY ACT OF 2018 ("CCPA") AND THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020 ("CPRA")
If you reside in California, please read this section for additional disclosures about how Vericel may collect, use, and disclose information about you, and for information about your rights under California law under the California Consumer Privacy Act (“CCPA,” including as amended by the California Privacy Rights Act (the “CPRA”)). References to the CCPA include the CPRA.
1. Information We May Collect About You
We collect personal data that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household (“Personal Information,” as defined by the CCPA).
Personal Information does not include:
- Publicly available information such as from government records and information that we have reasonable basis to believe is lawfully made available to the general public by you or from widely distributed media;
- De-identified or aggregated consumer information; and
- Information excluded from the CCPA's scope, such as:
- Health or medical information collected by entities directly subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”);
- Clinical trial data or certain other research data; and
- Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) or California Financial Information Privacy Act (“FIPA”), and the Driver's Privacy Protection Act of 1994.
Over the last 12 months, we may have collected the information referenced in the Section above titled "COLLECTION OF INFORMATION, INCLUDING PERSONAL DATA" which may include one or more of the following categories of Personal Information:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));
- Characteristics of protected classifications under California or federal law;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information;
- Non-public education information;
- Inferences drawn from other Personal Information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
- "Sensitive Personal Information" (as defined by the CCPA).
2. Sources of Personal Information
We may obtain your Personal Information from the following categories of sources:
- Directly from you, your caregiver, or agent;
- Indirectly from you or your caregivers or agents (i.e., in the course of providing services);
- Directly and indirectly from activity on our web sites (for example, from submissions through our web sites or from web site usage details collected automatically); and
- From third parties in connection with the provision of services.
3. Use of Personal Information
4. How We Share Your Personal Information
For more information about how we may otherwise share your Personal Information we collect for business purposes, please see the sections above titled: "OUR USE AND DISCLOSURE OF YOUR PERSONAL DATA" and DISCLOSURES TO OTHER PARTIES."
5. How Long We Retain Your Personal Information
For information about how long we retain your Personal Information, please see section above titled: "RETAINING YOUR PERSONAL DATA."
6. Your CCPA Rights
The CCPA provides consumers (i.e., California residents) with specific rights (listed below and subsequently referred to as “CCPA Rights”), subject to some limitations and exceptions and when applicable, the verification of a consumer's identity, regarding Personal Information:
- The right to know about and request access to the specific pieces of Personal Information that Vericel has collected, used, shared, or sold about you, including the categories of information, sources and business purposes of collection, as well as the categories of third parties to whom Vericel has disclosed or shared your Personal Information. You may only make a request twice within a 12-month calendar year;
- The right to request deletion of your Personal Information;
- The right to opt-out of the sale of your Personal Information and the right to opt-out of the sharing of certain Personal Information;
- The right to receive equal service and price and not be discriminated against for exercising your CCPA Rights;
- The right to correct inaccurate Personal Information;
- In certain circumstances, the right to restrict the processing of your Sensitive Personal Information and;
In order for Vericel to process a request for you to exercise your CCPA Rights, when applicable, we will first verify your identity by asking you to provide certain Personal Information. This may include a description of your relationship with Vericel, your first and last name, email address, telephone number, and postal address or other Personal Information that will allow us to verify your identity.
You may designate an authorized agent to exercise your CCPA Rights on your behalf in accordance with the CCPA. Vericel may require that you provide the authorized agent with written permission to act on your behalf and that the authorized agent verify his or her identity directly with us.
We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
When you submit a request to exercise your CCPA Rights, Vericel will do its best to respond to your request as soon as possible after we verify your identity, and, in any event, unless extended in accordance with the law, no later than 45 days after receiving your request.