Privacy Policy

This Privacy Policy outlines General Devices LLC’s commitment to protecting the privacy and security of your personal information. It details our data collection, usage, disclosure practices, and our compliance with HIPAA and other relevant regulations. This policy applies to all our products and services, including our website, on-premise, and mobile solutions, primarily used in hospitals and EMS in the USA.

At General Devices (GD), protecting your private information is our top priority. This Privacy Policy outlines our commitment to ensuring the confidentiality, integrity, and security of your personal information. Our policy applies to all our products and services, including our website, on-premise, and mobile solutions, designed primarily for hospitals and Emergency Medical Services (EMS) in the USA. By using GD’s services, you consent to the data practices described in this policy. This includes data entered by EMS and hospital workers, which is typically data on patients.

Scope and Applicability
This Privacy Policy governs the data collection, usage, and sharing practices of General Devices (GD) and is applicable to all users of our website (www.general-devices.com), mobile applications, and other related services. It provides a comprehensive overview of how we handle your personal information, ensuring compliance with relevant laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA).

Commitment to Privacy and Data Protection
We are dedicated to maintaining the privacy and security of your information. Our practices are designed to meet or exceed the requirements of applicable data protection laws. This policy outlines the measures we take to protect your information and provides guidance on how you can manage your privacy preferences.

To help you understand our Privacy Policy, we’ve defined key terms used throughout the document:

Personal Data: Any information that relates to an identified or identifiable individual. This includes information such as your name, address, email address, phone number, and other identifiers.

ePHI (Electronic Protected Health Information): Any protected health information that is created, stored, transmitted, or received electronically. ePHI includes medical records, treatment information, and health insurance data.

Cookies: Small text files placed on your computer or mobile device by websites you visit. Cookies are used to recognize users, remember user preferences, and track user activity.

Web Beacons: Small graphic images or other web programming code used to track user activity on websites or in emails. Web beacons are often used in conjunction with cookies.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, a federal law that sets standards for the protection of health information.

GD: General Devices LLC, the company responsible for providing the products and services covered by this Privacy Policy.

Covered Entity: As defined by HIPAA, a health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form.

Data Processor: A third party that processes personal data on behalf of GD.

Data Controller: The entity that determines the purposes and means of processing personal data. In most cases, GD acts as the data controller for the information collected through our services.

Encryption: The process of converting information or data into a code to prevent unauthorized access. We use encryption to protect your data both in transit and at rest.

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Physical Safeguards: Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards: The technology and policies and procedures for its use that protect electronic health information and control access to it.

Types of Information Collected

We collect various types of information to provide and improve our services. This includes:

Personal Information: Information that can identify you as an individual, such as your name, email address, phone number, address, and other contact details.

Non-Personal Information: Data that does not directly identify you, such as browser type, operating system, the pages you visit on our site, the time and date of your visit, and other analytical data.

ePHI (Electronic Protected Health Information): Information related to your health, including medical records, treatment information, and health insurance data, especially when using our telehealth and EMS products.

Methods of Collection

We collect information through various methods, including:

Direct Collection: Information you provide directly to us, such as when you register for an account, fill out forms, or contact us for support.

Indirect Collection: Information collected automatically through the use of cookies, web beacons, pixels, and other tracking technologies when you visit our website or use our applications.

Information Collected from Third-Party Sites: We may receive information about you from third-party sites, especially if you register for events or webinars hosted by us. These third parties may include service providers that support our programs or provide technical assistance. By participating in these events, you consent to the receipt of this information. We use this information to enhance our services and communication with you.

Purpose of Data Collection

We use the information we collect for various purposes, including:

Service Provision: To deliver and manage our products and services, including customer support, account management, and technical assistance.

Personalization and User Experience Improvement: To personalize your experience on our website and applications, tailor content and advertisements to your interests, and enhance the overall user experience.

Marketing and Communication: To send you promotional materials, newsletters, and updates about our products and services. You can opt out of these communications at any time.

Legal Basis for Processing Data

Our legal basis for processing your personal data includes:

Consent: We process your data based on your consent, which you can withdraw at any time.

Contractual Necessity: We process your data to fulfill our contractual obligations to you.

Legitimate Interests: We process your data to pursue our legitimate business interests, such as improving our services, conducting research, and maintaining security.

Legal Obligations: We process your data to comply with applicable laws and regulations.

Data Retention and Storage Policies

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our data retention policies ensure that we do not keep your information longer than necessary and that we securely dispose of data that is no longer needed.

Location Tracking: Our app is used for EMS and First Responders, not for the general public. GPS location information is collected only when needed to track ETA for paramedics to ER. The location data is stored securely and not shared with third parties.

Sharing Information with Third Parties

We take your privacy seriously and only share your information in specific circumstances:

Service Providers: We may share your personal data with trusted third-party service providers who assist us in operating our website, conducting our business, or providing services to you. These providers are obligated to keep your information confidential and use it only for the purposes for which we disclose it to them.

Business Partners: We may share your information with our business partners to offer you certain products, services, or promotions. These partners are required to adhere to strict data protection standards to ensure your information is safe.

Legal Obligations and Compliance: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

No Sale of Personal Data

We do not sell, trade, or otherwise transfer your personal information to outside parties. We are committed to ensuring your data remains private and is used solely for the purposes outlined in this policy.

Marketing and Advertising

With your consent, we may share your information with third parties for marketing and advertising purposes. You have the right to opt out of these communications at any time.

Types of Cookies Used

We use various types of cookies and similar tracking technologies on our website and applications to enhance your experience. These include:

Essential Cookies: Necessary for the operation of our website. They enable core functionalities such as security, network management, and accessibility.

Performance Cookies: Collect information about how you use our website, such as which pages you visit and if you experience any errors. These cookies help us improve our website’s performance.

Functionality Cookies: Allow our website to remember choices you make (e.g., your username, language, or region) and provide enhanced, more personalized features.

Targeting/Advertising Cookies: Used to deliver relevant advertisements to you and measure the effectiveness of our advertising campaigns.

Purpose of Cookies and Tracking Technologies

Cookies and similar technologies serve several purposes:

User Authentication: To recognize you when you return to our website and keep you logged in.

Preferences and Settings: To store your preferences and settings, such as language and region.

Performance and Analytics: To collect information about how you interact with our website and applications, enabling us to improve their performance and your experience.

Marketing and Advertising: To deliver personalized content and advertisements tailored to your interests and measure the effectiveness of our marketing efforts.

Managing Cookie Preferences

You have the right to manage your cookie preferences. Most web browsers allow you to control cookies through their settings. You can set your browser to block or alert you about cookies, or to delete cookies when you close your browser. However, if you disable cookies, some parts of our website may not function properly.

Overview of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. At General Devices (GD), we are committed to complying with HIPAA regulations to ensure the privacy and security of your electronic Protected Health Information (ePHI).

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards for the protection of health information. It addresses the use and disclosure of individuals’ health information by entities subject to the rule, as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Permitted Uses and Disclosures: We may use and disclose ePHI for treatment, payment, and healthcare operations without patient authorization. Any other uses and disclosures require written patient authorization.

Patient Rights: Patients have the right to access their health information, request amendments, and obtain an accounting of disclosures of their ePHI.

HIPAA Security Rule

The HIPAA Security Rule requires the implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Physical Safeguards: Measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards: Technology and policies and procedures for its use that protect electronic health information and control access to it.

HITECH Act Compliance

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 promotes the adoption and meaningful use of health information technology. It strengthens the enforcement of HIPAA by increasing penalties for violations and expanding the scope of privacy and security protections.

Safeguards for ePHI

Administrative Safeguards: We conduct regular risk assessments to identify potential vulnerabilities and implement necessary measures to mitigate risks. Our team is trained on HIPAA compliance, and we have strict policies and procedures in place to manage ePHI securely.

Physical Safeguards: Our facilities are secured with access controls to prevent unauthorized access to ePHI. This includes secured areas for servers and data storage, as well as surveillance systems to monitor access.

Technical Safeguards: We use advanced encryption technologies to protect ePHI during transmission and storage. Access to ePHI is restricted through secure login credentials and multi-factor authentication.

Security and Compliance Training

All GD team members are required to complete and pass HIPAA compliance training during onboarding and annual refreshers thereafter. We perform regular assessments of our security practices and update our training programs to ensure ongoing compliance with HIPAA regulations.

Data Encryption

We utilize state-of-the-art encryption methods to protect your data both in transit and at rest. This ensures that sensitive information, including ePHI, is secure from unauthorized access.

In-Transit Encryption: Data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) to protect it from interception.

At-Rest Encryption: Data stored on our servers is encrypted using Advanced Encryption Standard (AES) to ensure it remains secure even if physical security is compromised.

Access Controls

We implement strict access control measures to ensure that only authorized personnel can access sensitive information. This includes:

Role-Based Access Control (RBAC): Access to data is restricted based on the role and responsibilities of each team member. Only those who need access to specific information to perform their duties are granted access.

Multi-Factor Authentication (MFA): Users must provide multiple forms of identification before accessing sensitive information, adding an extra layer of security.

Vulnerability Management

We conduct regular vulnerability scans and security assessments to identify and address potential security risks. Our security team continuously monitors for new threats and vulnerabilities and takes immediate action to mitigate any identified risks.

Regular Updates and Patching: We ensure that all our systems and applications are regularly updated with the latest security patches to protect against known vulnerabilities.

Incident Response Plan: We have a comprehensive incident response plan in place to address any security breaches or incidents. This includes procedures for detecting, reporting, and responding to security incidents promptly.

Employee Training and Awareness

Security is a top priority at GD, and we ensure that all employees are well-versed in security best practices.

Onboarding Training: New employees undergo extensive security training during onboarding to familiarize them with our security policies and procedures.

Ongoing Education: Employees participate in regular security awareness training sessions to stay updated on the latest security threats and best practices.

Simulated Phishing Attacks: We conduct simulated phishing attacks to test and reinforce employees’ ability to recognize and respond to phishing attempts.

Data Integrity and Backup

We implement robust data integrity measures to ensure that your data is accurate, complete, and reliable. Regular backups are performed to prevent data loss and ensure that data can be restored in case of an incident.

Automated Backups: Data is backed up automatically on a regular schedule to secure locations.

Data Recovery: We have procedures in place to quickly recover data in the event of a loss or corruption.

Accessing and Updating Personal Information

You have the right to access and update your personal information held by General Devices (GD). If you wish to review or update your information, you can contact us at the details provided in the “How to Contact Us” section. We will take reasonable steps to ensure that your personal data is accurate, complete, and up-to-date.

Opting Out of Communications

You have the right to opt out of receiving marketing and promotional communications from us. If you no longer wish to receive such communications, you can unsubscribe by following the instructions provided in the email or by contacting us directly. Please note that even if you opt out of receiving marketing emails, we may still send you non-promotional emails related to your account or our ongoing business relations.

Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format. This allows you to move, copy, or transfer your data easily from one IT environment to another. If you wish to exercise this right, please contact us at the details provided in the “How to Contact Us” section.

Deletion and Anonymization Requests

You have the right to request the deletion or anonymization of your personal data. Upon receiving your request, we will take reasonable steps to delete or anonymize your information, except where we are required to retain it for legal or regulatory purposes. To request deletion or anonymization of your data, please contact us at the details provided in the “How to Contact Us” section.

Managing Cookies and Tracking Preferences

You can control how cookies and other tracking technologies are used on our website. Most web browsers allow you to manage your cookie preferences, including blocking or deleting cookies. You can also use tools provided by third-party organizations, such as the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), to control how your information is used for advertising purposes. For more information on managing your cookie preferences, please refer to the “Cookies and Tracking Technologies” section of this policy.

Exercising Your Rights

To exercise any of your rights described above, please contact us at the details provided in the “How to Contact Us” section. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Cross-Border Data Transfers

As a global company, General Devices (GD) may transfer your personal data to countries outside of your home country, including to the United States and other jurisdictions where we operate. These countries may have different data protection laws than your home country. We take appropriate steps to ensure that your information is treated securely and in accordance with this Privacy Policy, regardless of where it is processed. However, medical data subject to HIPAA regulations will only be stored and managed on servers located within the USA.

Compliance with International Data Protection Laws

We comply with applicable international data protection laws when transferring your data across borders. This includes implementing appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure that your data is protected when transferred to countries outside the European Economic Area (EEA).

Data Protection Agreements with Third Parties

When transferring data to third-party service providers or business partners located in other countries, we ensure that these entities comply with our data protection standards. We enter into data protection agreements with these third parties to ensure that your data is handled in a manner consistent with this Privacy Policy and applicable data protection laws.

User Consent to International Transfers

By using our services and providing us with your personal data, you consent to the transfer of your data to countries outside your home country, including the United States. We will take all necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

Additional Safeguards

To further protect your data during international transfers, we implement additional safeguards, including:

Encryption: We use advanced encryption methods to protect your data during transmission.

Access Controls: We restrict access to your data to authorized personnel only.

Regular Audits: We conduct regular audits of our data protection practices to ensure compliance with international standards.

Collection of Information from Minors

General Devices (GD) is committed to protecting the privacy of children. Our services are not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under the age of 13, we will take steps to delete such information from our records.

Parental Consent and Controls

In the event that we need to collect personal information from children under the age of 13, we will obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Act (COPPA). Parents or guardians can review, delete, or refuse further collection of their child’s information by contacting us at the details provided in the “How to Contact Us” section.

Educational and Healthcare Context

If our products are used in an educational or healthcare setting, such as schools or pediatric healthcare facilities, we ensure that any data collection complies with applicable laws and regulations, including COPPA and HIPAA. We work closely with educators and healthcare providers to ensure that the privacy of minors is protected.

Parental Rights

Parents or guardians have the right to review their child’s personal information, request its deletion, and refuse further collection or use of their child’s information. To exercise these rights, please contact us at the details provided in the “How to Contact Us” section. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Steps to Protect Children’s Privacy

Age Verification: We implement age verification mechanisms to prevent the collection of data from children under 13 without parental consent.

Secure Data Handling: We ensure that any data collected from children is stored securely and is only accessible by authorized personnel.

Transparency: We provide clear and easily understandable information about our data collection practices in our privacy notices directed to children and their parents or guardians.

Notification of Changes

We reserve the right to update or modify this Privacy Policy at any time. When we make changes to this policy, we will notify you by posting the updated policy on our website with a new “Last Updated” date. In the case of significant changes, we will provide a more prominent notice, such as a banner notification on our website or an email notification.

How Changes are Communicated

Significant changes to this Privacy Policy will be communicated to you in a clear and prominent manner. This may include:

Website Notification: A clear and prominent notice on our website’s homepage or relevant pages.

Email Notification: An email sent to the address associated with your account, detailing the changes and their implications.

In-App Notification: A notification within our mobile or desktop applications, informing users of the updated policy.

User Consent to Changes

Your continued use of our services following the posting of changes constitutes your acceptance of such changes. If you do not agree with the revised Privacy Policy, you may discontinue your use of our services and request the deletion of your personal information.

Review and Feedback

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you have any questions or feedback about the changes, please contact us at the details provided in the “How to Contact Us” section.

Effective Date of Changes

Changes to this Privacy Policy will become effective on the date they are posted unless otherwise stated. The “Last Updated” date at the beginning of this policy indicates when the policy was last revised.

Archiving Previous Versions

We maintain an archive of previous versions of this Privacy Policy for your reference. If you wish to review any previous versions, please contact us at the details provided in the “How to Contact Us” section.

Contact Information for Privacy Queries

If you have any questions, concerns, or comments about this Privacy Policy or our data protection practices, please contact us using the information below. We are committed to addressing your inquiries and resolving any issues promptly.

Email: _____________
Phone: _____________
Mailing Address: ____________________________________________________

Data Protection Officer Contact Information

For matters specifically related to data protection and compliance, you can contact our Data Protection Officer (DPO) directly:

DPO Email: __________________________
DPO Phone: __________________________

Submitting Requests

To exercise your rights regarding your personal information, such as accessing, updating, deleting, or transferring your data, please contact us through one of the methods listed above. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Complaints and Dispute Resolution

If you believe your privacy rights have been violated or if you have a complaint regarding our data protection practices, please contact us. We take all complaints seriously and will investigate and respond promptly. If you are not satisfied with our response, you have the right to file a complaint with the relevant data protection authority.

Additional Contact Information

For specific product or service inquiries, you may also contact the respective department:

Customer Support: support@general-devices.com

Sales Inquiries: sales@general-devices.com

Technical Support: techsupport@general-devices.com

We are here to assist you and ensure that your privacy and data protection concerns are addressed effectively.

Medical Device Regulations

General Devices (GD) provides communication and telehealth capabilities that are intended for use by medical professionals and first responders. While our products are not classified as medical devices, we adhere to industry standards to ensure quality and reliability.

FDA Guidelines: Although not classified as medical devices, our products are developed following the FDA’s Center for Devices and Radiological Health (CDRH) regulations for medical device manufacturers (21 CFR 820) and current Good Manufacturing Practices (cGMPs) (21 CFR 110).

Quality Management System: Our quality management system utilizes these guidelines to maintain high standards in our products and services. Our facilities, processes, and systems undergo regular inspections to ensure compliance and quality.

Telehealth and EMS Compliance

Our telehealth and EMS solutions are designed to comply with specific industry regulations and standards to ensure safety, security, and effectiveness.

HIPAA Compliance: As detailed in the HIPAA Compliance section, our products and services are designed to meet the stringent requirements of the HIPAA Privacy and Security Rules. This includes the protection of ePHI through administrative, physical, and technical safeguards.

NEMSIS Compliance: For our EMS solutions, we ensure compliance with the National Emergency Medical Services Information System (NEMSIS) standards. This includes data collection and reporting practices that align with national EMS data requirements.

Compliance with State and Federal Regulations

In addition to federal regulations, we comply with relevant state laws and regulations concerning data protection, telehealth, and EMS operations.

State-Specific Requirements: We ensure that our products and services meet the specific requirements of each state in which we operate. This includes obtaining necessary licenses and certifications and adhering to state-specific data protection laws.

Continuous Monitoring and Auditing: We continuously monitor our compliance with state and federal regulations through regular audits and assessments. This helps us identify areas for improvement and ensure ongoing compliance.

Commitment to Quality and Safety

At GD, we are committed to providing high-quality, safe, and effective products and services. Our adherence to industry-specific regulations and standards is a testament to our dedication to excellence in the healthcare and EMS fields.

Appendix A: Glossary of Terms

To assist in understanding the terms used in this Privacy Policy, we have provided definitions of key terms below:

Personal Data: Information relating to an identified or identifiable individual.

ePHI (Electronic Protected Health Information): Any protected health information that is created, stored, transmitted, or received electronically.

Cookies: Small text files placed on your computer or mobile device by websites you visit.

Web Beacons: Small graphic images or other web programming code used to track user activity on websites or in emails.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, a federal law that sets standards for the protection of health information.

GD: General Devices LLC, the company providing the products and services covered by this Privacy Policy.

Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form.

Data Processor: A third party that processes personal data on behalf of the data controller.

Data Controller: The entity that determines the purposes and means of processing personal data.

Encryption: The process of converting information or data into a code to prevent unauthorized access.

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Physical Safeguards: Measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards: Technology and policies and procedures for its use that protect electronic health information and control access to it.

Appendix B: Legal References and Regulations

This appendix provides a summary of the key laws and regulations that inform our privacy practices:

HIPAA (Health Insurance Portability and Accountability Act of 1996)

Privacy Rule: Establishes national standards for the protection of health information.

Security Rule: Requires the implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

HITECH Act: Strengthens the enforcement of HIPAA by increasing penalties for violations and expanding the scope of privacy and security protections.

COPPA (Children’s Online Privacy Protection Act)

Governs the collection of personal information from children under the age of 13 and requires verifiable parental consent.

GDPR (General Data Protection Regulation)

Sets out the key principles, rights, and obligations for the processing of personal data of individuals in the European Union.

NEMSIS (National Emergency Medical Services Information System)

Provides a standard for collecting, storing, and sharing EMS data to improve patient care and EMS operations.

Appendix C: Data Protection Impact Assessment (DPIA) Summary

A DPIA is a process to help identify and minimize the data protection risks of a project. Below is a summary of our DPIA for our primary services:

Scope: Evaluates the data protection risks associated with the collection, processing, and storage of ePHI through our telehealth and EMS solutions.

Risks Identified:

Unauthorized access to ePHI.

Data breaches due to insufficient security measures.

Non-compliance with HIPAA regulations.

Mitigation Measures:

Implementation of advanced encryption technologies.

Strict access controls and regular security audits.

Comprehensive employee training on data protection and HIPAA compliance.

Outcome: The DPIA concluded that the risks are adequately mitigated through our existing and planned security measures, ensuring compliance with HIPAA and other relevant regulations.

Compliance Measures: ePHI is encrypted both in transit and at rest. Access to the data is restricted to authorized personnel only. Patients are provided with a clear consent form outlining the data collection and usage.
