Privacy Policy

This Privacy Policy outlines General Devices LLC’s commitment to protecting the privacy and security of personal information. It details our data collection, usage, disclosure practices, and our compliance with HIPAA and other relevant regulations. This policy applies to all our products and services, including our website, on-premise, and mobile solutions, primarily used by hospitals and emergency medical services in the USA.

At General Devices (GD), protecting private information is our top priority. This Privacy Policy outlines our commitment to ensuring the confidentiality, integrity, and security of personal information.

Scope and Applicability
This Privacy Policy governs the data collection, usage, and sharing practices of General Devices (GD) and is applicable to all users and data types, including GD’s website (www.general-devices.com), Product Solutions and all other related services, and their derivatives, collectively “GD Services”. By using or accessing GD Services, you consent to the data practices described in this policy. This includes data entered by users on behalf of their third-party patients.
This policy provides a comprehensive overview of how GD handles data and personal information, ensuring compliance with relevant laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA).

Commitment to Privacy and Data Protection
We are dedicated to maintaining the privacy and security of your information. Our practices are designed to meet or exceed the requirements of applicable data protection laws. This policy outlines the measures we take to protect your information and provides guidance on how you can manage your privacy preferences.

To help you understand our Privacy Policy, we’ve defined key terms used throughout the document:

Personal Data: Any information that relates to an identified or identifiable individual. This includes information such as your name, address, email address, phone number, and other identifiers.

Cookies: Small text files placed on your computer or mobile device by websites you visit. Cookies are used to recognize users, remember user preferences, and track user activity.

Web Beacons: Small graphic images or other web programming code used to track user activity on websites or in emails. Web beacons are often used in conjunction with cookies.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, a federal law that sets standards for the protection of health information.

GD: General Devices LLC, the company responsible for providing the products and services covered by this Privacy Policy.

Product Solutions: General Devices’ product solutions that incorporate software and hardware products, web, computer or mobile applications, intended primarily for use by hospitals and Emergency Medical Services (EMS) located in the USA.

Covered Entity: As defined by HIPAA, a health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form.

Data Processor: A third party that processes personal data on behalf of GD.

Data Controller: The entity that determines the purposes and means of processing personal data. In most cases, GD acts as the data controller for the information collected through our services.

Encryption: The process of converting information or data into a code to prevent unauthorized access. We use encryption to protect your data both in transit and at rest.

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Physical Safeguards: Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards: The technology and policies and procedures for its use that protect electronic health information and control access to it.

Types of Information Collected
We collect various types of information to provide and improve our services. This includes:

Personal Information: Information that can identify you as an individual, such as your name, email address, phone number, address, and other contact details.

Non-Personal Information: Data that does not directly identify you, such as browser type, operating system, the pages you visit on our site, the time and date of your visit, and other analytical data.

ePHI (Electronic Protected Health Information): Information related to your health, including medical records, treatment information, location and health insurance data, related to use of our Product Solutions.


Methods of Collection
We collect information through various methods, including:

Direct Collection: Information you provide directly to us, such as when you register for an account, fill out forms, or contact us for support.

Indirect Collection: Information collected automatically through the use of cookies, web beacons, pixels, GPS location and other tracking technologies when you visit our website or use our Product Solutions.

Information Collected from Third-Party Sites: We may receive information about you from third-party sites, especially if you register for events or webinars hosted by us. These third parties may include service providers that support our programs or provide technical assistance. By participating in these events, you consent to the receipt of this information. We use this information to enhance our services and communication with you.

Purpose of Data Collection
We use the information we collect for various purposes, including:

Product Solution: To provide communications and healthcare information used to support healthcare provided by emergency medical services (EMS) and hospital providers.

Service Provision: To deliver and manage our products and services, including customer support, account management, and technical assistance.

Personalization and User Experience Improvement: To personalize your experience on our website and applications, tailor content and advertisements to your interests, and enhance the overall user experience.

Marketing and Communication: To send you promotional materials, newsletters, and updates about our products and services. You can opt out of these communications at any time.

Legal Basis for Processing Data
Our legal basis for processing your personal data includes:

Consent: Where applicable, we process your data based on your consent, which you can withdraw at any time.

Contractual Necessity: We process your data to fulfill our contractual obligations to you.

Legitimate Interests: We process your data to pursue our legitimate business interests, such as Product Solution usage, improving our services, conducting research, and maintaining security.

Legal Obligations: We process your data to comply with applicable laws and regulations.

Data Retention and Storage Policies
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our data retention policies ensure that we do not keep your information longer than necessary and that we securely dispose of data that is no longer needed.

Sharing Information with Third Parties
We take your privacy seriously and only share your information in specific circumstances:

Service Providers: We may share your personal data with trusted third-party service providers who assist us in operating our website, conducting our business, or providing services to you. These providers are obligated to keep your information confidential and use it only for the purposes for which we disclose it to them.

Business Partners: We may share your information with our business partners to offer you certain products, services, or promotions. These partners are required to adhere to strict data protection standards to ensure your information is safe.

Legal Obligations and Compliance: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

No Sale of Personal Data
We do not sell, trade, or otherwise transfer your personal information to outside parties. We are committed to ensuring your data remains private and is used solely for the purposes outlined in this policy.

Marketing and Advertising
With your consent, we may share your information with third parties for marketing and advertising purposes. You have the right to opt out of these communications at any time.

Types of Cookies Used
We use various types of cookies and similar tracking technologies on our website and applications to enhance your experience. These include:

Essential Cookies: Necessary for the operation of our website. They enable core functionalities such as security, network management, and accessibility.

Performance Cookies: Collect information about how you use our website, such as which pages you visit and if you experience any errors. These cookies help us improve our website’s performance.

Functionality Cookies: Allow our website to remember choices you make (e.g., your username, language, or region) and provide enhanced, more personalized features.

Targeting/Advertising Cookies: Used to deliver relevant advertisements to you and measure the effectiveness of our advertising campaigns.

Purpose of Cookies and Tracking Technologies
Cookies and similar technologies serve several purposes:

User Authentication: To recognize you when you return to our website and keep you logged in.

Preferences and Settings: To store your preferences and settings, such as language and region.

Performance and Analytics: To collect information about how you interact with our website and applications, enabling us to improve their performance and your experience.

Marketing and Advertising: To deliver personalized content and advertisements tailored to your interests and measure the effectiveness of our marketing efforts.

Managing Cookie Preferences
You have the right to manage your cookie preferences. Most web browsers allow you to control cookies through their settings. You can set your browser to block or alert you about cookies, or to delete cookies when you close your browser. However, if you disable cookies, some parts of our website may not function properly.

Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. At General Devices (GD), we are committed to complying with HIPAA regulations to ensure the privacy and security of your electronic Protected Health Information (ePHI).

HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards for the protection of health information. It addresses the use and disclosure of individuals’ health information by entities subject to the rule, as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Permitted Uses and Disclosures: We may use and disclose ePHI for treatment, payment, and healthcare operations without patient authorization. Any other uses and disclosures require written patient authorization.

Patient Rights: Patients have the right to access their health information, request amendments, and obtain an accounting of disclosures of their ePHI.

HIPAA Security Rule
The HIPAA Security Rule requires the implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Physical Safeguards: Measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards: Technology and policies and procedures for its use that protect electronic health information and control access to it.

HITECH Act Compliance
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 promotes the adoption and meaningful use of health information technology. It strengthens the enforcement of HIPAA by increasing penalties for violations and expanding the scope of privacy and security protections.


Safeguards for ePHI

Administrative Safeguards: We conduct regular risk assessments to identify potential vulnerabilities and implement necessary measures to mitigate risks. Our team is trained on HIPAA compliance, and we have strict policies and procedures in place to manage ePHI securely.

Physical Safeguards: Our facilities are secured with access controls to prevent unauthorized access to ePHI. This includes secured areas for servers and data storage, as well as surveillance systems to monitor access.

Technical Safeguards: We use advanced encryption technologies to protect ePHI during transmission and storage. Access to ePHI is restricted through secure login credentials and multi-factor authentication.

Security and Compliance Training
All GD team members are required to complete and pass HIPAA compliance training during onboarding and annual refreshers thereafter. We perform regular assessments of our security practices and update our training programs to ensure ongoing compliance with HIPAA regulations.

Data Encryption
We utilize state-of-the-art encryption methods to protect your data both in transit and at rest. This ensures that sensitive information, including ePHI, is secure from unauthorized access.

In-Transit Encryption: Data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) to protect it from interception.

At-Rest Encryption: Data stored on our servers is encrypted using Advanced Encryption Standard (AES) to ensure it remains secure even if physical security is compromised.


Access Controls
We implement strict access control measures to ensure that only authorized personnel can access sensitive information. This includes:

Role-Based Access Control (RBAC): Access to data is restricted based on the role and responsibilities of each team member. Only those who need access to specific information to perform their duties are granted access.

Multi-Factor Authentication (MFA): Users must provide multiple forms of identification before accessing sensitive information, adding an extra layer of security.

Vulnerability Management
We conduct regular vulnerability scans and security assessments to identify and address potential security risks. Our security team continuously monitors for new threats and vulnerabilities and takes immediate action to mitigate any identified risks.

Regular Updates and Patching: We ensure that all our systems and applications are regularly updated with the latest security patches to protect against known vulnerabilities.

Incident Response Plan: We have a comprehensive incident response plan in place to address any security breaches or incidents. This includes procedures for detecting, reporting, and responding to security incidents promptly.

Employee Training and Awareness
Security is a top priority at GD, and we ensure that all employees are well-versed in security best practices.

Onboarding Training: New employees undergo extensive security training during onboarding to familiarize them with our security policies and procedures.

Ongoing Education: Employees participate in regular security awareness training sessions to stay updated on the latest security threats and best practices.

Simulated Phishing Attacks: We conduct simulated phishing attacks to test and reinforce employees’ ability to recognize and respond to phishing attempts.

Data Integrity and Backup
We implement robust data integrity measures to ensure that your data is accurate, complete, and reliable. Regular backups are performed to prevent data loss and ensure that data can be restored in case of an incident.

Automated Backups: Data is backed up automatically on a regular schedule to secure locations.

Data Recovery: We have procedures in place to quickly recover data in the event of a loss or corruption.

Accessing and Updating Personal Information
You have the right to access and update your personal information held by General Devices (GD). If you wish to review or update your information, you can contact us at the details provided in the “How to Contact Us” section. We will take reasonable steps to ensure that your personal data is accurate, complete, and up-to-date.

Opting Out of Communications
You have the right to opt out of receiving marketing and promotional communications from us. If you no longer wish to receive such communications, you can unsubscribe by following the instructions provided in the email or by contacting us directly. Please note that even if you opt out of receiving marketing emails, we may still send you non-promotional emails related to your account or our ongoing business relations.

Data Portability
You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format. This allows you to move, copy, or transfer your data easily from one IT environment to another. If you wish to exercise this right, please contact us at the details provided in the “How to Contact Us” section.

Deletion and Anonymization Requests
You have the right to request the deletion or anonymization of your personal data. Upon receiving your request, we will take reasonable steps to delete or anonymize your information, except where we are required to retain it for legal or regulatory purposes. To request deletion or anonymization of your data, please contact us at the details provided in the “How to Contact Us” section.

Managing Cookies and Tracking Preferences
You can control how cookies and other tracking technologies are used on our website. Most web browsers allow you to manage your cookie preferences, including blocking or deleting cookies. You can also use tools provided by third-party organizations, such as the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), to control how your information is used for advertising purposes. For more information on managing your cookie preferences, please refer to the “Cookies and Tracking Technologies” section of this policy.

Exercising Your Rights
To exercise any of your rights described above, please contact us at the details provided in the “How to Contact Us” section. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Cross-Border Data Transfers
As a global company, General Devices (GD) may transfer your personal data to countries outside of your home country, including to the United States and other jurisdictions where we operate. These countries may have different data protection laws than your home country. We take appropriate steps to ensure that your information is treated securely and in accordance with this Privacy Policy, regardless of where it is processed. However, medical data subject to HIPAA regulations will only be stored and managed on servers located within the USA.

Compliance with International Data Protection Laws
We comply with applicable international data protection laws when transferring your data across borders. This includes implementing appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure that your data is protected when transferred to countries outside the European Economic Area (EEA).

Data Protection Agreements with Third Parties
When transferring data to third-party service providers or business partners located in other countries, we ensure that these entities comply with our data protection standards. We enter into data protection agreements with these third parties to ensure that your data is handled in a manner consistent with this Privacy Policy and applicable data protection laws.

User Consent to International Transfers
By using our services and providing us with your personal data, you consent to the transfer of your data to countries outside your home country, including the United States. We will take all necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

Additional Safeguards
To further protect your data during international transfers, we implement additional safeguards, including:

Encryption: We use advanced encryption methods to protect your data during transmission.

Access Controls: We restrict access to your data to authorized personnel only.

Regular Audits: We conduct regular audits of our data protection practices to ensure compliance with international standards.

Collection of Information from Minors
General Devices (GD) is committed to protecting the privacy of children. Our services are not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under the age of 13, we will take steps to delete such information from our records.

Parental Consent and Controls
In the event that we need to collect personal information from children under the age of 13, we will obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Act (COPPA). Parents or guardians can review, delete, or refuse further collection of their child’s information by contacting us at the details provided in the “How to Contact Us” section.

Educational and Healthcare Context
If our products are used in an educational or healthcare setting, such as schools or pediatric healthcare facilities, we ensure that any data collection complies with applicable laws and regulations, including COPPA and HIPAA. We work closely with educators and healthcare providers to ensure that the privacy of minors is protected.

Parental Rights
Parents or guardians have the right to review their child’s personal information, request its deletion, and refuse further collection or use of their child’s information. To exercise these rights, please contact us at the details provided in the “How to Contact Us” section. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Steps to Protect Children’s Privacy

Age Verification: We implement age verification mechanisms to prevent the collection of data from children under 13 without parental consent.

Secure Data Handling: We ensure that any data collected from children is stored securely and is only accessible by authorized personnel.

Transparency: We provide clear and easily understandable information about our data collection practices in our privacy notices directed to children and their parents or guardians.

Notification of Changes
We reserve the right to update or modify this Privacy Policy at any time. When we make changes to this policy, we will notify you by posting the updated policy on our website with a new “Last Updated” date. In the case of significant changes, we will provide a more prominent notice, such as a banner notification on our website or an email notification.

How Changes are Communicated
Significant changes to this Privacy Policy will be communicated to you in a clear and prominent manner. This may include:

Website Notification: A clear and prominent notice on our website’s homepage or relevant pages.

Email Notification: An email sent to the address associated with your account, detailing the changes and their implications.

In-App Notification: A notification within our mobile or desktop applications, informing users of the updated policy.

User Consent to Changes
Your continued use of our services following the posting of changes constitutes your acceptance of such changes. If you do not agree with the revised Privacy Policy, you may discontinue your use of our services and request the deletion of your personal information.

Review and Feedback
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you have any questions or feedback about the changes, please contact us at the details provided in the “How to Contact Us” section.

Effective Date of Changes
Changes to this Privacy Policy will become effective on the date they are posted unless otherwise stated. The “Last Updated” date at the beginning of this policy indicates when the policy was last revised.

Archiving Previous Versions
We maintain an archive of previous versions of this Privacy Policy for your reference. If you wish to review any previous versions, please contact us at the details provided in the “How to Contact Us” section.

Contact Information for Privacy Queries
If you have any questions, concerns, or comments about this Privacy Policy or our data protection practices or compliance, please contact us using the information below.

Mailing Address:
General Devices
1000 River St.
Ridgefield, NJ 07657
Attn: Data Protection Officer

DPO Email: privacy@general-devices.com
DPO Phone: (201) 313-7075

Submitting Requests
To exercise your rights regarding your personal information, such as accessing, updating, deleting, or transferring your data, please contact us through one of the methods listed above. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Complaints and Dispute Resolution
If you believe your privacy rights have been violated or if you have a complaint regarding our data protection practices, please contact us. We take all complaints seriously and will investigate and respond promptly. If you are not satisfied with our response, you have the right to file a complaint with the relevant data protection authority.

Additional Contact Information
For specific product or service inquiries, you may also contact the respective department:

Customer Support: support@general-devices.com

Sales Inquiries: sales@general-devices.com

Technical Support: techsupport@general-devices.com

We are here to assist you and ensure that your privacy and data protection concerns are addressed effectively.

Medical Device Regulations
General Devices (GD) provides communication and telehealth capabilities that are intended for use by medical professionals and first responders. While our products are not classified as medical devices, we adhere to industry standards to ensure quality and reliability.

FDA Guidelines: Although not classified as medical devices, our products are developed using the FDA’s Center for Devices and Radiological Health (CDRH) regulations for medical device manufacturers (21 CFR 820) and current Good Manufacturing Practices (cGMPs) (21 CFR 110) as guidance where applicable.

Quality Management System: Our quality management system utilizes these guidelines to maintain high standards in our products and services. Our facilities, processes, and systems undergo regular inspections to ensure compliance and quality.

Telehealth and EMS Compliance
Our telehealth and EMS solutions are designed to comply with specific industry regulations and standards to ensure safety, security, and effectiveness.

HIPAA Compliance: As detailed in the HIPAA Compliance section, our products and services are designed to meet the stringent requirements of the HIPAA Privacy and Security Rules. This includes the protection of ePHI through administrative, physical, and technical safeguards.

NEMSIS Compliance: For our EMS solutions, we ensure compliance with the National Emergency Medical Services Information System (NEMSIS) standards. This includes data collection and reporting practices that align with national EMS data requirements.

Compliance with State and Federal Regulations
In addition to federal regulations, we comply with relevant state laws and regulations concerning data protection, telehealth, and EMS operations.

State-Specific Requirements: We ensure that our products and services meet the specific requirements of each state in which we operate. This includes obtaining necessary licenses and certifications and adhering to state-specific data protection laws.

Continuous Monitoring and Auditing: We continuously monitor our compliance with state and federal regulations through regular audits and assessments. This helps us identify areas for improvement and ensure ongoing compliance.

Commitment to Quality and Safety: At GD, we are committed to providing high-quality, safe, and effective products and services. Our adherence to industry-specific regulations and standards is a testament to our dedication to excellence in the healthcare and EMS fields.

Appendix A: Legal References and Regulations
This appendix provides a summary of the key laws and regulations that inform our privacy practices:

HIPAA (Health Insurance Portability and Accountability Act of 1996)

Privacy Rule:
Establishes national standards for the protection of health information.

Security Rule:
Requires the implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

HITECH Act:
Strengthens the enforcement of HIPAA by increasing penalties for violations and expanding the scope of privacy and security protections.

COPPA (Children’s Online Privacy Protection Act)
Governs the collection of personal information from children under the age of 13 and requires verifiable parental consent.

GDPR (General Data Protection Regulation)
Sets out the key principles, rights, and obligations for the processing of personal data of individuals in the European Union.

NEMSIS (National Emergency Medical Services Information System)
Provides a standard for collecting, storing, and sharing EMS data to improve patient care and EMS operations.

Appendix B: Data Protection Impact Assessment (DPIA) Summary
A DPIA is a process to help identify and minimize the data protection risks of a project. Below is a summary of our DPIA for our primary services:

Scope: Evaluates the data protection risks associated with the collection, processing, and storage of ePHI through our telehealth and EMS solutions.

Risks Identified:

  • Unauthorized access to ePHI.
  • Data breaches due to insufficient security measures.
  • Non-compliance with HIPAA regulations.

Mitigation Measures:

  • Implementation of advanced encryption technologies.
  • Strict access controls and regular security audits.
  • Comprehensive employee training on data protection and HIPAA compliance.

Outcome: The DPIA concluded that the risks are adequately mitigated through our existing and planned security measures, ensuring compliance with HIPAA and other relevant regulations.

Compliance Measures: ePHI is encrypted both in transit and at rest. Access to the data is restricted to authorized personnel only. Patients are provided with a clear consent form outlining the data collection and usage.
