Last Updated: 18 December, 2020
Butterfly Network Inc. (“Butterfly”, “we”, “us” or “our”) takes the privacy and the security of its users' data (like you) very seriously. This Privacy Notice ("Notice") explains who we are, how we collect, use and share personal information about you and how you can exercise your privacy rights.
PROCESSING ACTIVITIES COVERED
This Notice applies (unless a different Notice is displayed) to the processing of personal information collected by us in the usual course of business, including when you:
- Visit our websites (such as www.butterflynetwork.com) that display a link to this Notice (the “Site” or “Sites”), visit our social media pages; visit our offices; receive communications from us, including emails, phone calls and texts; or register for, attend and/or otherwise take part in our events, tutorials, webinars or contests (we collectively refer to all of these activities as our "Marketing Activities" in this Notice).
- Use any Butterfly products or services as an authorized end user (for example, as an individual customer or as a team member of one of our customers who has provided you with access to our services) ("Service Users"), including the Butterfly hosted, on demand platform services ("Butterfly Cloud"), Butterfly iQ device ("iQ Device"), as well as any application supplied by us, including the Butterfly iQ applications available for mobile users (the "App" or "Apps") (collectively, the "Services"), when we act as a data controller of your personal information.
"You" may, depending on the context, be: a visitor to one of our Sites, offices or social media pages; a recipient of our communications; a patient whose personal information is being hosted in our Services; or a Service User of one or more of our Services.
This Notice does not apply to the personal information that we process as data processors on behalf of our customers in the course of providing our Services.
WHO WE ARE
We are Butterfly Network, a company headquartered in the United States. In support of our mission to democratize healthcare by making medical imaging accessible to everyone around the world, we have developed and provide a whole-body portable ultrasound scanner (the iQ Device) and related hosted, on demand Web-based application, application programming interfaces and platform services, which we offer to physicians or other licensed health care providers (our "customers"). You can find out more about us and our Services here.
If you are resident in the European Economic Area ("EEA"), UK or Switzerland, the controller of your personal information that we process for the purposes described in this Notice is Butterfly Network, Inc.
WHAT PERSONAL INFORMATION DO WE COLLECT?
The information we collect depends on the context of your interactions with Butterfly and the choices you make (including your privacy settings), the products and features you use, your location and applicable law.
In general, our Services are intended for use by Service Users. As a result, for much of the personal information (including patient personal information) we collect and process through the Services, we act as a data processor. This means, it is primarily our Service Users that control what personal information we collect through the Services and how we use it. Therefore, if you are a patient of one of our Service Users, and have privacy related questions or concerns about the privacy practices of or the choices the relevant Service User has made to share your information with us or any other third party, you should contact the relevant Service User or review their or (where applicable) their organizations' privacy notices.
Butterfly is not responsible for the privacy or security practices of its Service Users, which may differ from those set out in this Notice.
Information you provide to us:
If you are a Service User you (or your team administrator) may provide certain personal information to us through the Services - for example, when you sign up for a Butterfly account to access and use the Services, when you consult with customer support or send us an email or communicate with us in any way (for example, to make a support request).
The personal information we collect may include:
- Business contact information (such as your name, job title, organization, phone number, email address and country);
- Marketing information (such as your contact preferences);
- Account log-in credentials (such as your email or username and password when you sign-up for an account with us and the unique Service User/ team ID assigned to you in our systems);
- Troubleshooting and support data (which is data you provide or we otherwise access in connection with support queries we receive from you. This may include, for example, contact or authentication data, the content of your chats and other communications with Butterfly, and the product or service you are using related to your help inquiry); and
- Payment information (including your credit card numbers and associated identifiers, billing address and background information, but only where you pay for the Services).
If you ever communicate directly with us, we will maintain a record of those communications and responses.
Information we collect automatically:
When you use or interact with the Services, we automatically collect or receive certain information through our Services (for example in log files) and through other technologies (such as cookies) about your device and usage of the Services. In some (but not all) countries, including countries in the European Economic Area ("EEA"), UK and Switzerland, this information is considered 'personal data' under data protection laws. For further information please review the section "Cookies and Similar Technologies" below.
The information we collect includes:
- Log and usage data, which is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our Services and which we record in log files. This log data may include the Internet Protocol (IP) address, device information, browser type and settings and information about your activity in the Services (such as the date/ time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features of you use)), device event information (such as system activity, error reports (sometimes called 'crash dumps') and hardware settings).
- Device data, such information about your computer, phone, tablet or other device you use to access the Services. This device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system and system configuration information. If you are using our mobile App, we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID and information about the features of our mobile App you accessed.
- Location data, such as information about your device's location, which can be either precise or imprecise. How much of this information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note however, if you choose to opt out, you may not be able to use certain aspects of the Services.
This information is used to:
- maintain the security of the Services;
- provide necessary functionality;
- improve performance of the Services;
- assess and improve Service User's experience of the Services;
- review compliance with applicable usage terms;
- identify future opportunities for development of the Services;
- assess capacity requirements;
- identify customer opportunities and for the security of Butterfly generally (in addition to the security of our Services); and
- analyze overall trends, to help us provide and improve our Services, and to guarantee their security and proper functioning.
Some of the data automatically collected within the Services, whether alone or in conjunction with other data, could be personally identifying to you. Please note that this data is primarily used for the purposes of identifying the uniqueness of Service User logging on (as opposed to specific individuals), apart from where it is strictly required to identify an individual for security purposes or as required as part of our provision of the Services to our customers (where we act as a data processor).
Information we process about our Service Users' patients: We process certain personal information about our Service Users patients on behalf of our Service Users (where we act as a data processor). This personal information includes:
- Identification and contact data (name, title, date of birth, sex, medical record number (MRN), accession number).
- Patient health information ("PHI"), such as MRN data, study description and related metadata (such as comment data from Service Users about an ultrasound study) and other categories of PHI uploaded by (or on behalf of) the Service Users in connection with the Services.
As described above, in most cases, we only process patient personal information on behalf of and as instructed by our Service Users (the data controllers of the personal information).
However, where permitted by the relevant Service User and applicable law, we may leverage certain patient data collected through the operation of the Services for our internal research and development purposes to develop and improve our Services (for which we will be a data controller). For these purposes, we only use patient personal information in a de-identified form that does not specifically identify any particular patient (for example, by reference to their name or other identification data). For example, we may leverage de-identified patient data to train our models and algorithms to better interpret the ultrasound images captured from Butterfly devices, to make more consistent measurements and therefore to improve the functionality of our Services and diagnostic outcomes. To the extent the de-identified patient data is considered personal information under applicable privacy and data protection law, we will ensure that such data is processed in compliance with such privacy and data protection laws (including seeking patient consent where legally required). Please review our Patient Privacy Notice for further information.
Cookies and Similar Technologies (Services)
Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. The Services may make use of first or third party cookies (whether session or persistent cookies) and similar technologies, for such things as session management, account access/ authentication, to recognize returning Service Users, for storing and honoring Service User's preferences and settings, combating fraud, maintaining and monitoring the infrastructure of the Services, ensuring security protections, analyzing how our Services perform and other analytics purposes, and fulfilling other legitimate purposes as further described in this Notice (such as fixing issues with and improving our Services and related Service User experience). We also use analytics cookies to better understand how our Services are being used by tracking how you interact with the Services and where you click.
(B) Marketing Activities
Information you provide to us:
Our Site offers various ways to contact us, such as through form submissions, email or phone, to inquire about our company and Services. For example, when expressing an interest in obtaining information about us or our Services, subscribing to marketing or otherwise contacting us, we will collect personal information from you. We may also collect information from you in person at a tradeshow or event or via a phone call with one of our sales representatives or if you visit our offices (where you may be required register as a visitor and provide us with certain information).
The personal information we collect may include:
- Business contact information (such as your name, phone number, email address and country);
- Professional information (such as your job title, institution or company);
- Nature of your communication;
- Marketing information (such as your contact preferences); and
- Any information you choose to provide to us when completing any 'free text' boxes in our forms.
Personal information may also be provided to us on your behalf by another Service User (such as the ultimate customer). If you ever communicate directly with us, we will maintain a record of those communications and responses.
Information we collect automatically:
The information we collect may include:
Device data - such as your IP address, your operating system, your browser, device information, unique device identifiers, mobile network information, request information (speed, frequency, the site from which you linked to us (“referring page”), the name of the website you choose to visit immediately after ours (called the “exit page”), information about other websites you have recently visited and the web browser used (software used to browse the internet) including its type and language); and
Usage data – such as information about how you interact with our emails, Sites and other websites (such as the pages and files viewed, searches, operating system and system configuration information and date/time stamps associated with your usage).
Information we collect from other sources: In order to enhance our ability to provide relevant marketing, offers and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, social media platforms, as well as from other third parties. This information may include mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), IP addresses, social media profiles, social media URLs and custom profiles, for purposes of targeted advertising, event promotion and optimizing our Sites, Services and Marketing Activities.
Cookies and Similar Technologies (Marketing Activities)
HOW DO WE USE YOUR INFORMATION?
We use and process the personal information we collect receive (alone or in combination) for the purposes and on the legal bases identified below:
- Communicating with you about the Services: We may send you service, technical and other administrative or technical email, messages and other types of notifications (such as distribution and product updates and product patches and fixes) in reliance on our legitimate interests in administering the Services and providing certain features. These communications are considered part of the Services and in most cases you cannot opt-out of them. If an opt-out is available, you will find that option within the communication itself or in your account settings.
- Promoting the security of our Sites and Services: We process your personal information by tracking use of our Sites and Services, creating aggregated, non-personal data, verifying accounts and activity, investigating suspicious activity and enforcing our terms and policies, to the extent this is necessary for our legitimate interest in promoting the safety and security of the Sites, Services, systems and applications and in protecting our rights and the rights of others;
- Providing necessary functionality: We process your personal information to perform our contract with you for the use of our Sites or Services; where we have not entered into a contract with you, we base our processing of your personal information in reliance on our legitimate interest to provide you with the necessary functionality required during your use of our Sites and Services;
- Handling contact and Service User support requests: If you fill out a “Contact Us” web form or request Service User support, or if you contact us by other means including via a phone call, we process your personal information to perform our contract with you and/or (if we have not entered into a contract with you) to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you;
- Managing event registrations and attendance: We process your personal information to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you, to perform of our contract with you;
- Developing and improving our Marketing Activities and Services: We process your personal information to analyze trends and to track your usage of and interactions with our Marketing Activities and Services to the extent it is necessary for our legitimate interest in developing and improving our Marketing Activities and Services and providing you with more relevant content and service offerings, or where we seek your valid consent;
- Assessing and improving end user experience: We process device and usage data as described above which in some cases may be associated with your personal information, in order to analyze trends in order to assess and improve the overall user experience to the extent it is necessary for our legitimate interest in developing and improving our Marketing Activities and/or Services, or where we seek your valid consent;
- Reviewing compliance with applicable usage terms: We process your personal information to review compliance with our contract with you or your organization (where applicable) to the extent that it is in our legitimate interest to ensure adherence to the relevant terms;
- Assessing capacity requirements: We process your personal information to assess the capacity requirements of our Services the extent that it is in our legitimate interest to ensure that we are meeting the necessary capacity requirements of our service offerings;
- Identifying customer opportunities: We process your personal information to assess new potential customer opportunities to the extent that it is in our legitimate interest to ensure that we are meeting the demands of our customers and their Service Users experiences;
- Registering office visitors: We process your personal information for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access;
- Displaying personalized advertisements and content: We process your personal information to conduct marketing research, advertise to you, provide personalized information about us on and off our Sites and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in supporting our Marketing Activities or advertising our Services or, where necessary, to the extent you have provided your prior consent (please see the "Your Privacy Rights" section, below, to learn how you can control how the processing of your personal information for personalized advertising purposes);
- Sending marketing communications: We will process your personal information to send you marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS, or push notifications) about us when this is in accordance with your marketing preferences, including information about our products, services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent (please see the "Your Privacy Rights" section, below, to learn how you can control the processing of your personal information by Butterfly for marketing purposes);
- For our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products and features, enhancing, improving or modifying our products and services, identifying usage trends and expanding our business activities in reliance on our legitimate interests; and
- Complying with legal obligations: We process your personal information when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our Sites, Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests.
Where we need to collect and process personal information by law, or under a contract we have entered into with you, and you fail to provide the required personal information when requested, we may not be able to perform our contract with you.
SOCIAL MEDIA FEATURES
Our Sites may use social media features, such as the Facebook “like” button, the “Tweet” button and other sharing widgets (“Social Media Features”). You may be given the option by such Social Media Features to post information about your activities on a website to a profile page of yours that is provided by a third party social media network in order to share with others within your network. Social Media Features are either hosted by the respective social media network or hosted directly on our website. To the extent the Social Media Features are hosted by the respective social media networks and you click through to these from our website, the latter may receive information showing that you have visited our website. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our websites with your social media profile. Your interactions with Social Media Features are governed by the privacy policies of the companies providing the relevant Social Media Features.
COLLECTION OF PERSONAL INFORMATION BY THIRD PARTIES
Some links on our Sites and in our Services may redirect you to third party resources, including websites and services that Butterfly does not operate. The privacy practices of these websites and services will be governed by their own policies.
In addition, our Sites use Google Maps features and content, such as the Place Autocomplete service which automatically populates your billing and/or shipping address if you order the iQ Device through our Sites. Further information on how Google uses your information collected through Google maps features and content can be found at https://policies.google.com/privacy.
WHO DO WE SHARE YOUR INFORMATION WITH?
We do not sell or share your personal information with third parties except as outlined below. We may disclose your personal information to the following categories of recipients:
- Service providers. In order to provide our Services to you and undertake our Marketing Activities, it may be necessary for us to disclose your information to contracted third parties and service provider partners who perform certain functions of our service on our behalf. Examples include payment providers (to authorize, record, settle and clear payment card transactions); cloud hosting providers (to provide data storage and processing services); communications providers (to process new queries and to manage our emails); and analytics company to perform analysis on the Site and Services. These third party service providers are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.
- Compliance with laws. We may disclose information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or other legal process (including in response to public authorities to meet national security or law enforcement requirements).
- Business transfers. We may share or transfer information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Notice.
- Advertising Partners. We may partner with third party advertising networks, exchanges and social media platforms (like Facebook) to display advertising on our Sites or to manage and service advertising on other sites and we may share personal information with them for this purpose. Please see more information in our Cookie Notice for further information, including information about how you can turn off tracking technologies.
- Consent. We may share your information with any other person with your consent to the disclosure.
INTERNATIONAL DATA TRANSFERS
The Sites and Services are provided and hosted in the United States. If you are using the Sites or Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by Butterfly Network in our facilities and by those third parties with whom we may share your personal information, in the United States, Australia, Canada, European Union and other locations where we have offices. These countries may have data protection laws that are different to the laws of your country. Regardless of where your data is located, we:(a) treat all personal information in accordance with applicable law; and (b) take reasonable steps to ensure the security of personal information.
If you are resident in or a visitor from the EEA, UK or Switzerland, we will protect your personal information when it is transferred outside of the EEA, UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information; or otherwise implementing appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses, complying with the Privacy Shield Framework for transfers of personal information from EEA, UK and Switzerland to US (see below) or another lawful transfer mechanism approved by the European Commission.
If you require further information about our international transfers of personal information, please contact us using the contract details in the “Contact Information” section further below.
Butterfly Network, Inc. has certified its compliance with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce with respect to personal information concerning individuals from the EEA, UK and Switzerland. Please see our Privacy Shield Notice to learn more.
If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
YOUR PRIVACY RIGHTS
Where we are acting as a data controller, and depending on your location and subject to applicable law, you may have the following rights with regard to the personal information we control about you.
- You can access, correct, update and delete your personal information by emailing us at firstname.lastname@example.org. If you are a Service User, you can also do this by signing in to your account and editing your information as desired
- In addition, if you are a resident of or visitor from the EEA UK or Switzerland, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. To exercise these rights, please send an email to email@example.com.
- You can opt out of receiving marketing emails from us by following the unsubscribe link in the emails or by emailing firstname.lastname@example.org. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or other transactional, non-marketing purposes.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
- If you are resident in the EEA and UK, the contact details for data protection authorities are available here.
- If you are resident in Switzerland, the contact details for the data protection authorities are available here.
- If you are resident in Australia, you can visit the ‘Complaints’ section of the Information Commissioner’s website, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.
- If you are resident in New Zealand, further information is available here.
- If you are resident in Canada and unable to resolve your privacy issue directly with us, you may find information about reporting your privacy concern to the appropriate privacy authority here.
CALIFORNIA PRIVACY RIGHTS
If you are resident in California, please refer to our California Consumer Privacy Act Notice (“CCPA Notice”) [link] for information about how we use your personal information and about your California privacy rights.
HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We retain your personal information where we have an ongoing legitimate business need to do so and for a period of time consistent with the original purpose as described in this Notice. We determine the appropriate retention period for personal information on the basis of the amount, nature and sensitivity of your personal information processed, the potential risk of harm from unauthorized use or disclosure of your personal information and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation).
After expiration of the applicable retention periods, we will either delete or anonymize your personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information.
You must have reached the age of majority to register as a member of or be permitted use of the Site or Services. Any information we receive from people we believe to be under this age will be purged from our database. We do not knowingly collect personal information from children under the age of 13 or have any reasonable grounds to believe that children under the age of 13 are accessing our Website or using our Service.
If you believe that a child under 13 may have provided us personal information, please contact us at email@example.com.
SECURITY OF THE SITE AND SERVICES
We take the security of your personal information very seriously. We use reasonable and appropriate administrative, physical, and technical safeguards to secure the personal information we process. Despite these safeguards and our additional efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third-parties will not be able to defeat our security, and improperly collect, access, steal, or modify your Personal Information.
The security of your use of any Butterfly App relies on your protection of your mobile device. You may not share your instance of the mobile application with anyone. If you believe that an unauthorized access to your instance of the mobile application has occurred please report it immediately at firstname.lastname@example.org. You must promptly notify us if you become aware that any information provided by or submitted to the mobile application is lost, stolen, or used without permission.
If you are a Service User, the security of the user profile you create to interact with the Services relies on your protection of your login credentials. You are responsible for maintaining the security of your login credentials, including your password and for any and all activities that occur under your account. You may not share your password with anyone. We will never ask you to send your password or other sensitive information to us in an email, though we may ask you to enter this type of information on a Butterfly website, or mobile application interface.
Any email or other communication purporting to be from us requesting your password or asking you to provide sensitive account information via email, should be treated as unauthorized and suspicious and should be reported to us immediately by emailing email@example.com. If you believe someone else has obtained access to your password, please change it immediately and report it immediately by emailing firstname.lastname@example.org.
WILL WE CHANGE THIS PRIVACY NOTICE?
Each time you use our Site or Services, the current version of the Notice will apply. When you use our Site or any of our Services, you should check the date of this Notice (which appears at the top of this Notice) and review any changes since the last version.
If we make material changes to this Notice, we will notify you either by prominently posting a notice of such changes prior to implementing the changes or by directly sending you a notification. We encourage you to review this Notice frequently to be informed of how Butterfly is protecting your information.
This Notice is accessible within our App under My Account Settings -> Privacy Notice and available at https://www.butterflynetwork.com/privacy-policy.
To contact us with your questions or comments regarding this Notice or the information collection and dissemination practices of this website, please email us at email@example.com. Alternatively, you can contact us in writing at: 530 Old Whitfield St, Guilford, CT 06437 ATT: Data Protection Officer.