Purpose and Scope

In pursuing our mission to facilitate the delivery of better hearing to the world, Sycle and its affiliated companies (“we,” “our,” “us”) may collect, use and disclose Personal Information about Sycle customers and users of Sycle services. This privacy policy explains what Personal Information Sycle collects, uses, and discloses about Sycle customers and users of Sycle services, and our purposes for doing so.  It also explains how we endeavor to protect this information, what rights you have and how to contact us if you have any questions or concerns. By engaging with Sycle, you agree to be bound by this policy and by our website Terms of Use. For the purposes of this privacy policy, “Personal Information” and “personal data” have the same meaning.

Information for Patients

Our processing of data on behalf of our healthcare provider customers is governed by the agreements we enter into with our customers, which may include Business Associate Agreements as applicable and required under the Health Insurance Portability and Accountability Act (“HIPAA”). Your healthcare provider may also have its own privacy practices and/or policies that govern its collection and use of your data. We are not responsible for how your healthcare provider treats your information, and we recommend you review their privacy policies.

If you are unable to access this privacy policy due to a disability, please contact us at privacy@sycle.net and we will provide you with it in an alternative format.

Jurisdiction-Specific Privacy Supplemental Policies

This Privacy Policy outlines general privacy policies applicable across jurisdictions including Canada, the United States, the European Union, Iceland, Liechtenstein, Norway, the United Kingdom, and Australia. If you are a customer or patient in one of the following jurisdictions, please see the applicable supplemental information:

• Australia
• Canada
• European Union, Iceland, Liechtenstein, Norway and the United Kingdom
• United States – California, Virginia, Colorado, Connecticut, Utah

Collection of Personal Information

Personal Information Provided by You

We collect Personal Information when you engage with us, including through use of our website, through communications with us, and through use of our Audiology Office Management Systems (“Service”). The Personal Information we collect may include your name, contact details including email address and phone number, company information, financial information, and other information you choose to provide.

 

Personal Information Automatically Collected

When you access or use our website, communicate with us, or use our Service, Personal Information may automatically be collected using browser navigation tools such as cookies, pixels, and other similar technologies. Information collected may include IP address, browser version, device, date and time of visit, location, website features viewed, operating system, and any errors encountered.

 

Personal Information Input by Our Customers

Our healthcare provider customers may provide us with Personal Information of their employees for purposes of provisioning access to the Service. Our customers may also input patient information into the System.

Personal Information Received from Third Parties

We may receive Personal Information from third parties including customer lead generation vendors.

 

Use of and Purpose for Collecting Personal Information

We use Personal Information for the following reasons:

• To fulfill and respond to requests and inquiries and to contact you for administrative or other communications.
• To provide, maintain and improve our products and services, including to analyze website traffic, performance, and reliability; to improve the content, functionality, and usability of our websites and communications; to assess market interests and trends; to detect and protect against security threats.
• To support our marketing and promotional efforts, including to invite you to participate in surveys and provide feedback to us; to contact you with offers and other information we believe will be of interest to you; to provide you with a personalized experience when you use our websites; to create a profile from the interactions we have with you to help us understand what information you might be interested in receiving.
• As necessary or appropriate under applicable law, to meet legal and regulatory requirements, including to comply with legal process and to respond to requests from public and government authorities; to enforce our Terms of Use; to protect our operations; to protect our rights, privacy, safety or property, and/or those of our affiliates, you or others; to allow us to pursue available remedies or limit the damages that we may sustain; to protect against fraud, and suspicious or other illegal activities.

We may combine or aggregate any Personal Information we collect for any of the above purposes.  We may also anonymize your Personal Information in such a way that you may not be re-identified by us or any other organization. We may use such anonymized information for any lawful purpose.

Disclosure of Personal Information

We disclose Personal Information as described below:

• Within Our Corporate Group: Sycle is a wholly-owned subsidiary of Cochlear Limited and may share Personal Information with Cochlear Limited and its other affiliates (the “Cochlear Group”). Members of the Cochlear Group will use and share your Personal Information only as set forth in this Privacy Policy.
• With Our Service Providers: We share Personal Information with organizations that provide or perform services to or on behalf of Sycle; for example, companies that provide website support services, or that help us market our products and services. Our service providers are required by contract to protect the confidentiality of the Personal Information we share with them and to use it only to provide services to us.
• Business Transactions: Your Personal Information may be transferred to a company that has acquired the stock or assets of Sycle; for example, as the result of a sale, merger, reorganization or liquidation. If such a transfer occurs, the acquiring company’s use of your Personal Information will still be subject to this Privacy Policy and the privacy preferences you’ve expressed to us.
• Legal/Government Requests and the Protection of Sycle and Others: We may disclose Personal Information when we, in good faith, believe disclosure is appropriate to comply with the law (or court order or subpoena); comply with lawful requests from public and governmental authorities; prevent or investigate a possible crime, such as fraud or identity theft; or protect the rights, property or safety of Sycle, the Cochlear Group, our users or others.

Cookies, Social Media Plug-Ins, and Similar Technologies

Cookies are small files that your internet browser stores to help websites keep track of information between visits. Our websites use cookies to help us:

• Understand which of our web pages you visit, how often and from what types of devices;
• Gather and remember information about your browsing devices and preferences;
• Personalize elements of our websites based on your browser, device, country, and language;
• Gather information about the website you came from and other sites you have visited to help categorize your browsing into a market segment for market analysis; and
• Provide you with more relevant content, promotional communications, and advertisements.

As an example, when you visit our websites, cookies help us identify what you search for, what content you visit, and how frequently you return. Although the information we collect via cookies does not directly identify you, once you register on our websites, we may associate your prior and future activity on our websites and apps with the contact details you have provided.

Some of the cookies used by our websites are set by us, and some are set by third parties on our behalf. Our use of cookies from third parties enables interest-based advertising that may cause you to be shown advertisements from Sycle on other websites that you visit.

We use cookies associated with Google Analytics, Microsoft Corporation, and HubSpot, Inc. to obtain statistical data about the use of our websites and apps, and Google Adsense and Google DoubleClick for managing and placing advertisements (together “Google Services”). Google Services allow your usage to be correlated across multiples devices, such as across your mobile phone and desktop computer. Click here to learn more about Google Analytics or prevent it from collecting information about your visit to our websites or visit http://myaccount.google.com to control your advertising experience across Google Services.

If you do not want cookies set, you can configure your internet browser to reject certain cookies. Doing so may prevent certain features of our websites from working as intended. To learn more about cookies and similar technologies, visit http://allaboutcookies.org. You can also opt-out of interest-based advertising via industry-operated websites by visiting http://www.networkadvertising.org/choices, http://www.aboutads.info/choices,  and http://www.youronlinechoices.com (for European residents).

Social Media Plug-ins

In addition to cookies, we have also implemented social media plug-ins from social networks including Facebook, Instagram, LinkedIn, YouTube, and Twitter so that you can share things from our websites with your online friends and connections. With every visit to our sites which include a plug-in, your browser will connect to the social network servers. If you are logged in to the social network services while you are visiting our websites, they may associate your browsing on our website with your respective user account.

For more information, see our Cookie Policy.

Transfers and Storage of Personal Information

Sycle is headquartered in Lone Tree, Colorado, but has key facilities and personnel in Canada and elsewhere in the United States. You acknowledge that your Personal Information may be transferred to, processed, and stored anywhere Sycle, the Cochlear Group, or their respective service providers operate except as may be restricted by law. Where we transfer or store your Personal Information in a foreign country, we will take reasonable steps to ensure that your Personal Information is protected at the same level as your applicable jurisdiction requires.

To the extent that Personal Information is collected from EEA or UK residents, we may transfer your Personal Information outside the EEA or the UK where the transfer is:

• to a country or territory deemed to provide an adequate level of protection by a relevant government authority (e.g. the European Commission or the UK government),
• pursuant to standard contractual clauses approved by a relevant government authority (e.g. the European Commission or the UK government), or
• in exceptional cases only, under a specific derogation recognized under applicable data protection law, including the GDPR.

You may contact us for additional information on data transfers outside of the UK or the EEA.

Retention of Personal Information

Unless otherwise agreed to in writing, or as required by law, Sycle will retain Personal Information in an identifiable form for as long as it is necessary to fulfill the purpose for which it was originally collected. When the retention period ends, we will either delete the information or anonymize it so that it is no longer associated with you. For more information, please see our Customer and Patient Retention Policy.

Security of Personal Information

Sycle has implemented reasonable security arrangements including appropriate administrative, technical and organizational measures to help protect Personal Information from misuse, loss, and unauthorized access or disclosure. Our security measures include appropriate access control, encryption (where appropriate), and regular security assessments. For more information see our Security Policy.

Individual Rights Regarding Personal Information

Certain jurisdictions provide individuals with certain rights to their Personal Information. These rights generally include the right to access, the right to portability, the right to correct, the right to delete, and the right to opt out of certain processing.

If you wish to make an individual rights request with us, please contact us via one of the methods listed in your applicable jurisdictional supplemental policy. To help protect your privacy and security, we will take reasonable steps to verify your identity before providing you with access to your details or before enabling you to correct, amend, or delete records. Certain jurisdictions allow individuals to make a request on behalf of someone else. In such cases we will take reasonable steps to verify the requestor’s identity and to verify their ability to make a request on your behalf before complying with any request.

You can always unsubscribe from promotional communications either via the unsubscribe links within the communications or by contacting us via one of the methods described at the end of this Privacy Policy.

If you are a patient and would like to make a request regarding to your Personal Information, please contact your clinic directly. If you are a customer, please contact your account administrator, contact Sycle Support at support@sycle.net, or see your jurisdiction-specific supplement to submit a request.

Third Party Privacy Policies

Please note that we are not responsible for the privacy practices of third parties. If you choose to engage with a third party, for example if you choose to click a link through our website, it is your responsibility to understand the privacy policy of that third party and we take not responsibility for any third party.

Minors

Our Service is designed to retain patient data, which may include patient data on minors 13 years of age or under. Aside from the clinical use of our Service, we do not knowingly or intentionally target children 13 years of age or younger, nor do we intentionally collect or maintain data about anyone under the age of 13.

How to Contact Sycle

Should you wish to contact Sycle or if you have any questions or concerns about this Privacy Policy or how we handle your Personal Information, please email privacy@sycle.net or write to us at:

Sycle
Attn: Privacy Officer
10350 Park Meadows Drive
Lone Tree, CO 80124
USA

If you are a patient and have questions related to the Personal Information Sycle handles on behalf of clinics or other hearing professionals, please direct your question to the specific clinic or professional.

 

Changes to this Privacy Policy

We may update this policy from time-to-time at our own discretion. When we make a change, we will post our updated privacy policy to our website with a new “last updated” date. We encourage you to review this policy regularly to be aware of any changes.

 

AUSTRALIA PRIVACY SUPPLEMENT

Last Updated: July 14, 2023

This supplement applies only to information collected, used and disclosed about individuals residing in Australia, and supplements the information contained in the Sycle Privacy Policy. It provides information required in accordance with the Australia Privacy Act.

Rights of Data Subjects under Australian Law

Under certain circumstances, you have rights under data protection laws in relation to your Personal Information. If you wish to exercise any of the rights set out below you may contact us in writing.

The Australia Privacy Act offers individuals the rights to:

• Access your Personal Information;
• Correct or update any of your Personal Information that is inaccurate;

In addition, where we rely on consent to process your Personal Information, you have the right to withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

In the ordinary course, you will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). If an exceptional circumstance applies, we will notify you and provide you with an opportunity to respond.

We respond to all legitimate requests within one month. Occasionally it may take us longer than a month to fully respond to your request, and in this case, we may extend the timeframe, but we will notify you and keep you updated if this is the case.

Should you wish to make an individual right request, you may email privacy@sycle.net, or write to us at:

Sycle
Attn: Privacy Officer
10350 Park Meadows Drive
Lone Tree, CO 80124
USA

 

CANADA PRIVACY SUPPLEMENT

Last Updated: July 14, 2023

This supplement applies only to information collected, used and disclosed about individuals residing in Canada, and supplements the information contained in the Sycle Privacy Policy. It provides information required in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector.

Rights of Data Subjects under Canadian Law

Under certain circumstances, you have rights under data protection laws in relation to your Personal Information. If you wish to exercise any of the rights set out below you may contact us in writing.

PIPEDA and the other Provincial laws referenced above offer individuals the rights to:

• Access your Personal Information;
• Correct or update any of your Personal Information that is inaccurate;

In addition, where we rely on consent to process your Personal Information, you have the right to withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

In the ordinary course, you will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). If an exceptional circumstance applies, we will notify you and provide you with an opportunity to respond.

We respond to all legitimate requests within one month. Occasionally it may take us longer than a month to fully respond to your request, and in this case, we may extend the timeframe, but we will notify you and keep you updated if this is the case.

Should you wish to make an individual right request, you may email privacy@sycle.net, or write to us at:

Sycle
Attn: Privacy Officer
10350 Park Meadows Drive
Lone Tree, CO 80124
USA

 

 

EUROPEAN UNION, ICELAND, LIECHTENSTEIN, NORWAY AND THE UNITED KINGDOM PRIVACY SUPPLEMENT

Last Updated: July 14, 2023

This supplement applies only to information collected, used, and disclosed about individuals residing in the European Union, Iceland, Liechtenstein, or Norway (the “EEA”) or the United Kingdom, and supplements the information contained in the Sycle Privacy Policy. It provides information required in accordance with Article 13 of the European Union General Data Protection Regulation 2016/679 (the “GDPR”) and the UK General Data Protection Regulation.

Sycle has designated the following representative who is responsible for overseeing questions in relation to this Policy:

Attn: Privacy Officer

6 Dashwood Lang Road, Bourne Business Park, Addlestone, KT15 2HJ, United Kingdom

+44 1932 26 3400

 

Lawful Bases for Processing

We collect Personal Information about you for a variety of purposes based on the specific legal grounds described in the table below:

 

Purpose for Collection	Lawful Basis
Delivering information, content, products, or services that you request or purchase	To perform a contract or fulfill our obligation to provide products or services to you Our legitimate interests
Providing marketing communications about our products and services, or those of third parties, that may be of interest to you	Your consent Our legitimate interests
Understanding how you use our products, services, and website in order to improve and further develop our products and services and the content, features, performance, and support available through our website	Our legitimate interests
Providing legal or service-related notices about our products, services, and website	To perform a contract with you Our legitimate interests To comply with a legal obligation
Detecting, preventing, and responding to fraud, intellectual property infringement, violations of our website Terms of Use, violations of law, or other misuse of the website	Our legitimate interests To comply with a legal obligation
Protecting our rights or the rights, property, and safety of others	Our legitimate interests To comply with a legal obligation
Complying with laws and regulations, judicial and administrative orders, or lawful requests from governmental authorities	To comply with a legal obligation
Fulfilling our contractual relationship with you, including carrying out our obligations and exercising our rights	To perform a contract with you Our legitimate interests To comply with a legal obligation

 

We process the Personal Information of visitors to our website, those who communicate with us, and those who use our Service who are located in the EEA or the UK for the purposes set out in the table above together with our legal basis. Where more than one purpose is listed, please contact us if you would like to know the specific legal basis which applies in connection with your specific enquiry. We have provided further information on the legal bases we generally rely on below:

• Contractual Necessity – We will process your Personal Information where necessary for us to meet our contractual commitments to you.
• Legitimate Interests – This means our general interest in conducting and managing our organization to enable us to provide you with the best products and give you the best service. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Information for our legitimate interests. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). Our specific legitimate interests include:
  • Administering our operations;
  • Providing high quality customer service;
  • Developing our products and services, and what we charge for them;
  • Defining types of customers for any new products or services;
  • Understanding how our website is being used;
  • Developing and growing our operations;
  • Ensuring cybersecurity;
  • To enhance protection against fraud, spam, harassment, intellectual property infringement, crime, and security risks; and
  • To meet our obligations and enforce our legal rights.
• Consent – In accordance with applicable law, we may seek your consent or explicit consent to process Personal Information collected on our website or otherwise provided by you. We may do so, for example, in relation to our marketing and promotional activities.
• Compliance with Laws and Regulations – We will process your Personal Information where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

 

Rights of Data Subjects under GDPR

Under certain circumstances, you have rights under data protection laws in relation to your Personal Information. If you wish to exercise any of the rights set out below, you may contact us verbally or in writing.

The GDPR offers individuals the rights to:

• Access your Personal Information;
• Correct or update any of your Personal Information that is inaccurate;
• Restrict or limit the ways in which we use your Personal Information;
• Object to the processing of your Personal Information;
• Request the deletion of your Personal Information; and
• Obtain a copy of your Personal Information in an easily accessible format.

In addition, where we rely on consent to process your Personal Information, you have the right to withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

In the ordinary course, you will not have to pay a fee to access your Personal Information (or to exercise any of the other rights).

We respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we may extend the timeframe by up to two further months but we will notify you and keep you updated if this is the case.

Should you wish to make an individual right request, you may email privacy@sycle.net, call +1-888-881-7925, or write to us at:

Sycle
Attn: Privacy Officer
10350 Park Meadows Drive, Lone Tree, CO 80124, USA

 

You may also contact our Data Privacy Officer by calling +44 1932 26 3400, or by writing to:

Attn: Privacy Officer

6 Dashwood Lang Road, Bourne Business Park, Addlestone, KT15 2HJ, United Kingdom

 

If you have any complaints regarding our privacy practices, you have the right to make a complaint with your national data protection authority. However, we would appreciate the opportunity to address any concern you have so please contact us in the first instance. Although we will strive to address any questions or concerns you may have, you also have the right to directly contact your local privacy or data protection regulator.

• A list of EU supervisory authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
• The relevant UK supervisory authority is the UK Information Commissioner’s Officer: https://ico.org.uk/

 

UNITED STATES – STATE LAW PRIVACY SUPPLEMENT

Last Updated: July 14, 2023

This supplement applies only to information collected, used, and disclosed about individuals residing in California, Colorado, Virginia, Utah, or Connecticut and supplements the information contained in the Sycle Privacy Policy. It provides information required under the California Consumer Privacy Act of 2018 and as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”) and any and all regulations arising therefrom.

This supplement describes our practices regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject requests. Some portions of this supplement apply only to consumers of particular states, and we have indicated where those portions are state-specific.

Definitions Specific to this Supplement

• “Consumer” means a natural person who resides in California, Colorado, Virginia, Utah and Connecticut and to whom we offer information, goods, or services. For purposes of this supplement, this term includes natural persons who reside in California and engage with us as part of business-to-business transactions.
• “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA. Personal Information also includes “Sensitive Personal Information,” as defined below.
• “Sensitive Personal Information” means Personal Information that reveals a Consumer’s: 1) Social security, driver’s license, state identification card, or passport number; 2) Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to the individual’s account; 3) Precise geolocation; 4) Racial or ethnic origin; 5) Religious beliefs; 5) Union membership; 6) Contents of email or text messages, unless we are the intended recipient; 7) Genetic data; 8) Biometric information used to uniquely identify the Consumer, and 9) Health, sex life, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.
• “Third Party” means a person or organization which is not a Consumer, Vendor, or an entity owned or controlled by us and as defined by the CCPA, CPA, VCDPA, UCPA, and CDPA.
• “Vendor” means a “service provider,” “contractor,” or “processor” which collects, stores, or otherwise handles data for us, as those terms are defined in the CCPA, CPA, VCDPA, UCPA, and CDPA.

Other terms used in this supplement may be defined under the CCPA, CPA, VCDPA, UCPA, or CDPA, and they shall have the meanings described in those statutes. If there are variations between such definitions in different laws, you will be covered by the definition that applies in your state. For example, if you are a Virginia consumer, terms defined in the VCDPA shall apply to you if they are used in this supplement.

Categories of Personal Information and Sensitive Personal Information We Collect & Process

We, and our Vendors, may have collected and processed the following categories of Personal Information about you in the preceding 12 months:

• Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
• Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
• Commercial information, such as transaction information and purchase history;
• Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements; for more information on these collection practices, please see our Cookie Policy.
• Geolocation data, such as device location;
• Audio, electronic, visual and similar information, such as call and video recordings;
• Professional or employment-related information, such as work history and prior employer;
• Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics.

We, and our Vendors, may have collected and processed the following categories of Sensitive Personal Information about you in the preceding 12 months:

• Information that reveals:
  1. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;

Categories of Personal Information and Sensitive Personal Information We Disclose to Vendors & Third Parties

We may disclose the following categories of Personal Information to Vendors and Third Parties:

• Identifiers, such as name, alias, online identifiers, account name;
• Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
• Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
• Commercial information, such as transaction information and purchase history;
• Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements; for more information on these disclosure practices, please see our Cookie Policy.
• Geolocation data, such as device location;
• Audio, electronic, visual and similar information, such as call and video recordings;

We may disclose the following categories of Sensitive Personal Information to Vendors and Third Parties:

• Information that reveals:
  1. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;

Disclosure for California Consumers: We have not sold or shared Personal Information about California consumers in the past twelve months. Relatedly, we do not have actual knowledge that we sell or share Personal Information of California consumers under 16 years of age. For purposes of the CPRA, a “sale” is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and a “share” is the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Disclosure for Colorado Consumers: We do not sell Personal Information to Third Parties or process personal Information for purposes of targeted advertising or Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, as the terms “sell,” “process,” “targeted advertising,” and “profiling” are defined in the CPA.

Disclosure for, Virginia, Utah and Connecticut Consumers: We do not sell or share Personal Information to Third Parties or process Personal Information for purposes of targeted advertising, as the terms “sell,” “share,” “process,” and “targeted advertising” are defined in the VCDPA, UCPA and CDPA.

Sources from Which We Collect Personal Information

We collect Personal Information directly from California, Colorado, Virginia, Utah and Connecticut consumers. We also collect Personal Information from our Vendors, customers, website, and social media platforms.

Purposes for Processing Personal Information

We, and our Vendors, collect, process, and disclose the Personal Information (excluding Sensitive Personal Information) described in this supplement to:

• To fulfill and respond to requests and inquiries and to contact you for administrative or other communications.
• To provide, maintain and improve our products and services, including to analyze website traffic, performance, and reliability; to improve the content, functionality, and usability of our websites and communications; to assess market interests and trends; to detect and protect against security threats.
• To support our marketing and promotional efforts, including to invite you to participate in surveys and provide feedback to us; to contact you with offers and other information we believe will be of interest to you; to provide you with a personalized experience when you use our websites; to create a profile from the interactions we have with you to help us understand what information you might be interested in receiving.
• As necessary or appropriate under applicable law, to meet legal and regulatory requirements, including to comply with legal process and to respond to requests from public and government authorities; to enforce our Terms of Use; to protect our operations; to protect our rights, privacy, safety or property, and/or those of our affiliates, you or others; to allow us to pursue available remedies or limit the damages that we may sustain; to protect against fraud, and suspicious or other illegal activities.

We may combine or aggregate any Personal Information we collect for any of the above purposes.  We may also anonymize your Personal Information in such a way that you may not be re-identified by us or any other organization. We may use such anonymized information for any lawful purpose.

Purposes for Processing Sensitive Personal Information

We, and our Vendors, collect and process the Sensitive Personal Information described in this supplement only for:

• Performing the services or providing the goods reasonably expected by an average Consumer who requests those goods or services;
• Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information;
• Resisting malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions;
• Ensuring the physical safety of natural persons;
• Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a Consumer’s current interaction with us, provided that we will not disclose the Consumer’s Personal Information to a Third Party and/or not build a profile about the Consumer or otherwise alter the Consumer’s experience outside the current interaction with the business;
• Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage,or providing similar services on our behalf;
• Verifying or maintaining the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us;
• Collecting or processing Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a consumer.

Categories of Entities to Whom We Disclose Personal Information

• Affiliated Companies & Vendors. We may disclose your Personal Information to our corporate affiliates and to Vendors for the purposes described in this supplement. Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, customer service, infrastructure provision, technology services, email delivery services, credit card processing, legal services, and other similar services. We grant our Vendors access to Personal Information only to the extent needed for them to perform their functions and require them to protect the confidentiality and security of such information.
• Third Parties. We may disclose your Personal Information to the following categories of Third Parties:
  • At Your Direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
  • Business Transfers or Assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
  • Legal and Regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

Retention of Data

We intend to retain each category of Personal Information described above only for as long as necessary to fulfill the purpose for which it was collected, or a related and compatible purpose consistent with the average consumer’s expectation, and to comply with applicable laws and regulations. We consider the following criteria when determining how long to retain Personal Information: why we collected the Personal Information; the nature of the Personal Information; the sensitivity of the Personal Information; our legal obligations related to the Personal Information, and risks associated with retaining the Personal Information.

Individual Data Rights Request

California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. As required by the CCPA, we provide detailed information below regarding the data subject rights available to California consumers. Consumers in Colorado, Virginia, Utah, and Connecticut have similar rights and can find more detail by referencing the CPA, VCDPA, UCPA, or CDPA, as applicable.

You have the right to submit requests related to the Personal Information we have collected about you. You may make such a request twice in a 12-month span. Please note, there are circumstances when we may not be able to comply with your request. For example, we may not be able to verify your request, or we may find that providing a full response conflicts with other legal obligations or regulatory requirements. We will notify you if this is the case.

Right to Receive Information on Privacy Practices. You have the right to receive the following information at or before the point of collection:

• The categories of Personal Information to be collected;
• The purposes for which the categories of Personal Information are collected or used;
• Whether or not that Personal Information is sold or shared with Third Parties or disclosed to Vendors;
• If the business collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
• The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

We have provided such information in this supplement, and you may request further information about our privacy practices by using the contact information provided below.

Right Know and Right to Access. You have the right to request certain information we have collected about you. You have the right to request:

• Specific pieces and categories of Personal Information we collected about you;
• The categories of sources from which Personal Information was collected;
• The purposes for which Personal Information was collected, shared, sold, or processed;
• The categories of Personal Information we shared, sold or disclosed; and
• The categories of Vendors or Third Parties with whom we shared, sold or disclosed Personal Information.

Right to Delete. You have the right to request that we delete certain Personal Information that we have collected.

Right to Correct. You have a right to request that we correct any inaccurate Personal Information we may retain about you.

Right to Non-discrimination. You have a right to exercise the above rights, and we will not discriminate against you for exercising these rights. Please note that a legitimate denial of a request to access, delete, or opt-out is not discriminatory, nor is charging a fee for excessive or repetitive requests.

Instructions to Exercise your Rights

If you would like to make any of the data requests listed above, please call us at 888-881-7925. If you use the telephone number, you will be guided through a process that will allow you to submit a verifiable request, and the level of verification will depend on the request being submitted. You may also submit a request by emailing us at privacy@sycle.net.

You may designate an authorized agent to exercise your rights under the CCPA on your behalf. Such individual must have power of attorney, or be an authorized agent registered with the relevant Secretary of State.

Verification Process

When you submit a request to exercise your data subject rights, we may ask you to provide information that will enable us to verify your identity.

If you designate an authorized agent to exercise your rights on your behalf, we may require that you or the authorized agent do the following:

• Verify your identity with us directly.
• Provide proof of your signed written permission for the authorized agent to submit a request on your behalf.

We may deny a request from an agent purportedly acting on your behalf if we request, and the agent does not submit, proof that he, she, or it has been authorized by you to act on your behalf.

Right to Appeal for California, Virginia, Colorado, and Connecticut Consumers.

You have the right to appeal our decisions about your data subject requests. If you choose to appeal, your request will move from Customer Experience team to our Legal Department for review.  If you would like to appeal a decision regarding your data request, please call 888-881-7925, or email privacy@sycle.net.  Please state that your request is an “Appeal,” and describe the date and nature of your original request.

Personal Information of Minors

Our online content is not intended for children or minors under the age of sixteen years. Accordingly, we do not knowingly store information from minors under the age of sixteen years, except as required by applicable law. If you believe that a child has submitted Personal Information to us, please contact us at privacy@sycle.net or 888-881-7925 and we will delete the information.

Other Disclosures

California “Shine the Light Request.” California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Information to other entities for their own direct marketing purposes. 

Updates to this Supplement

We reserve the right to amend this supplement at our discretion and at any time. When we make material changes to this supplement, we will notify you by posting an updated supplement on our website and listing the effective date of such updates.

Contacting Sycle

If you have any questions, comments, requests, or concerns related to this supplement or our information practices please contact us by email at privacy@sycle.net, by phone at 888-881-7925, or by mail at

Sycle
Attn: Privacy Officer
10350 Park Meadows Drive
Lone Tree, CO 80124
USA

Last Updated: July 14, 2023

Our website has security measures in place to help protect against the loss, misuse, and alteration of the data under our control. When our website is accessed using Microsoft Internet Explorer versions 5.0 or higher, Secure Socket Layer (SSL) technology protects information using server authentication to help ensure that data is safe, secure, and available only to you. Our website is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders. Finally, our website provides unique usernames and passwords that must be entered each time a customer logs on. These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of data.

Security Measures

Security measures include the following:

• Expert team of experienced, professional engineers and security specialists
• Around-the-clock protection of data and systems
• Continuous deployment of proven, up-to-date firewall protection, SSL encryption, and other security technologies
• Ongoing evaluation of emerging security developments and threats
• Complete redundancy throughout our entire website Online Infrastructure architecture

Physical Security

Our production equipment is collocated at an IBM Data Center that provides:

• 24-hour physical security
• Enforcement of fingerprint and body weight verification for all facility access
• Solid, steel-reinforced concrete building
• Redundant electrical generators and data center air conditioners v
• Emergency diesel generators
• Other backup equipment designed to keep servers continually up and running Data Encryption: our website leverages the strongest encryption products to protect customer data and communications, including 128-bit SSL certification and 2048-bit RSA public keys.

User Authentication

Users access our website only with a valid username and password combination, which is encrypted via SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.

Application Security: Our comprehensive application security model prevents customers from accessing another customer’s data. This security model is reapplied with every request and enforced for the entire duration of a user session.

Internal Systems Security: Inside of the perimeter firewalls, systems are safeguarded by network high-performance web proxies, access control lists, non-routable IP addressing schemes, and more. Exact details of these features are proprietary.

Database Security: Sycle database servers are not exposed to the internet. All Sycle database servers reside on a separate private network that can only be accessed by the Sycle application. All Sycle administration is through individual, monitored administration logins.

Server Management Security: All data entered into our application by a customer is owned by that customer. Sycle employees do not have direct access to production equipment, except where necessary for system management and administration, monitoring, backups and customer support at the behest of the customer.

Business Continuity and Disaster Recovery: All networking components, SSL accelerators, load balancers, web servers, and application servers are configured in a redundant configuration. All customer data is stored on multiple database servers with full business continuity fail-over. Data is backed up nightly and stored to a secure offsite facility. In the event of catastrophic failure, data can be restored within a maximum of 24 hours.

HIPAA (Health Insurance Portability and Accountability Act of 1996) is a regulation designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during, and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, disaster recovery plans, and information access control and encryption.

The HIPAA regulation has three main components that apply to “covered entities” (a covered entity is any provider of healthcare services that charges the government or insurance for their services):
Standard Transaction Code Sets
Patient Information Privacy
Patient Information Security (both electronic and physical records)

To learn more about HIPAA, please visit:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.htmlhttp://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act