This Privacy Policy (“Policy”) outlines how LedgerDomain Inc. and the XATP Compliance Suite and XATP Mobile App (“Company”, “we”, “us”, “our”) collect, use, and disclose certain personal information obtained through (i) our website, available at https://ledgerdomain.com/ (“Site”) and (ii) your use of the services, applications, or platforms provided by us (“Services”). As used in this Policy, “personal data” means any information that relates to, describes, or could be used to identify an individual, either directly or indirectly.
LedgerDomain will not sell your personal data to third parties, or utilize it for marketing or other purposes directly unrelated to the use of LedgerDomain Software, or otherwise use or intentionally disclose the information to third parties other than in accordance with the below Privacy Policy without your prior written consent. The information you submit to LedgerDomain is considered private and personal. Your private information will not be sold, rented, leased, or intentionally disclosed in any manner to any person without your prior written consent, unless otherwise required by law, or except as may be necessary for the performance of LedgerDomain Software services.
The Site and the Services are intended for U.S. customers only.
1. Personal Data We Collect
1.1 User Account Information
When you use our Services, we may collect personal data such as your contact information (name, email, phone number, and mailing address), account related information (username, password, and IP address), and any other correspondence or information that you provide when you communicate with us.
1.2 Looking up Drug Information
When a user submits a report, LedgerDomain Software may provide publicly available information about the drug. LedgerDomain specifically disclaims any responsibility for the veracity of these public datasets and asks that users confirm this content for themselves.
1.3 Applying for a Verifiable Credential
To gain access to functionality intended only for ATPs as defined under the U.S. Drug Supply Chain Security Act of 2013 (in the case of XATP), or gain access to functionality intended only for clinical supply chain participants (in the case of KitChain), we may require you to provide us with certain personally identifiable information which we use to validate your identity. These include, but are not limited to:
- Name
- Email address
- Phone number
- Photo (including the user, and may include an acceptable form of ID)
- Name of organization
- Address of organization
- State or federal license number
The information that we request will be retained by us and used as described in this Privacy Policy and the Terms of Use.
1.4 Responding to a Request
Users who receive requests via the Services have the ability to securely respond to the request. The response (i.e. whether the information contained in the product identifier is verified or unverified) is retained in secure data storage, and a notification is sent to the requesting user. While LedgerDomain may be able to determine whether a manufacturer has been able to respond to a given verification request, LedgerDomain may not have the ability to determine whether a particular product identifier has been marked as verified or unverified.
LedgerDomain Software may use third-party services that may collect information used to identify you.
1.5 Cookies
When you visit one of our websites, the site asks your browser to store a small piece of information (text file) called a cookie on your device. A cookie remembers information about you, such as your preferences or login information. Some cookies are set by us and are called first-party cookies. We may also use third-party cookies, which are cookies from a domain that is different than the website you are visiting, and may share information with our processors or third-party partners.
We use cookies and other tracking technologies for the following purposes:
Strictly Necessary Cookies
These cookies are necessary for the website to function and may not be switched off. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but that will cause some parts of the site to not work.
- The route cookie is a third-party cookie that enables load balancing and distinguishes between different XATP instances. Its lifespan is 48 hours.
- The xap-tc cookie is a first-party cookie that allows for users to have a persistent session via an authorization token. Its lifespan is 24 hours.
- The xap-cc cookie is a first-party cookie that allows for logged-in users to retain the selected request category. Its lifespan is 24 hours.
- The xap-cpc cookie is a first-party cookie that is used to store the date and status of your cookie acceptance or rejection. Its lifespan is 1 year.
Third Party Website Cookies
When using our website, you may be directed to other websites for activities such as surveys, or to view content hosted on those sites such as embedded videos or news articles. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our website.
How To Control and Delete Cookies
You can customize your consent preferences for cookies and other tracking technologies in the LedgerDomain cookie consent solution. While strictly necessary cookies cannot be disabled, the cookie consent solution will record your choices for the use of performance, functional and marketing cookies that we use on our websites and will ask for consent again after one year. This helps you stay up to date with changes to our cookie and privacy policies, and the types of cookies and other tracking technologies we’re using on our site. You can access the LedgerDomain cookie consent solution at any time from the “Cookie Settings” link in the footer of the LedgerDomain website you’re visiting. The preferences you make on the LedgerDomain website will not apply to any other external websites that are linked from our websites.
1.6 Automatically Collected Information
When you visit our website or use the Services, we may also automatically collect information such as the date and time of your access, your IP address, information about the browser and operating system that you are using, the features you use, the actions you take, and type of computer or mobile device you use. Our Site and Services may also contain web beacons as well as store small text files (“Cookies”) on your device, and may use analytics products that use these Cookies to help us analyze and understand how users interact with and use our Services.
1.7 Payment Information
We use third-party payment processors to collect credit card or other financial information when you subscribe to our services. We do not store the credit card or payment information that you provide, and only receive confirmation that the payment was made.
2. How We Use Personal Data
2.1 Purpose of Use
We may use personal data for the following purposes:
- To provide our Service: We may use personal data to help provide, maintain, monitor the usage of, and improve upon our Service.
- To manage your account: We may use personal data to manage your user account, which can give you access to the functionalities available to you as a registered user.
- To perform a contract: We may use personal data to develop or comply with the purchase contract for the products, items, or services you have purchased, or with any other contract you have with us through the Service.
- To contact you: We may use personal data to contact you regarding updates or informative communications related to our Services, including security updates when necessary or reasonable for their implementation.
- To provide news and offers: We may send news, special offers, and general information regarding other goods, services, and events that we offer which are similar to those you have already purchased or inquired about, unless you have opted out of receiving such information.
- For business transfers: We may evaluate or administer a sale or possible sale of the whole of or part of our business, or the restructuring of our business, in which personal data held by us about our users is among the assets being transferred.
- Other purposes: We may use personal data for other purposes, such as data analytics, identifying usage trends, determining the effectiveness of our promotional campaigns, and to improve our Service.
2.2 Aggregated and Anonymized Information
We may aggregate and anonymize personal data so that it may no longer be used to identify you, and use this information to understand how our users interact with the Services, the effectiveness of our Services, improve upon or develop new features for the Services, or conduct research for these purposes. Such aggregated and de-identified information will not be linkable to you, and we will not attempt to re-identify such information unless required to do so by law.
3. Disclosures of Personal Data
3.1 Service Providers
We may disclose personal data to our service providers, third-party vendors, consultants, and other business partners who need to process personal data to provide services on our behalf, monitor and analyze the use of our services, contact you, and for the reasons stated in this Policy.
3.2 Sale or Restructuring
We may disclose or transfer personal data in connection with, or during negotiations of, any merger, sale of Business, Inc. assets, financing, acquisition of all or a portion of our business to another company, or the restructuring of our business.
3.3 Law Enforcement
Under certain circumstances, we may disclose personal data if required to do so by law or in response to valid requests by public authorities (such as a court or a government agency). To the extent we receive a request from law enforcement for your personal data, we will promptly notify you and provide you with a copy of the request, unless we are legally prohibited from doing so.
3.4 Other Data Sharing
We may disclose personal data to comply with a legal obligation, to protect and defend the rights or property of the company, prevent or investigate possible wrongdoing in connection with our Service, to protect the personal safety of users of the Service or of the public, and protect against legal liability. We may also disclose personal data for any other purpose with your consent.
3.5 Transfers
Your information, including personal data, is processed at our operating offices and in any other places where the parties involved in the processing are located. This means that information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. Your consent to this Privacy Policy, followed by your submission of such information, represents your agreement to that transfer.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other personal information.
4. Data Retention
We will retain your personal data only for the period necessary to fulfill the purposes outlined in this Policy, and will retain and use your personal data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
5. Data Security
The security of your personal data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
6. Children’s Privacy
We do not knowingly collect, retain, or use personal data from anyone under the age of 13. You must be at least 13 years of age to use our Services according to our Terms of Service. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 13, we will take reasonable steps to delete such information from our servers.
7. Changes to this Privacy Policy
We may update our Privacy Policy from time to time, and we will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our service prior to the change becoming effective, and update the “Last Updated” date at the top of this Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
8. Supplemental Terms and Conditions
8.1 Europe
If you are located in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”), our legal basis for collecting and using the personal data described in this Policy will depend on the personal data concerned and the specific context in which we collect it. However, we will normally collect personal data from you only where we have your consent to do so, where we need the personal data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal data from you.
We may share information internally or with third-parties, as described in this Policy. When we share personal data of individuals in the EEA, Switzerland, or UK with third-parties, we make use of a variety of legal mechanisms to safeguard the transfer, including the European Commission-approved standard contractual clauses, as well as additional safeguards where appropriate.
Additionally, you have the following data protection rights:
- You can request access, correction, updates, or deletion of your personal data.
- You can object to our processing of your personal data, ask us to restrict processing of your personal data, or request portability of your personal data.
- If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal data.
To exercise your rights, please contact privacy@ledgerdomain.com.
8.2 California
The following applies solely to residents of California or individuals whose information has been collected in California. We have adopted and included this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”). Any terms used in this section that are defined in the CCPA have the same meaning given therein.
8.2.1 Information We Collect
# | Category | Collected? | Disclosed? |
1 | Identifiers- name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers | Yes | Yes |
2 | Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e))- A name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Yes | Yes |
3 | Protected classification characteristics under California or federal law- Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | No | No |
4 | Commercial information- records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes | Yes |
5 | Biometric information- genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | No | No |
6 | Internet or other similar network activity- browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement | No | No |
7 | Geolocation data- physical location or movements | No | No |
8 | Sensory data- audio, electronic, visual, thermal, olfactory, or similar information | No | No |
9 | Professional or employment-related information- current or past employment history or performance evaluations | No | No |
10 | Education information under California Family Educational Rights and Privacy Act (20 U.S.C. §1232g, 34 C.F.R. Part 99)- information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. §1232g, 34 C.F.R. Part 99). Includes education records directly related to a student maintained by an educational institution or party acting on its behalf, like grades, transcripts, class lists and student schedules, identification codes, financial information, or disciplinary records. | No | No |
11 | Inferences- conclusions that could be used to create a profile reflecting an individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitude. | No | No |
8.2.2 No Sale of Information
We do not sell your personal information, as defined under the CCPA. If in the future we do sell your personal information, we will notify you and you may have the right to opt out of such sale.
8.2.3 Your Rights and Choices
The CCPA provides individuals residing in California or whose personal information was collected in California with specific rights regarding their personal information. The below describes your rights and how you may exercise them.
8.2.3.1 Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past twelve (12) months. Once we receive and confirm your verifiable information access request, we must disclose to you: (i) the categories of personal information we collected about you, (ii) the categories of sources for the personal information we collected about you, (iii) our business or commercial purpose for collecting or, if applicable, selling that personal information, (iv) the categories of third parties with whom we share that personal information, (v) the specific data points or pieces of personal information we collected about you. If we disclosed for a business purpose or sold your personal information, we must also provide separate lists that (a) identify the personal information categories that were sold to each category of recipient in connection with sales of your personal information, and (b) identify the personal information categories that were provided to each category of recipient in connection with business purposes disclosures of your personal information.
8.2.3.2 Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and/or retained. Unless subject to a certain limited exception, once we receive and confirm your verifiable data deletion request, we will delete (and direct our service providers to delete) your personal information from our records. We will notify you promptly if we determine we must deny your deletion request.
8.2.3.3 Do Not Sell Opt-out Rights
You have the right to opt-out of any sales, as defined by the CCPA, of personal information by us. However, we do not sell your information.
8.2.4 Exercising Your Rights
To exercise your access, data portability, deletion, or do not sell opt-out rights described above, you may submit a verifiable consumer request by emailing privacy@ledgerdomain.com.
You may only make a certifiable consumer request for access or data portability up to two times within a 12-month period. You may make a verifiable do not sell opt-out request at any time. Any such request must: (i) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information or an authorized representative thereof, and (ii) describe your request with sufficient detail such that we may understand, evaluate, and respond to it. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make verifiable consumer requests related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
8.2.4.1 Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you in writing of the extension period and the reason for it. We will deliver any required or requested responses or other communications in writing to you by email. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If applicable, the response we provide will also explain any reasons we cannot comply with a request. For data portability requests, we will provide your personal information in a format that is readily usable and transferable. We do not charge a fee to process or respond to your verifiable consumer request unless such requests become excessive, repetitive, or manifestly unfounded or as otherwise permitted by the CCPA. If we determine that a request warrants charging a fee, we will notify you and provide you with a cost estimate before completing your request.