
Privacy Notice

Effective Date: March 18, 2024

Summary

Sapio Sciences, LLC (Sapio) is committed to protecting the privacy of the personal data it holds. In this Privacy Notice, we explain how Sapio collects, uses, stores, shares, and protects your personal data. Sapio adheres to applicable data protection laws and regulations including, but not limited to, the European Union General Data Protection Regulation (GDPR), UK-GDPR, and the California Consumer Privacy Act (CCPA). This Privacy Notice describes our general practices, but where local laws and regulations require that we process your personal data differently, we will comply with those as applicable.

Types of Personal Data Collected

Sapio collects different types of personal data depending on how you interact with us.  

  • Customer Data: Sapio’s software is intended to collect the data necessary to accomplish a customer’s LIMS and ELN goals. Users’ personal data may be collected including name, title, email, and Protected Health Information (PHI) in some clinical instances.  In this role, Sapio Sciences is a processor of customer data and the customer is the controller.  

We process customer data in accordance with customer’s instructions, including any applicable terms in a customer’s agreement with customer and customer’s use of Sapio’s functionality, and as required by applicable law.  This data may be used to perform customer-specific requirements of the software such as calculations, process tracking, sample, storage, and reagent inventory, etc., to follow the instructions of the customer who submitted the data, or in response to contractual requirements with our customers. This data is encrypted when Sapio provides the hosting. This data is in the control of the customer when they install Sapio on premises within their own administrator-controlled environments.

  • Job Applicants: Sapio collects personal data from job applicants to evaluate potential candidates for employment.  To do so, we may collect contact information, educational information, and professional experience and qualification details.  Sapio is the controller of this data for this purpose and our legal bases are consent, processing prior to entering into a contract, and our legitimate interest in evaluating potential candidates for hire. 
  • Website Visitors: Our website uses cookies which may capture personal data, such as your IP address. These cookies are used to make the user’s web browsing experience on our website better by providing sessions across multiple web pages or for use in various multimedia on it. Sapio is the controller of this data for data protection purposes, and our legal basis for collection is our legitimate interest in running our sites efficiently and improving our websites and services.

Personal Data Usage and Sharing

Sapio Sciences uses a limited number of third-party providers to assist in providing consulting and hosting services. These third-party providers may be contractually requested by the customer or Sapio for consulting or IT services, or on behalf of Sapio to fulfill business requirements. We accept certain liability for data that is transferred to third parties on our behalf provided that data was not accessed improperly. The third parties are as follows:

Sapio will not disclose/share personal information outside of these third-party providers. These providers and Sapio may be located in countries that are different from your own.  Data protection laws in these countries may differ from your country of residence.  Sapio takes appropriate steps to ensure personal data is processed and transferred according to applicable laws.  When necessary, we ensure appropriate safeguards are in place through the use of written agreements, such as Standard Contractual Clauses, or participation in the EU-U.S. Data Privacy Framework (with the UK extension) and the Swiss-U.S. Data Privacy Framework.  

Individuals may request that their personal information not be shared with these entities by contacting the customer who owns the Sapio software that houses their data. Alternatively, individuals may also email support@sapiosciences.com to make this request and Sapio will work with the customer to ensure steps to prevent their personal data from being accessed in accordance with the individual’s request.

Sapio will never sell your personal data.

Data Subject Rights

You have certain rights with respect to your personal data, although some exceptions may apply depending on our basis for processing your personal data and the laws in your jurisdiction.  Depending on these, you may have the right to:

  • Access or request a copy of the personal information we hold about you;
  • Ask us to correct information you think is inaccurate or incomplete;
  • Ask us to delete your personal data;
  • Ask us to restrict the processing of your personal data;
  • Object to the processing of your personal data;
  • Ask us to transfer your personal data;
  • Withdraw your consent to process your personal data if you have provided it;
  • Complain to your local data protection authority, although we ask that you contact us first.

With regard to customer data, Sapio has a limited ability to identify and access an individual user’s personal data that a customer has submitted through Sapio software. If you wish to request access, limit use, or limit disclosure, we will first refer your request to the customer who submitted your personal data, since they administer access control to their own data, and we will support them as needed.

To exercise any of these rights, please email us at dsar@sapiosciences.com.  If limitations apply, we will look at each circumstance and provide you with the reason if we cannot comply with your request.  As required by law, we may take steps to verify your identity prior to taking any actions with regard to your personal data.

Data Retention

Sapio will maintain your personal data only as long as is reasonably deemed required for legal, contractual, or business purposes.  During these periods, we apply appropriate technical and organizational measures to ensure that the privacy of your personal data is maintained.

Data Privacy Framework

Sapio follows the EU-U.S. Data Privacy Framework (with the UK extension) and the Swiss-U.S. Data Privacy Framework, which are established by the U.S. Department of Commerce to regulate the collection, use, and storage of personal information that is transferred from the European Union (EU), United Kingdom (UK), and Switzerland to the United States, respectively. Sapio has certified to the Department of Commerce that it respects the Data Privacy Framework Principles. If this Privacy Notice and the Data Privacy Framework Principles have any discrepancies, the Data Privacy Framework Principles will prevail. 

Individuals can learn more about the Data Privacy Framework program, individual rights, and our participation in the program by visiting: https://www.dataprivacyframework.gov/s/.

Sapio acknowledges that it is subject to the jurisdiction of the U.S. Federal Trade Commission for compliance and enforcement of the Data Privacy Framework applicable to the EEA, UK, and Switzerland.

Sapio may disclose personal information to contracted third parties who act as a Data Controller or other Processors on behalf of those Data Controllers. Sapio shall have a contract with third-party Data Controllers before disclosing personal information that requires that personal information may only be processed for a specific and limited purpose in line with the consent given by the individual, that third-party Data Controllers offer the same level of protection and inform Sapio if they can no longer comply with this obligation.

Under the Data Privacy Framework Principles, individuals have the right to opt out of (i) disclosures of their personal information to third parties; or (ii) uses of their personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. Sapio may share personal information with contracted third parties who act as an Agent and provide services to Sapio in furtherance of data processing. Sapio shall enter into a contract with third-party Agents prior to sharing personal information to obtain assurances that the Agent will safeguard personal information consistent with this Privacy Notice and Sapio’s obligations under the principles.

Sapio shall remain liable under the Data Privacy Framework Principles if its Agent processes such personal information in a manner inconsistent with the Principles, unless Sapio proves that it is not responsible for the event giving rise to the damage.

Recourse, Enforcement and Liability

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sapio Sciences commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

If you have a privacy or data use concern, we ask that you contact us first at privacy@sapio.com.  However, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, then you have the right to use your country’s data protection authority for dispute resolutions (free of charge).  To find your country’s data protection authority, visit https://edpb.europa.eu/about-edpb/about-edpb/members_en if you are located in the EEA, https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html if you are located in Switzerland, or ico.org.uk if you are located in the UK. 

This independent dispute resolution process is provided at no cost to the individual. 

Under certain conditions, an individual may choose to invoke binding arbitration to resolve any unresolved complaints not resolved by Sapio, but prior to initiating such arbitration, a resident of an EEA country, UK or Switzerland must first (1) contact Sapio and afford us the opportunity to resolve the issue; and (2) seek assistance from the US Department of Commerce directly or through their local data protection authority, and provide the Department time to attempt to resolve the issue. If an EU or Swiss resident invokes binding arbitration, each party shall be responsible for its own attorneys’ fees. Please be aware that the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief as necessary to remedy any violation of the privacy policy with respect to the resident. If an individual formally invokes binding arbitration, Sapio will follow the terms set forth in Annex 1 of the Data Privacy Framework. For more information on binding arbitration visit: https://www.dataprivacyframework.gov/s/.

Questions or Complaints

If you have any questions about how we protect your personal data or comply with data protection laws of your country or state of residence, you can contact us at support@sapiosciences.com or at our mailing address:

Sapio Sciences LLC
400 East Pratt St, Suite 800
Baltimore, MD 21202
United States

We will work with you to resolve your issue.

Requirement to Disclose

We may disclose personal data when we have a good faith belief that such action is necessary to: conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements; or to enforce our contractual obligations.

Changes to this Privacy Policy

Sapio reserves the right to change this Privacy Notice from time to time.  Sapio will maintain its current policy on this website so please check here to see the latest updates, which will be noted by the Effective Date.  Your continued use of the Sapio Sciences website, Sapio, and any other services offered by Sapio Sciences, LLC after such modifications will constitute your: (a) acknowledgment of the modified Privacy Notice; and (b) agreement to abide and be bound by that Notice.