RiverStar provides whole person health applications, community information exchange platforms and customer service solutions to companies and communities that need them. This includes development software used to develop applications to facilitate customer service, professional services (PS) work to develop custom web applications using our tools, and hosting of web applications developed by our customers or PS team on behalf of our customers. These web applications in turn sometimes collect personal information of our customer’s customers. All such data collected and the use to which such data are put, are controlled by our customers.
RiverStar as a hosting provider
Whole Person health and Community Information Exchange Products
From a product perspective, our products are designed to be configured and controlled by our clients as far as who has access to the applications and any data captured by those applications. In this case, we follow directives from our customer regarding privacy issues. We actively work with our customers to ensure that the applications are configured to adhere to our clients’ privacy management requirements. RiverStar does not control who accesses the applications or data, nor any sharing of the data. RiverStar does not access the data except to support the requests of our clients and generate requested reports of aggregated data for their use.
Custom Solutions developed by our Professional Services team
In a PS context, we may be (partially or fully) developing the web application specified by our customers. In this case, we follow directives from our customer regarding privacy issues. We actively work with our customer to ensure that the U.S.¬EU Privacy Shield Principles are followed in their environment if either:
- The customer is based in the EU
- The customer has specifically asked us to (if, for example, they also subscribe to the U.S.-EU Privacy Shield Privacy Principles)
U.S./EU Privacy Shield Principles
RiverStar is subject to the regulatory and enforcement authority of the United States Federal Trade Commission (FTC).
Below we describe the Privacy Shield Principles that the RiverStar PS team uses when helping a customer comply with EU privacy regulations:
RiverStar does not control what information is collected by our customers or the purposes of such data collection. RiverStar does not own the data hosted for our customers nor does RiverStar have the authority to provide access to such data to anyone except under direct legal order. RiverStar simply provides the tools used to build the applications and the applications used by our customers and the hosting for such applications and data. If contacted, RiverStar will provide information about how individuals can contact our customers with any inquiries or complaints and the types of third parties to which a customer discloses the information. RiverStar will work with our customers to notify individuals about the purposes for which they collect and use information about them.
RiverStar will work with our customers to ensure they understand the need to give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, RiverStar will work with our customers to ensure they understand the need to provide affirmative or explicit (opt in) choice, if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties)
RiverStar will only provide onward transfer to third parties as directly requested and controlled by our customer. We will work with our customer to ensure that they understand the need for notice and choice principles to be followed. We will also remind our customer of onward transfer requirements, if we are a part of selecting third parties. RiverStar has no control over the transfer of personal data to third parties. Onward transfer is controlled by our customers. If RiverStar were to have control over the transfer of personal data to third parties, RiverStar would potentially be liable. Note that RiverStar may be required to release personal data in response to legal requests by public authorities including to meet national security or law enforcement requirements.
RiverStar will help our customers satisfy access requirements under EU-US privacy principles. Individuals have the right to access personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. RiverStar has no ability to grant access or change/ delete any information held on behalf of our customers. Our customers have all such control. In the normal course of business, RiverStar does not access any of the data held on behalf of our customers.
RiverStar will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
RiverStar will help our customers satisfy Data Integrity requirements under the U.S.¬EU Privacy Principles. Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. Again, RiverStar does not have any control over what data are collected or what use our customers make of such data.
Questions, comments or complaints regarding RiverStar’s Privacy Shield Policy can be mailed or emailed to:
Attn: Security Officer
20 Danada Square West
Wheaton, IL 60189
Privacy Complaints by European Union Citizens:
Attn: Security Officer
20 Danada Square West
Wheaton, IL 60189
RiverStar has further committed to refer unresolved privacy complaints under the U.S.¬EU Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by RiverStar, please visit the BBB EU PRIVACY SHIELD web site at https://www.bbb.org/EU-privacy-shield/file-a-complaint/ for more information or to file a complaint.
Finally, as a last resort and under limited circumstances EU individuals with unresolved privacy complaints may invoke binding arbitration before a Privacy Shield Panel.