HealthBoxed privacy policy.

1. Introduction

1.1 This policy sets out the policies and procedures of Anderson Health Services LLC DBA HealthBoxed (the "company") with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal identifying information data.

1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period to fulfill its services. On the other hand, it is a fundamental principle of data protection law that personal data should only be retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognises the importance of formulating clear and specific policies in relation to data retention.

2. Definitions

2.1 In this policy:

(a) "appointed person" means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;

(b) "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

(c) "data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(d) "data subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(e) "deletion" means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and

(f) "personal data" means any information relating to a data subject.

3. Data retention, archiving and deletion

3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (the next section: data retention periods).

3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form only for:

(a) the fulfillment of any legal or contractual obligations of the company; and/or

(b) the establishment, exercise or defence of any legal claims.

3.3 The company must not delete data to the extent that:

(a) the company has a legal obligation to retain the data;

(b) the company has a contractual obligation to retain the data (providing that such contractual obligation is not overridden by any legal obligation to delete the data); and/or

(c) the retention of the data is reasonably required for the establishment, exercise or defence of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).

4. Default archiving and deletion methods

4.1 Data must be archived by the company’s specific methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).

4.2 Data must be deleted by the company’s specific methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).

5. Reviewing and updating this policy

5.1 The appointed person shall be responsible for reviewing and updating this policy.

5.2 This policy must be reviewed and, if appropriate, updated annually, on or around the 1st of January of each calendar year.

5.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:

(a) the compliance of the company with applicable law, codes of conduct or industry best practice;

(b) the security of data stored and processed by the company; or

(c) the protection of the reputation of the company.

5.4 The following matters must be considered as part of each review of this policy:

(a) changes to the legal and regulatory environment;

(b) changes to any codes of conduct to which the company subscribes;

(c) developments in industry best practice;

(d) any new data collected by the company;

(e) any new data processing activities undertaken by the company; and

(f) any security incidents affecting the company.

SCHEDULE 1 (DATA RETENTION PERIODS)

1. Introduction

1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.

2. Customer data: retention, archiving and deletion

2.1 In this policy, "customer data" means all customer relationship management records relating to the customers of the company, including the customer’s employees’ identity details and contact details, such as shipping addresses and names.

2.2 Customer data is stored by the company in the following databases: for each geographical data centre where HealthBoxed data is stored, customer data will be stored in software-protected, SQL-based database management systems configured in a high-availability pattern.

2.3 Customer data must be archived to this safe database daily.

2.4 Customer data must be deleted:

(a) within 48 hours of a Data Deletion Request from the customer

(i) the Data Deletion Request may be made by email at the following address: contact@healthboxed.com

2.5 Customer data will be deleted by deleting the backups from the storage medium.

2.6 The customer has full legal right to request deletion of the data and information they provided to the company at any time.