Data Privacy Policy
1. Overview
This Data Privacy Policy (“Policy”) sets forth the principles that govern our treatment of personal data and relates to customers, products and services connected with UK AH Animal Health (PVT) Ltd t/a Covetrus. All employees and those with whom we share personal data must adhere to this Policy.
Covetrus is committed to protecting the information that our customers, prospects, suppliers, vendors, employees or others have entrusted to us. We collect and use personal data in order to perform our business functions and provide quality veterinary technology products and services to our customers.
Consistent with our values, we treat any personal data that we obtain in accordance with the data privacy principles of transparency (including the right to information), purpose limitation, data minimisation, data quality, integrity and confidentiality, accountability, and privacy by design.
This Policy applies to all personal data in any format or medium, relating, inter alia, to all customers, vendors and others who do business with Covetrus.
2. Types of personal data we collect and use
In accordance with Regulation (EU) 2016/679 of 27 April 2016 (“GDPR“), we recognise personal data as any information related to an identified or identifiable individual. Depending on the context of your interactions with Covetrus, we collect and use different types of personal data from employees, contractors, candidates, customers, prospect customers and vendors. .
Types of personal data we collect from: · Employees, contractors and candidates: including contact and login information, employment details and history, benefits, compensation, performance, video images from security cameras, use of company resources for employees, contractors, and applicants all in connection with their role or potential role within Covetrus. Applicants can manage their opt in/out preferences here.
· Customers: including name, tax and financial information, contact information for key personnel, language, signature, communications and login information, segmentation and marketing attributes. .
· Prospect customers: including name and contact information. .
· Customers of our customers: we access and or process on your behalf personal data from customers (Pet Parents) held within your practice management system, which may include sensitive information, only when it is necessary to provide the services. In this context, we act on behalf of our customer, the practice owner, veterinarian hospital or laboratory. .
· Employees of our customers: we access and or process on your behalf personal data from practice owner’s employees through the provision of analytics that refer to individual performance. These analytics are presented through reports held in your practice management system or through optional analytic services such as Thrive .
· Vendors and suppliers: including name, tax and financial information, contact information for key personnel, language, communications and segmentation. .
· Visitors of an office building: including name, vehicle registration, contact information and video images from security cameras in some of our office buildings. .
Website, Customer Portal and social media users: In addition to the information visitors volunteer, we automatically collect the domain name, Internet Protocol (IP) address, browser type and version, operating system and platform, average time spent on our website, pages viewed, information searched for, access times and other relevant statistics. Our website also uses cookies, including Google Analytics. You can find our Cookies Policy [online] here. Further details on Google Analytics Policy here Google Analytics Policy
3. Our Cookies policy
Use of cookies and other information gathering technologies In addition to the personal data you volunteer, our web server automatically collects such information as the domain name of the web site providing you with internet access, the Internet protocol (IP) address used to connect your computer to the Internet, your browser type and version, operating system and platform, the average time spent on our web site, pages viewed, information searched for, access times and other relevant statistics. Covetrus uses this information in order to ensure that unauthorised users do not access the information on its web site, and in the aggregate to measure the use of its web site and to administer and improve it.
What type of cookies do we use? When you use our web site, the following categories of cookies may be set on your device: First-party cookies These cookies are set by Covetrus. For the most part, they are strictly necessary to enable you to move around the web site and use its features.
Third-party cookies In addition to our use of these applications, certain third parties and affiliates may set and access cookies on your computer in conjunction with web beacons.
Google Analytics Covetrus uses cookies from Google Analytics to track traffic on the web site with the purpose of improving the web site. The Google Analytics Cookie includes a retargeting cookie. With retargeting, Google stores a cookie on your computer/device. Click here to opt-out of Google Analytics.
Google AdWords The Google AdWords cookie is used to track conversions from ads in the Google search and on the Google Display network, as well as retargeting. The retargeting is anonymous targeting of ads across the Google display network. Click here to opt-out of Google AdWords.
How to manage cookies We will only set cookies on your device if you have provided consent. At no time can a cookie read any information from your hard drive. For further information please visit: https://www.aboutcookies.org You can set your browser not to accept cookies and you can remove it from your browser at any time. The above website tells you how to do this. However in a few cases some of our web site’s features may not function properly as a result.
4. Our policy towards children
Our services are not directed to children. We do not knowingly collect personal data from children. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, please contact us. If we become aware that a child has registered for a service and has provided us with personal data, we will delete such information from our files.
5. Sources of personal data
Covetrus receives and uses various types of personal data in order to conduct our day to day business activities. We apply the data minimisation principle in the collection and use of personal data ensuring that we only collect information that is necessary and by fair means, and providing notice and requiring consent when necessary.
Some of this data is collected directly from you in the following situations when: · You apply for a position with our company
· We negotiate and/or establish a contractual relationship (e.g. on employment or commercial terms)
· You provide us with any type of service, as a provider or vendor
· When we provide you, the practice owner, with any type of service, product or support. For example, when processing marketing campaigns to Pet Parents through Thrive on your behalf.
· When you browse, or use our website, e-commerce services, or social media pages
Sometimes we also obtain data from third parties including subsidiaries and affiliates of Covetrus worldwide, in the following situations:
· We may conduct analytics to determine additional product and services which reasonably may be of interest to you
· We may conduct surveys to monitor our customer service
· We may share data between subsidiaries or affiliates for internal administrative purposes
· We may share data between subsidiaries or affiliates for centralising CRM systems
· We may purchase data from external companies for marketing purposes
You can unsubscribe from all marketing communications from Covetrus;
If you wish to amend your preferences to opt out of specific types of marketing you can do this by clicking the link in the footer of any marketing email you have received. You can also update your preferences by sending an email to: ukahenquiries@covetrus.com. Please note that it may take us a couple of working days to process your request (usually not more than 7).
6. Uses and purposes of personal data
The purposes for which we collect and use your personal data may vary depending on the type of relationship you have with us, such as if you are one of our employees, customers or a web site user. Covetrus always collect and use personal data according to the purpose limitation principle. The use of personal data for new purposes should always guarantee consistency and your privacy expectations, otherwise we will request your authorisation.
· Employees and candidates: if you apply for a job, we use your personal data to consider you for employment and to administer your application and/or account. If you have an employment or commercial relationship with Covetrus, we use your personal data to develop our contractual relationship, to conduct performance evaluations and to comply with legal obligations, including tax and labour regulations.
· Customers: we use our customers’ information to maintain our commercial relationship, to ensure the proper operation of the day-to-day business, to comply with tax and other regulations, and to administering sales, and marketing activities.
· Customers of our customers (Pet Parents): we may provide processing services when required for marketing through our Covetrus products
· Prospect customers: information from prospects customers is used to respond to their requests for information, products or services, and for marketing activities.
· Vendors and suppliers: if you have a business or professional relationship with Covetrus, we will use your information to develop our business relationship with you, and to comply with tax and other regulations.
· 3rd Party Suppliers: we integrate directly or indirectly with a number of solutions to provide you with enhanced functionality and services; in certain circumstances additional contractual terms & conditions will apply. For example, affiliates we integrate with such as Covetrus Global Software Solutions, through Pharmtrax or Thrive are governed via the Covetrus data processing agreement; integrations with other services fall under contractual agreements made directly with the customer (practice owner) and the service supplier.
· Visitors of an office building: our buildings and premises generally have physical and technical access controls and some have video surveillance systems for security purposes.
· Website and social media users: we collect personal data from visitors and users of our website and our social media pages including Facebook, LinkedIn, Twitter. We use the information to manage your account registration, to store your preferences and settings, to provide interest-based advertising, to conduct statistics and to analyse how you use our website and online services including Google Analytics (please refer to Our Cookies Policy).
· We also may use personal data of our employees, customers, prospects, vendors or suppliers for other purposes based on our legitimate interests, such as to conduct analytics of website usage, employee engagement, customer service, for product development, to create statistics about function utilization.
7. Legal basis for data collection and use
Covetrus only collects and uses personal data when there is a fair and legal basis for its collection and use, for instance, when the collection of personal data is necessary to enter into a contract, to meet our legitimate interests, to comply with legal obligations or when we have your authorisation.
The information we collect when we enter into a contract or business relationship with you, except if we indicate otherwise, is mandatory to develop our contractual relationship and to comply with legal obligations. For instance, some tax laws, labour, anti-fraud or compliance laws require organisations to collect certain information that may vary depending on the local regulations. Without the required mandatory information, we would not be able to work with you.
Marketing activities are usually based on your consent or to an existing business relationship with us. However, you can opt-out of these communications anytime with effect for the future and free of charge.
When we use your personal data for our legitimate interests, we always conduct a balancing test in order to ensure that data subject rights are not overridden.
Finally, when we have access to personal data on behalf of our customers, in our role as data processors, there is always a written contract regulating the service, including specific instructions for the data processing and safeguards.
8. Retention periods
Covetrus applies the storage limitation principle in order to retain personal data in our records only for the length of time required to fulfil the purpose for which the data was collected. We do not keep personal data for longer than is necessary, and what is necessary depends on specific circumstances such as regulations requiring retaining information for a certain period of time and limitation periods of legal claims.
The retention period depends on the context in which we process data, such as data from use of our website, or when fulfilling a contractual obligation, Pet Parent data as part of a database conversion from one practice management system to another or employee data after an employee has left the company. The retention periods are established considering Covetrus’ legitimate business purposes and according to legal requirements.
9. Disclosures to their parties and processing activities
You agree that we have the right to share your personal data with the third party recipients (e.g. contractors, service providers, and other vendors) referred to below for the purposes set out in Sec. 7 above (Uses and purposes of Personal Data). Also, it may be necessary for us to share your customers’ personal information and in certain circumstances, including sensitive data. Therefore, you will need to ensure that you have all necessary appropriate consents and notices in place as required by the applicable data protection law to enable the lawful transfer of personal data to us and third parties that we work with to provide our services, so that we and the third parties we work with may lawfully use and process such data.
We engage with third party recipients, for example, through our Connected Partner Program, including the following services: analytics, marketing, online scheduling, insurance claims, hardware maintenance support, payment facilities.
In certain circumstances, Covetrus may be required to disclose your and/or your customers’ personal information when required by law, i.e. in order to comply with any legal or regulatory obligation or request; when required to protect our legal rights; or in an emergency situation where the health or security of an individual is endangered. This can, for example, be the case, if: Covetrus or substantially all of its assets are acquired by a third party, and when personal data held by it will be “transferred assets”;
· in order to (i) enforce or apply our terms and conditions and other agreements or to investigate potential breaches; or (ii) protect the rights, property or safety of Covetrus, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
Where this is necessary, we shall enter or (as the case may be) will enter into a written agreement with the third–party recipient which is consistent with this Policy and satisfies the requirements of the applicable data protection law. There are other circumstances where we may be required by law to disclose personal data to third parties such as public bodies or judicial authorities.
The third party recipients of your personal data include:
· any member of Covetrus, which means our affiliates, subsidiaries, our ultimate holding company and its subsidiaries, as defined in Sec. 1159 UK Companies Act 2006. This is necessary for our legitimate interests for running our business, to study how customers use our products and services, to develop them, to grow our business and to inform our marketing strategy;
· selected third party recipients including:
| Recipient | Category of data | Purpose |
|---|---|---|
| Banking services | Name, address, email address, banking details | Processing of payments; performance of our contract with you. |
| Business partners, suppliers or sub-contractors | Business entity information | Performance of any contract we enter into with you or for the taking of steps at your request with a view to entering into a contract. |
| Credit reference agencies | Name, address, date of birth, business entity information | Assessing your credit score [which may be a condition of us entering into a contract with you], for fraud prevention and/or to pursue debtors which is necessary for our legitimate interests. |
| Analytics and search engine providers | Aggregate anonymised information about users of our services | Improvement and optimisation of our services which is necessary (i) for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise and study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) and (ii) to comply with a legal obligation. |
| Affiliated Partners[BS1] | Aggregated and non aggregated data on Pet Parents, Pet clinical data, practice financial and performance related data |
Facilitating additional services to you under contract via the vetlogic API or other data extract servicese.g. Thrive and Pharmtrax. |
| Legal counsel | Name, address, business entity | Supporting Covetrus investigations which is necessary for (i) any contract we enter into with you or for the taking of steps at your request with a view to entering into a contract, (ii) to comply with a legal obligation and (iii) our legitimate interests (for running our business, provision of administration and IT services). |
The third party recipients of your pet parents personal data include:
| Recipient | Category of data | Purpose |
|---|---|---|
| Veterinarian laboratories, Insurance Companies |
Name, Address, Pet details, clinical history |
Provision of certain additional services via our applications in the performance of our contract with you. |
| Software development companies | Demographic data, aggregate information on Pet Parents | Provision of certain additional services via our applications and/or facilitate vet consultations with Pet Parents or prospective Pet Parents in the performance of our contract with you. |
| Payment providers | Name, address, email address, payment card details | Processing online payments in the performance of our contract with you. |
| Business partners, suppliers or sub-contractors |
Demographic data, aggregate information on Pet Parents | Performance of any contract we enter into with you or for the taking of steps at your request with a view to entering into a contract |
| Legal counsel | Name, address | Supporting Covetrus investigations which is necessary for (i) any contract we enter into with you or for the taking of steps at your request with a view to entering into a contract, (ii) to comply with a legal obligation and (iii) our legitimate interests (for running our business, provision of administration and IT services). |
| Clinical research and analytics partners |
Aggregate anonymised information about conditions, diseases or alike |
Improvement and optimisation of our products and services which is necessary (i) for our legitimate interests (for studying how effective products and services are and how to develop them or to use it for statistically (aggregated) industry profiling[BS1] ) and (ii) to comply with a legal obligation. |
10. Security
Covetrus is committed to the security, confidentiality and integrity principle. We take appropriate precautions to keep all third party’s personal information secure against unauthorized access and use and we periodically review our security measures. We are committed to processing your data in a secure manner and have put in place specific technical and organisational measures to prevent the personal data we hold from being accidentally or deliberately compromised.
For example, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
On our web sites, we use SSL for its security certificates. Please be aware that these protection tools do not protect information that is not collected through our web site, such as information provided to us by e-mail. The SSL certificates we use are;
· Symantec Class 3 Secure Server CA – G4
· AlphaSSL CA – SHA256 – G2 – GlobalSign nv-sa
· COMODO RSA Extended Validation Secure Server CA
· Go Daddy Secure Certificate Authority
We also conduct information risk assessments, we ensure that our staff understands the importance of protecting personal data, and we are responsibly managing access rights within the company. We include both physical security and IT security in our overall data security approach. We are diligent in selecting vendors that process personal data on our behalf so that they also ensure appropriate technical and organizational measures to protect the data.
We have put in place procedures to deal with any suspected personal data breach and, where legally necessary, will notify you and any applicable regulator of a breach. We create and maintain a breach notification and reporting protocol.
We also endorse the concept of privacy by design which is an approach to projects that promotes privacy and data protection compliance from the outset. This means considering the privacy and security implications for any new project or process throughout its lifecycle.
11. Your data protection rights and choices
If you reside or otherwise find yourself in the territory of Europe, Covetrus is committed to facilitate the exercise of your rights granted by the European data protection law. Otherwise you can contact us at any time to discuss your privacy concerns. Contact Covetrus.
Privacy rights under the European regulation:
Transparency and the right to information: we provide notice to our employees, customers, suppliers, vendors and others of how we use personal data in our day-to-day operations at the time of collecting personal data, or as soon thereafter as possible. We also publish this privacy notice for a greater transparency..
Right to access, rectification, restriction of processing, and erasure: we provide data subjects with access to their own personal data where required by applicable law. In addition, we will rectify their personal data when it is incorrect and inaccurate, and we will ensure the right to erasure and to restriction of processing when these rights are not compatible with local regulations. .
Right to object and withdraw consent at any time: for all marketing materials, you can opt-out anytime, and free of charge. The right to object for other processing activities will be balanced in order to ensure that it is not incompatible with local regulations or the legitimate interests of Covetrus.
Right to opt out of marketing We use our own website to manage your communication preferences and you can opt-out anytime by following the opt-out instructions in our commercial e-mails, email your request to ukahenquiries@covetrus.com. Please note that it may take us a couple of working days to process your request (usually not more than 7).
The following opt in/out categories are available to you:
“Important Customer Information” refers to important information that we wish to disseminate to our customers, where we are not delivering a marketing message. An example of this would be holiday opening hours.
“Marketing” refers to communications regarding, but not limited to, our products, services, blog articles / content, offers, events, or industry education publications (Whitepapers).
“Newsletters” refers to periodic email communications collating together information usually previously circulated individually as another communication type regarding, but not limited to, our products, services, blog articles / content, offers, events, or industry education publications. For example a monthly newsletter pulling together links to recently published articles, events and webinars into one communication.
“Webinars” refers to emails inviting you to register for our webinar. These can include product specific best practice guidance, product release notes and educational topics.
Right to data portability: based on your specific situation, we provide data subjects with the right to obtain and reuse your data across different services and includes transferring of your data to you, another controller or a trusted third party.
Right to lodge a complaint: These requests should be submitted as follows:
· To exercise the rest of your rights: you should send a communication in writing, providing the following information in order to verify your identity; one form of photograph identity and one form of address identity, for example a photocopy of your in date passport and a utility bill within the last 3 months. Covetrus will attend to your request in a timely manner (usually within 30 days) after receiving your request. If for any reason we need to extend this period of time, we will contact you.
· Right to lodge a complaint with a supervisory authority: you can have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement.
Contact Covetrus
12. International transfer of personal data
The majority of personal data that we collect from you or your customers will be processed and stored at a destination inside the EU or in countries who are recognised by the European Commission as have equivalent data protection standards.
However, there may be cases where such personal data may be transferred, processed and stored at a destination outside the EU to/in countries where protection for personal data are not as strong as those in the EU, including to the USA. This may be necessary in order for you to use our products and/or services and/or to enable Covetrus to discharge its obligations under a contract.
It may be processed by Covetrus or third party employees operating outside the EU who work for us or for one of our business partners, suppliers or sub-contractors. These staff members may be engaged in the booking of appointments, the processing of your payment details or the provision of support services. For example, Covetrus has support teams operating across the globe to provide the ultimate service and functionality to your practice. There are times that colleagues located outside of the EU are engaged with assisting you in a support request or provision of another service. For instance, you may provide a screenshot to provide an ‘Example’ of an error or functionality you require help with and accidently include the Pet Parent identifying information, in this situation we would remove this personal data element and/or delete the image once the support ticket has been resolved.
By submitting personal data, you agree to this transfer, storing or processing and you shall ensure that you are entitled to transfer any of your customers’ etc. personal data to us and third parties that we or the third party may lawfully use, process and transfer the personal data in accordance with this Policy on your behalf. You shall also ensure that all your customers etc. have been informed of, and have given their consent to such use, processing and transfer as required by the applicable data protection legislation.
We will take all steps reasonably necessary to ensure that the data is treated securely and in accordance with this Policy and the applicable data protection legislation. So whenever we transfer personal data outside of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
· we will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
· where we use certain service providers or when we send data to Covetrus companies, we may use specific contracts approved by the European Commission (EU Standard Contractual Model Clauses) which give personal data the same protection it has in Europe; or
· where we use service providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the USA.
13. Changes to this notice
We reserve the right to modify this Policy and related business practices at any time. We will duly inform you of any changes.
Changes in this Policy will be notified to you via email linking to our website we will give you the opportunity to express your consent for processing your data for different and new purposes, or we will in any case inform you about the legal basis of such processing other than consent. The time stamp you see on the Policy will indicate the last date it was revised.
14. Contact information
At Covetrus we are committed to apply this Policy and the accountability principle. For this reason, if you have any concern or questions about how your personal data is used, please feel free to contact us.
Data Protection Officer
Covetrus
College Mains Road
Dumfries
DG2 0NU
Or calling Covetrus on: +44 (0)1387 262626
You can also contact our Data Protection Officer at: ukahenquiries@covetrus.com We will promptly respond and make everything possible to address your concern.