Privacy Notice

General

MIMEDX, Inc. (“MIMEDX”) is a therapeutic biologics company based in Marietta, Georgia. MIMEDX collects and processes personal data while respecting your privacy, as part of our commitment to ethical, compliant, and responsible practices. We process personal data collected for conducting our day-to-day business, including advanced wound care research studies.

This Privacy Notice provides you information on what we gather and do with the data you provide when you interact with us in a business or clinical context.

This Privacy Notice has been written in compliance with global privacy regulations and applies to personal data collected by MIMEDX in the course of our business activities. This includes information from our business partners, suppliers, their personnel and other health care professionals, patients, donors, or researchers and data subjects that participate in clinical or product trials that we sponsor.

NOTICE TO CALIFORNIA RESIDENTS: Please see the Special Notice to California Consumers section for additional information and to learn more about your privacy options under the California Consumer Privacy Act.

Personal Data We Collect

Personal data in this Privacy Notice means all information that can directly or indirectly identify you or other individuals. We collect different types of personal data depending on your interactions with MIMEDX.

MIMEDX collects the following types of personal data:

Personal data from patients or donors: when you consent to participate in or receive advanced wound care research studies from MIMEDX or MIMEDX products, information collected includes but may not be limited to your full name, gender or biological sex, age/age range, height, weight, medical condition, medical records, and other health data.

Personal data from clinical or product trial subjects: when you consent to participate in a clinical or product trial with MIMEDX, information collected includes but may not be limited to your full name, gender or biological sex, age/age range, height, weight, medical condition, medical records, and other health data.

Personal data from health care professionals, researchers and personnel from Clinical Research Organizations and our vendors: we collect personal data from the different entities and professionals that work with MIMEDX donors or patients or participate in the clinical or product trials that we sponsor, including their contact details, signatures, and qualifications or resumes.

Personal data from job applicants: when you apply for a job posting with MIMEDX, information collected includes your contact details, resume, employment history and other information that you submit for our consideration.

Personal data from public sources: including from internet sites such as clinicaltrials.gov to ensure we conduct the proper due diligence on professionals, physicians, etc. for purposes of clinical trials.

Other personal data provided directly by you: we collect your contact details if you request information or submit questions to us via email at [email protected], as well as other personal data that you decide to share with us.

How We Use Your Personal Data

The purposes for which we collect and use your personal data vary depending on your relationship with us or how you interact with us, such as if you are a clinical trial or study participant or applying for an open job position.

We will use your personal data:

  1. For our everyday business purposes, including recruitment practices;
  2. To provide you with requested information or answer your inquiry;
  3. To operate the MIMEDX website and applications;
  4. For marketing and analytics purposes;
  5. To comply with legal, regulatory, or contractual requirements;
  6. To provide products, services, and to maintain customer relationships;
  7. To provide company informational materials and content, as well as other communications that may include invitations to events or webinars hosted or sponsored by MIMEDX;
  8. To facilitate treatment to MIMEDX donors and patients;
  9. To identify clinical or product trial subjects, study sites and investigators, and to conduct clinical trial and research activities;
  10. To train and support hospitals and health care professionals who have contracted with MIMEDX to use our medical devices or services;
  11. To ensure quality assurance of devices and adjudicate customer inquiries or complaints;
  12. To comply with laws and regulations, including court orders, or in the course of litigation or defense from legal claims;
  13. To protect the rights, property, or safety of MIMEDX, or any of our respective business partners, or other third parties in accordance with Data Privacy Laws;
  14. To cooperate with law enforcement authorities in investigating and prosecuting users who violate our rules or engage in behavior that is illegal or harmful to other users, including suspected fraud, or situations involving potential threats to the physical safety of any person; and
  15. For other uses or purposes that you specifically authorize based on your consent.

Disclosure of Personal Data

At times, MIMEDX engages third party contractors or service providers to help us accomplish our business objectives. There are other circumstances where we are required by law to disclose personal data to third parties such as public bodies or judicial authorities.

Disclosures to Third Parties Assisting in Our Operations. We engage with contractors and service providers for email solutions or cloud hosting services, as well as agents, legal contacts, regulatory bodies, auditing organizations, and other professional and business advisors. Such recipients may be located in the United States (US) or in other jurisdictions such as the European Economic Area (EEA). If the engagement involves the transmission of personal data, we require the service provider to sign a data processing agreement consistent with this notice before any data is disclosed. These companies do not have any independent right to share or use this information.

Disclosures Required by Law. We may provide information about you, to respond to subpoenas, court orders, search warrants, legal processes or governmental regulations or inquiries, or to establish or exercise our legal rights or defend against legal claims.

Disclosures to Government Authorities. We may provide information about you to government authorities like the Federal Drug Administration (FDA) to comply with federal requirements.

Business Transfers. We may share your personal data with another business entity or affiliate in connection with the sale, assignment, merger, or other transfer of all or a portion of MIMEDX’s business to such business entity.

Other Parties with Your Consent or at Your Direction. In addition to the disclosures described in this Privacy Notice, we may share information about you with third parties when you consent to or request such sharing.

Privacy Settings/Opt-out/Changes/Access

You may review and request changes to your personal data that MIMEDX has collected, including the removal of your personal data from MIMEDX’s databases where it can be verified or validated in order to prevent receipt of future communications, by contacting us at [email protected].

All business marketing messages from MIMEDX include a means for the recipient to opt-out through an unsubscribe link.

Transfers of Personal Data Outside of Your Local Jurisdiction

If you are located outside the United States and you provide us personal data, then your personal data may be transferred to the United States or to other jurisdictions. However, we provide appropriate safeguards to ensure the same level of protection of your personal data.

We may transfer your personal data to the United States (US) when you interact with us. If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), please note that the US has not obtained adequacy status from the European Union, and therefore, the level of protection of your personal data is not deemed equivalent to the protection provided to data in Europe. In the context of our studies or clinical trials, your personal data can be transferred to other jurisdictions with less stringent data privacy laws. However, we provide appropriate safeguards to ensure the same level of protection of your personal data, including the use of Standard Contractual Clauses (data transfer agreements), which can be provided to you on request.

Data Protection Rights

If you reside or otherwise find yourself in the territory of the European Economic Area (EEA), Switzerland or the United Kingdom (UK), we are committed to facilitating the exercise of your rights granted by the data protection laws of these territories.

For the purposes of European data protection law, when you provide personal data to MIMEDX directly or when MIMEDX is the sponsor of a clinical study, MIMEDX is considered the controller of your personal data. You can contact our Data Protection Officer at [email protected] or our EU Data Representative by sending an email to [email protected], quoting “MIMEDX, Inc.” in the subject line, or by contacting DataRep on the online webform at www.datarep.com/data-request with any inquiries you might have regarding the processing of your personal data.

MIMEDX assigns a legal basis for each data collection and use:

  • For our everyday business purposes, including our studies and clinical trials, legal communications, and responses to your requests: legitimate interest to conduct our day-to-day business, communicate with you or to respond to your inquiries.
  • Recruitment practices: legitimate interest of MIMEDX to process and review your resume submission or consent when you directly submit your job application and resume to MIMEDX.
  • Corporate or informational communications: legitimate interest of MIMEDX to send specific company material, or consent when you directly request this information.
  • Compliance with laws and regulations: compliance with legal obligation.
  • Protect the rights, property, and safety of MIMEDX or third parties: legitimate interest of MIMEDX or other third parties to protect their rights, property, or safety.
  • Uses that you specifically authorize us: consent.

MIMEDX recognizes your Data Privacy Rights:

Right to access, rectification, restriction of processing, erasure, and data portability. We provide you with access to your own personal data. In addition, we will rectify your personal data when it is incorrect or inaccurate, and we will ensure the right to erasure, portability, and to restriction of processing when these rights are not incompatible with other legal obligations or conflict with our legitimate interest to process.

Right to object. When MIMEDX distributes any promotional or marketing emails, we provide the option for individuals to opt-out anytime and free of charge via an unsubscribe link. The right to object for other processing activities will be balanced to ensure that it is not incompatible with local regulations or our legitimate interests.

Right to withdraw consent at any time. When we use your information based on your consent, you have the right to withdraw such consent at any time.

MIMEDX does not engage in automated decision making, including profiling.

Right to lodge a complaint with your supervisory authority. If you are not satisfied with our response or how we process your personal data, you can make a complaint to the data protection authority of your habitual residence.

Data Privacy Rights requests should be submitted as follows:

To exercise your rights, or for any further privacy-related question or concerns you may have, you can contact us by email at [email protected] or by phone at (888)-543-1917. We will attend to your request in a timely manner within 30 days after receiving your request. If for any reason we need to extend this period of time, we will contact you.

You also have the right to lodge a complaint with a supervisory authority: A list of the European authorities is available here, the contact of the Federal Data Protection and Information Commissioner of Switzerland is available here, and the contact of the Information Commissioner of the United Kingdom is available here.

Data Protection Officer and EU Data Representative

MIMEDX has appointed a Data Protection Officer and an EU Data Representative in the European territory.

For any inquiries with regard to this notice or about our handling of your information, you can contact our Data Protection Officer at [email protected], or contact our EU Data Representative by sending an email to [email protected], quoting “MIMEDX, Inc.” in the subject line, or by contacting DataRep on the online webform at www.datarep.com/data-request.

Cookies/Tracking Technologies

MIMEDX may use web beacons, pixel tags, cookies, and other tracking technologies on our applications, websites, email messages, and online advertisements to collect information about our consumers. Such tracking technologies benefit consumers as well as MIMEDX by allowing for account maintenance, request form auto-population, location assistance, etc. MIMEDX uses information gathered from cookies to autofill location fields based on your IP address. We also may place pixel tags and web beacons in our emails to assess the effectiveness of email outreach and to identify individuals who open or interact with an email message, when the email is opened, and how many times the email is forwarded.

We utilize cookies, pixel tags, web beacons, and other technologies on our websites to measure site activity, provide a better interface experience, and tailor our marketing communications. MIMEDX may at times allow third party advertising or personalization companies to use this information to develop more specific content based on that information.

Children’s Privacy Protection

You should be at least 18 years old to contact MIMEDX or provide us with any information.

MIMEDX does not knowingly collect personal data directly from minors. Any information we collect from minors is always with the consent of a parent or guardian. If you are under 18 years old, do not provide any information by contacting MIMEDX directly.

Retention Periods

MIMEDX retains personal data for the length of time required to fulfill the purpose for which the data was collected.

According to our retention policy, we only keep personal data in our records as long as they are necessary for the purposes they have been processed. After the retention period expires, the personal data is deleted. The retention periods are established considering the purposes defined in this Privacy Notice, all relevant legal requirements, and the context in which we process your personal data.

Security

MIMEDX understands that storing our data in a secure manner is essential. We take reasonable precautions to keep all information secure against unauthorized access and use.

MIMEDX stores personal data by using reasonable physical, technical, and administrative safeguards to secure data against foreseeable risks, such as unauthorized use, access, disclosure, destruction, or modification.

In addition, our information security team has developed policies, standards, and procedures to support and enforce preventive and detective operational controls to ensure the confidentiality, integrity, and availability of all data collected and managed by MIMEDX.

Special Notice to California Consumers

This section covers the collection, use, disclosure, and sale of California Consumers’ “Personal Information” (“PI”) as defined by the CCPA, except to the extent such PI is exempt from the notice obligations of the CCPA.  This Notice section covers rights California Consumers (“Consumers” “you” “your”) have under the CCPA, as well as the notices required by other California laws. Consistent with the CCPA, job applicants, current and former employees and contractors, and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered Consumers for purposes of this Notice or the rights described herein. This Notice section will be updated annually as required by the CCPA.

Personal Information Collection, Sources, and Purposes

We may collect PI that identifies or is reasonably capable of being associated with you or your device. PI does not include publicly available information from government records, or deidentified or aggregated Consumer information. Below is the list of categories of PI that we may collect within the last twelve (12) months:

Internet or Other Network Activity
  • Examples of PI: This may include but is not limited to: browser information, online identifier, Internet Protocol address, and information about a consumer’s interaction with a website, applications, or advertisement.
  • Sources of PI: Directly from you, the individual or consumer; Directly from your device.
  • Business or commercial purposes for PI collection: Analytics; Marketing; Operating the MIMEDX website.

Geolocation
  • Examples of PI: This may include but is not limited to: digital geolocation data.
  • Sources of PI: Directly from you, the individual or consumer; Directly from your device.
  • Business or commercial purposes for PI collection: Analytics; Marketing; Operating the MIMEDX website.

Non-Public Education Information
  • Examples of PI: This may include but is not limited to: academic history, degrees, languages, and any education information included on a resume or CV.
  • Sources of PI: Directly from you, the individual or consumer.
  • Business or commercial purposes for PI collection: Conducting clinical trials; Delivering medical treatment to donors and patients; Quality assurance; Recruiting.

Personal Identifiers
  • Examples of PI: This may include but is not limited to: alias, postal address, unique personal identifier, email address, telephone number, account name, Social Security Number, driver’s license number, passport number, physical characteristics or description, or other similar identifiers.
  • Sources of PI: Directly from you, the individual or consumer; From clinical trial sites or third-party tissue banks.
  • Business or commercial purposes for PI collection: Conducting clinical trials; Delivering medical treatment to donors and patients; Meeting legal and regulatory compliance requirements; Public health and safety; Quality assurance; Research and development; Security and fraud prevention.

Personal Information Records
  • Examples of PI: This may include but is not limited to: name, signature, insurance policy number, bank account number, medical condition, medical history, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  • Sources of PI: Directly from you, the individual or consumer; From clinical trial sites or third-party tissue banks.
  • Business or commercial purposes for PI collection: Analyzing clinical trial data; Conducting clinical trials; Delivering medical treatment to donors and patients; Meeting legal and regulatory compliance requirements; Public health and safety; Quality assurance; Research and development; Security and fraud prevention.

Protected Classifications
  • Examples of PI: This may include but is not limited to: age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status and genetic information.
  • Sources of PI: Directly from you, the individual or consumer; From clinical trial sites or tissue banks.
  • Business or commercial purposes for PI collection: Analyzing clinical trial data; Conducting clinical trials; Delivering medical treatment to donors and patients; Legal and regulatory compliance requirements; Public health and safety; Quality assurance; Research and development.

Professional or Employment Related Information
  • Examples of PI: This may include but is not limited to: industry, occupation, employment history, professional certifications, and any professional information included on a resume or CV.
  • Sources of PI: Directly from you, the individual or consumer.
  • Business or commercial purposes for PI collection: Conducting clinical trials; Delivering medical treatment to donors and patients; Quality assurance; Recruiting.

Personal Information Disclosed or Shared

Internet or Other Network Activity
  • Categories of third parties: Analytics Providers; Internet Service Providers (ISPs); Software and IT Providers.
  • Business or commercial purposes of PI disclosure: Analytics; Delivering products or services (to perform services on behalf of MIMEDX); Marketing.

Geolocation
  • Categories of third parties: Analytics Providers; Internet Service Providers (ISPs); Software and IT Providers.
  • Business or commercial purposes of PI disclosure: Analytics; Conducting clinical trials; Delivering products or services (to perform services on behalf of MIMEDX); Legal and regulatory compliance; Marketing.

Personal Identifiers
  • Categories of third parties: Analytics Providers; Business Partners; Clinical Trial Sites; Consultants; External Auditors; Internet Service Providers (ISPs); Physicians or Hospitals; Public Authorities/Government Bodies; Software and IT Providers.
  • Business or commercial purposes of PI disclosure: Analytics; Analyzing clinical trial data; Delivering products or services (to perform services on behalf of MIMEDX); Legal and regulatory compliance; Marketing; Providing treatment; Quality assurance.

Personal Records
  • Categories of third parties: Analytics Providers; Business Partners; Clinical Trial Sites; Consultants; External Auditors; Internet Service Providers (ISPs); Public Authorities/Government Bodies; Software and IT Providers.
  • Business or commercial purposes of PI disclosure: Analytics; Analyzing clinical trial data; Delivering products or services (to perform services on behalf of MIMEDX); Legal and regulatory compliance; Marketing; Providing treatment; Quality assurance.

Professional or Employment Related Information
  • Categories of third parties: Clinical Sites.
  • Business or commercial purposes of PI disclosure: Medical Review; Quality Assurance.

At times, MIMEDX engages service providers for the same business purposes for which we collect such PI as described in the previous section; to that end a contractual agreement is signed with each vendor to restrict the use of your PI. In certain circumstances, MIMEDX may disclose your PI when authorized by law, public authorities, courts, or law enforcement, or when required to protect our legal rights. For example, disclosures can be a part of a merger, acquisition, bankruptcy, or other transactions.

California Consumer Rights

The CCPA provides Consumers with specific rights regarding their PI.  Note that MIMEDX does not sell any PI from California Consumers. This section describes the CCPA right to know and right to delete and explains how to exercise those rights. We will not discriminate against you for exercising your CCPA rights.

Right to Know

You may have the right to send us a request, no more than twice in a 12-month period, for any of the following:

  • The categories of Personal Information we collect about you;
  • The categories of sources for the Personal Information we collect about you;
  • Our business or commercial purposes for collecting that Personal Information;
  • The categories of third parties with whom we share that Personal Information, and categories of Personal Information that each recipient received;
  • The specific pieces of Personal Information we collect about you;
  • A list of the categories of Personal Information disclosed for a business purpose in the prior 12 months, or that no disclosure occurred; and
  • A list of the categories of Personal Information sold about you in the prior 12 months, or that no sale occurred. If we sold your Personal Information, we will explain:
    • The categories of your Personal Information we have sold; and
    • The categories of third parties to which we sold Personal Information, by categories of Personal Information sold for each third party.

Right to Delete

You have the right to request that we delete any PI that we have collected from you and retained, subject to certain exceptions. For example, we may deny your deletion request if retaining the information is necessary for us to complete the transaction that you requested, detect security incidents, or enable internal uses that are reasonably aligned with your expectations.

Exercise Your Rights

To exercise the right to know and the right to delete, please submit a verifiable Consumer request to us by either:

Please describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Any request that you submit to us is subject to an identification process to verify your identity or authority to make the request. MIMEDX will request data elements such as email address, home address, or phone number in order to verify your identity and fulfill the request. A reasonable charge may be made for providing requested information.

Designating an authorized agent: To exercise any of these privacy rights, you can also designate another person to act on your behalf. As permitted by the CCPA, any request you submit to us is subject to an identification and verification process and confirmation of the agent’s authority, which may include attestation under penalty of perjury.  Absent a power of attorney, we will also require the Consumer to verify their own identity.

Within 30 business days, or as required by law, of receiving your written request, we will send you the information. Consent to the use and disclosure of your personal information can be withdrawn, by notice in writing to the email address or toll-free number obtained above.

Do Not Sell

We do not believe that we “Sell” Consumer Personal Information as those terms are defined by the CCPA.  We also do not “Sell” PI of any minors as defined by the CCPA. If you direct us to share Personal Information we may do so, and that is not considered a sale under the CCPA. We do not treat disclosures required by applicable law to be made, such as to the government, to be sales. Also, disclosures amongst the entities that constitute Company as defined above are not a sale.

While there is not yet a consensus, data practices of third-party cookies and tracking devices associated with our websites may arguably constitute a “Sale” of your Personal Information as defined by the CCPA. However, we do not think that these third-party technologies and activities are a “Sale” of your personal data by us, and until we are provided guidance otherwise, we do not intend to treat them as such. Accordingly, a “Do Not Sell” request to us will not affect these third-party technologies or activities. You can, however, exercise control over browser-based cookies by adjusting the settings on your browser.

Our Policy Towards Children

MIMEDX does not knowingly collect Personal Information directly from minors and does not sell PI of minors. Any information we collect from minors is always with the consent of a parent or guardian. If you are under 16 years old, do not use or provide any information on our website.

Non-Discrimination

We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

Limitations on Rights

Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your CCPA rights.  In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

Changes to this Privacy Notice

This Privacy Notice may be revised from time to time as we add new features, as laws change, and as industry privacy and security best practices evolve.

If we update the Privacy Notice, we will let you know about any changes that we consider material by placing a note on the MIMEDX website (https://www.mimedx.com). The most current version of the Privacy Notice will always be available on the website. You can check the “effective date” posted to see when the Privacy Notice was last updated.

Contact Information

If you have any questions about this Privacy Notice or about our handling of your information, please contact MIMEDX at [email protected] or (888)-543-1917.

MIMEDX, Inc. (att: Compliance Office)
1775 W Oak Commons Ct
Marietta, GA 30062
USA