Our data protection principles
We handle the data transferred to us in a trusting and responsible manner and observe the legal provisions on data protection, in particular the Virginia Consumer Data Protection Act 2021 (VCDPA), the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
- Personal data is only collected by us if and to the extent that you yourself provide it to us with your knowledge.
- We do not sell, lend or give away your personal data. We only pass on your data to third parties without your consent if we are legally entitled to do so, e.g. in the event of a corresponding court order.
- We use state-of-the-art security technologies to protect your data from misuse.
We want to provide you with a safe, smooth, efficient and personal user experience.
Overview of processing
Categories of data subjects
Relevant legal basis
- Consent (Art. 6 para. 1 p. 1 lit. a GDPR) – The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures carried out at the data subject’s request.
- Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Protection of vital interests (Art. 6 para. 1 p. 1 lit. d. GDPR) – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
GDPR Specific Rights
Under the GDPR you have a number of “Data Subject Rights”. In particular, you have the right to:
- Information about the processing of your personal data;
- Obtain access to the personal data held about you;
- Ask for incorrect, inaccurate or incomplete personal data to be corrected;
- Request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- Object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- Request the restriction of the processing of your personal data in specific cases;
- Receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- Request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision; and
- Where the processing of your personal information is based on consent, you have the right to withdraw that consent without detriment at any time through our contact form.
Virginia Specific Rights
According to the Virginia Consumer Data Protection Act, you have the right to:
- Confirmation whether your personal data is being processed by us;
- Correct inaccuracies in your data;
- Delete personal data obtained from or about you;
- Obtain a copy of the data you previously provided us in a portable and “readily usable” format; and
- Opt out of data collection if the data is collected “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects” concerning you.
Your HIPAA Rights
When it comes to your health information, you have additional rights, in particular:
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
- You can ask us to correct health information about you that you think is incorrect or incomplete.
- You can ask us to contact you in a specific way (for example, home or office phone) or at a specific location (for example, to send mail to a different address).
- You can tell us your choices about what we share.
- You can ask us to limit what we use or share.
- You can get a list of those with whom we have shared information.
- You can get a copy of this Notice.
- You can choose someone to act for you.
- You can file a complaint if you feel your rights are violated.
If you wish to rely on any of your data subject rights or have a request, please contact us.
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, assurance of availability of and segregation of the data. We also have procedures in place to ensure the exercise of data subjects’ rights, the deletion of data and responses to data compromise. Furthermore, we already take the protection of personal data into account in the development or selection of hardware, software and procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
SSL encryption (https)
Transmission and disclosure of personal data
Data processing in third countries
If we process data in a third country (i.e., outside the United States) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only be done in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, contractual obligation through so-called standard contractual clauses, in the presence of certifications or binding internal data protection regulations.
Care and business services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g. to answer inquiries.
We inform the contractual partners which data is required for the aforementioned purposes before or in the course of data collection, e.g. in online forms, by means of special labeling (e.g. colors) or symbols (e.g. asterisks or similar), or in person.
We delete the data after the expiry of legal warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be kept for legal archiving reasons (e.g. for tax purposes generally 10 years). We delete data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications of the order, generally after the end of the order.
If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Economic analyses and market research
For business reasons and in order to be able to recognize market trends, wishes of contractual partners and users, we analyze the data we have on business transactions, contracts, inquiries, etc., whereby the group of persons concerned may include contractual partners, interested parties, customers, visitors and users of our website.
The analyses are carried out for the purpose of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). In doing so, we may, if available, take into account the profiles of registered users together with their details, e.g. regarding services used. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized, i.e. anonymized values. Furthermore, we take the privacy of the users into consideration and process the data for the analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g. as summarized data).
Provision of the website and web hosting
In order to provide our website securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the website can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.
The data processed in the course of providing the hosting service may include all information relating to the users of our online service that is generated in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of websites to browsers, and all entries made within our website or websites.
Collection of access data and log files
We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the websites and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files may be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability.
Newsletters and electronic notifications
We send newsletters, e-mails and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or a legal permission. If the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us.
In order to subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address in the newsletter, or further details, if these are necessary for the purposes of the newsletter.
The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.
The newsletter is sent on the basis of the recipients’ consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of advertising to existing customers. Insofar as we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to demonstrate that it has been carried out in accordance with the law.
Web analysis, monitoring and optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our website and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, recognize at what time our website or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization.
In addition to web analysis, we may also use test procedures, e.g. to test and optimize different versions of our website or its components.
For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures may be used with the same purpose. This information may include, for example, content viewed, websites visited and elements used there and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.
The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, testing and optimization, but pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
We process personal data for online marketing purposes, which may include, in particular, marketing advertising space or displaying promotional and other content (collectively, “content”) based on potential user interests and measuring its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures are used, by means of which the information about the user relevant to the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed.
The IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored within the scope of the online marketing process, but pseudonyms. This means that we as well as the providers of the online marketing procedures do not know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in the cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing procedure and analyzed for the purpose of displaying content as well as supplemented with further data and stored on the server of the online marketing procedure provider.
Exceptionally, clear data can be assigned to the profiles. This is the case if, for example, the users are members of a social network whose online marketing procedure we use and the network links the users’ profiles with the aforementioned data. We ask you to note that users may enter into additional agreements with the providers, e.g. by giving their consent as part of the registration process.
In principle, we only receive access to summarized information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to a conclusion of a contract with us. The conversion measurement is used solely to analyze the success of our marketing measures.
Unless otherwise stated, we ask you to assume that cookies used will be stored for a period of two years.
We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our website or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called “Remarketing Audiences”, or “Google Analytics Audiences”). With the help of Remarketing Audiences, we also want to ensure that our advertisements correspond to the potential interest of the users.
We use Google Analytics in the form of Universal Analytics. “Universal Analytics” refers to a method of Google Analytics in which user analysis is carried out on the basis of a pseudonymous user ID and thus a pseudonymous profile of the user is created with information from the use of different devices (so-called “cross-device tracking”).
Protection of personal data
The security of your personal data is of particular concern to us. We therefore take appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, deletion of data and response to data compromise. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware and software, in accordance with the principle of data protection through technology design and through data protection-friendly default settings. We also transfer our understanding of security to those processors used by us.
If you apply for a role or job, we process the information we receive from you as part of the application process, e.g. through your letter of application, CV, references, correspondence, telephone or verbal details. In addition to your contact details, information about your education, qualifications, work experience and skills is particularly relevant to us.
Your data will initially be processed solely for the purpose of carrying out the application process. If your application is successful, it will become part of your personnel file and will be used to carry out and terminate your employment and will be deleted in accordance with the rules applicable to personnel files. If we are unable to offer you employment, we will continue to process your data for up to six months after sending the rejection in order to defend ourselves against any legal claims, in particular alleged discrimination in the application process.
The legal basis for processing data during the application process is consent and, if you have given your consent, for example by sending us information that is not necessary for the application process. The legal basis for data processing after a rejection is our legitimate interest.
As a rule, we do not require any special categories of personal data within the meaning of VCDPA and GDPR for the application process. We ask you not to provide us with any such information from the outset. If such information is relevant to the application process, we process it together with your other data. Your data will not be used by us for automated decision-making or profiling, nor will it be passed on to third parties. Your data will be processed by us or on our behalf.
You are not obliged to provide us with personal data. However, we can only assess your suitability for the respective position under consideration if we receive information in particular about your education, work experience and skills, and we cannot include you in the application process unless you provide your contact details.
When you send a data subject access request
The legal basis for the processing of your personal data in the context of handling your data subject access request is our legal obligation, and the legal basis for the subsequent documentation of the data subject access request is both our legitimate interest and our legal obligation.
The purpose of processing your personal data in the context of processing data when you send a data subject access request is to respond to your request. The subsequent documentation of the data subject access request serves to fulfill the legally required accountability.
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the processing of a data subject access request, this is three years after the end of the respective process.
You have the possibility at any time to object to the processing of your personal data in the context of the processing of a data subject access request for the future. In this case, however, we will not be able to further process your request. The documentation of the legally compliant processing of the respective data subject access request is mandatory. Consequently, there is no possibility for you to object.
Legal defense and enforcement of our rights
The legal basis for the processing of your personal data in the context of legal defense and enforcement of our rights is our legitimate interest.
The purpose of processing your personal data in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights. Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement of our rights. Consequently, there is no possibility for you to object.
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents given for their processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not necessary for the purpose).
If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual privacy policies of this privacy statement.
Virginia Personal Identity Information (PII) Statement
Commercial Partners: Individual(s) or companies that have been approved by us as a recipient of organizational PII and from which Amani Home Care has received confirmation of their data protection practices conformance with the requirements of this policy. Commercial Partners include all external providers of services to Amani Home Care and include proposed Commercial Partners. No PII information can be transmitted to any vendor in any method unless the vendor has been pre-certified for the receipt of such information.
PII Training: All new hires entering Amani Home Care who may have access to PII are provided with introductory training regarding the provisions of this policy, a copy of this policy and implementing procedures for the department to which they are assigned. Employees in positions with regular ongoing access to PII or those transferred into such positions are provided with training reinforcing this policy and procedures for the maintenance of PII data and shall receive annual training regarding the security and protection of PII data and company proprietary data.
PII Audit(s): Amani Home Care conducts audits of PII information maintained by Amani Home Care in conjunction with fiscal year closing activities to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PII information. Where the need no longer exists, PII information will be destroyed in accordance with protocols for destruction of such records and logs maintained for the dates of destruction.
Data Breaches/Notification: Databases or data sets that include PII may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, Amani Home Care will notify all affected individuals whose PII data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach was discovered.
Confirmation of Confidentiality: All company employees must maintain the confidentiality of PII as well as company proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgment reminders annually attesting to their understanding of this company requirement.
Violations of PII Policies and Procedures: Amani Home Care views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under Amani Home Care’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in Amani Home Care’s PII on-boarding and refresher training to reinforce Amani Home Care’s continuing commitment to ensuring that this data is protected by the highest standards.
Health Insurance Portability and Accountability Act (HIPAA) Statement
The following categories describe different ways that we are permitted to use and disclose your health information.
- We may use or disclose your Protected Health Information (PHI) to provide our services.
- We can use and share your health information to run our testing locations, improve your care, and contact you when necessary.
- We can use and share your health information to bill and get payment.
- We may provide your PHI to other companies or individuals that need the information to provide services to us.
- We may use and disclose your health information for other purposes if we have de-identified it in accordance with applicable law.
- We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes.
- We will share information about you if laws require it, including with the United States Department of Health and Human Services (HHS), if it wants to see that we are complying with privacy law.
- We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
- We can share health information about you in response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful process in certain situations.
Hosting and Content Delivery Networks (CDN)
This website is hosted by an external service provider (WordPress, 29th Street #343 San Francisco CA 94110-4929 (https://wordpress.org/)). The personal data collected on this website is stored on WordPress’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.
WordPress is used for the purpose of fulfilling contracts with our potential and existing customers and in the interest of a secure, fast and efficient provision of our online offer by a professional provider.
WordPress will process your data only to the extent necessary to fulfill its performance obligations and to comply with our instructions regarding such data.