Sotera Health Company, with its global headquarters located at 9100 South Hills Boulevard, Suite 300 Broadview Heights, Ohio 44147, United States of America, and its affiliates (hereafter, together and individually: “Sotera Health”, “we”, “our” or “us”) is committed to protecting and respecting your privacy. This Privacy Policy (“Policy”) describes how we gather and use your information. This Policy applies to the information we collect, or you provide, through any of Sotera Health’s digital resources (for example, via our websites, applications, email correspondence, marketing materials, and other online or downloadable tools) (collectively, “online resources”) that reference or display a link to this Policy. By using our online resources that reference or display a link to this Policy, you are accepting and agreeing to the practices described herein.
This Policy is supported by our Cookie Policy, which describes the way our websites and other online resources use cookies. Your use of these online resources also is subject to our Terms of Use.
1. How We Collect Your Information
Sotera Health operates and provides online resources to provide you with information about our businesses and the products and services we offer. Some of the online resources we offer are in collaboration with third-party service providers. Our relationships with these service providers are governed by agreements that require your information to be processed and held securely. There are three ways in which we gather information:
- You give us information: We collect information that you give us by filling in forms or data fields on our websites, or by corresponding with us by phone, email or otherwise. This includes information you provide to us when you complete a contact form, register on our website, or subscribe to Sotera Health communications. The information you give us may include your name, date of birth, contact information (postal address, email address, phone number), professional credentials, function, contact preferences, username and password, and resume. To the extent necessary to process a payment, you may also give us certain of your financial information, including credit card information, bank details, tax data, or information regarding credit history.
- We collect information from your computer or electronic device: When you visit our websites or otherwise use Sotera Health online resources, we (or a third-party designated by us) may collect information about the computer or electronic device you are using. Information we collect may include the following:
  - technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  - information provided by tracking technologies, such as cookies, single-pixel tags, local share objects (Flash), local storage, E-tags and scripts;
  - information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), the products or services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page and any phone number used to call our customer service number;
  - if you use a mobile device to access our website or online resources, we may collect information about your device, including your device ID and device type, as well as usage information about your device and your use of our mobile websites and other mobile resources.
- We receive information from other sources: This is information we receive about you from public sources, including trade and business registers or directories, trade fairs, exhibitions, and news or internet sources. We engage third-party service providers who provide us with technical services, including related to payment processing, data analytics, and advertising, from whom we receive and process information about you. We may also receive information about you from business associations, credit agencies, and insurance companies.
2. How We Use Your Information
We use information we hold about you for legitimate business purposes and in accordance with the legal basis further described in this Policy in Section 3, and in accordance with applicable national or local data protection laws, and applicable provisions of the European General Data Protection Regulation (“GDPR”).
- We use the information you give to us:
  - to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, goods and services that you request from us;
  - to provide you with information about other goods or services we offer that are similar to those that you have already used or inquired about;
  - to provide you with information about goods or services we believe may interest you;
  - to provide you with the possibility to pay online for the goods or services you have requested from us;
  - to review and assess your job application;
  - to notify you about changes to our products or services, or changes to regulatory requirements that may affect our products or services or your use of them; and
  - to ensure that the content from our website is presented in the most effective manner for you and for your computer or device.
- Information collected from your computer or electronic device: We (or a third party designated by us) use this information as follows:
  - to improve our website and ensure that content is presented in the most effective manner for you and your computer or device;
  - to measure or understand the effectiveness of advertising we deliver to you and others, and to deliver relevant advertising to you; and
  - to make suggestions and recommendations to you and other users of our website about goods or services that may interest you or them.
- Information we receive from other sources: Sometimes we combine the information given to us by you with the information we have collected and the information we have from other sources. We use this information, including the combined information, for the following purposes:
  - to measure or understand the effectiveness of advertising we deliver to you and others, and to deliver relevant advertising to you; and
  - to make suggestions and recommendations to you and other users of our website about goods or services that may interest you or them.
3. Legal Basis
We process your information on the following legal bases:
- If it is necessary for pursuit of, or to safeguard, the legitimate interests of Sotera Health, provided that these interests are not overridden by your fundamental rights and freedoms. For example, we use your information to better personalize our product and service offerings, to provide improved customer service, to prevent fraud, and to secure our website.
- If it is necessary to fulfill our contractual obligations. The extent and purpose of our use of your information depends on the contract that we have concluded.
- If it is required to comply with our legal obligations. These obligations may arise from applicable provisions of national or European laws or regulations, including regarding commerce, trade, and tax.
- If you consent to our use of your information. If you have given us your prior express consent we will use your information in a manner consistent with the scope of that consent.
4. Disclosure of Your Information
If permitted pursuant to our contractual obligations with you, we may share your information with other entities in the Sotera Health group of companies. We make your information available to our affiliates as necessary to fulfil legal and contractual obligations. For example, where permitted, we share your information with our affiliates to facilitate the provision of centralized supplier or customer management services, centralized IT services, and internal finance and accounting shared services. If permitted, we also may share your information with other Sotera Health affiliates so that they may offer you products or services complementary to those you already receive from us.
We work closely with third-party service providers to fulfil certain of our contractual and legal obligations as well. Typical examples of this include the hosting of IT infrastructure, certain payment processing services, and logistics and delivery. You agree that we have the right to share your information with those third-party service providers used to support our business, including:
- Providers of marketing related services and solutions;
- Providers of legal and compliance services and solutions;
- Providers of whistleblowing services;
- Public authorities and national administrations;
- Providers of auditing services;
- Providers of IT related services and solutions;
- Providers of banking services and solutions;
- Providers of online payment services.
We will also disclose your information to third parties:
- In the event we sell or buy any business or assets in connection with an acquisition, merger into another entity or consolidation, share exchange, combination, bankruptcy or reorganization proceeding, in which case we may disclose and transfer your information to the prospective seller or buyer of such business or assets;
- If Sotera Health or substantially all or some of its assets are acquired by a third party, in which case information held by it about its customers may be one of the transferred assets;
- If we are under a duty to disclose or share your information in order to comply with any legal obligation or to protect the rights, property, or safety of Sotera Health, our customers, or others. This includes exchanging information with public authorities (including judicial and police authorities) in the event of, for example, a cyber security incident;
- If appropriate to achieve any of the purposes set out in Section 2 of this Policy.
5. Transfer of Your Information
If you are based in the European Union, we may transfer your information to a destination outside the European Economic Area (“EEA”), which might include transfers to Canada and the United States of America. Such transfers can be performed, if appropriate to (i) achieve any of the purposes set out in Section 2, or (ii) disclose your information to a third party, in accordance with Section 4.
If we transfer information originating in the EEA to a destination outside the EEA, we will make sure that such information is protected by the following safeguards:
- The laws of the country to which the information is transferred ensure an adequate level of data protection (Article 45, GDPR);
- The transfer is subject to data protection clauses approved by the European Commission (Article 46.2, GDPR) or is subject to the EU-US Privacy Shield; or
- The transfer is based on Binding Corporate Rules (Article 47, GDPR); an approved Code of Conduct (Article 40, GDPR); an approved certification mechanism (Article 42, GDPR); an approved data transfer agreement (Article 46.3, GDPR).
If you wish to receive more information relating to the transfers of such information originating from the EEA or the safeguards that have been implemented (including on how to receive a copy thereof), you can contact us as set out in Section 12 below.
6. Your Rights
A. Europe
If you are a resident of the European Union, you have certain rights regarding the personal information we hold about you.
- You have the right to access this information – we want you to be aware of the information we have about you and enable you to verify whether we process your information in accordance with applicable data protection laws and regulations.
- You have the right, under certain circumstances, to block or restrict our further use of your information.
- If your information is inaccurate or incomplete, you have the right to request rectification of your information.
- You have the right, under certain circumstances, to request deletion or removal of your information from our systems.
- If our processing of your personal information is based specifically on your consent, you have the right to withdraw that consent at any time.
- You have the right to obtain from us, under certain circumstances, your information in a structured, commonly used and machine-readable format so you can reuse it for your own purposes across different services.
- You have the right to object to certain types of processing, including processing for direct marketing purposes.
- If you are unsatisfied with our handling of your personal information, you also have the right to lodge a complaint with your national data protection authority. A list of the relevant data protection authorities can be found here.
If you would like to exercise or discuss any of these rights please contact us as set forth in Section 12, below.
B. California
If you are a resident of California, the California Consumer Privacy Act (“CCPA”) provides you with additional rights regarding your personal information depending on your relationship with Sotera Health.
Collection of Personal Information
In the preceding twelve (12) months, we may have collected from you the following categories of personal information, as defined under the CCPA:
- Identifiers: Name, postal address, email address, IP address, device ID, account name and password.
- Personal information categories listed in the California Customer Records statute: Phone number, financial account numbers, including credit card information, bank details, tax data, or information regarding credit history.
- Commercial information: Records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information: Browsing history, search history, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and information regarding interactions with our online resources or advertisement.
- Geolocation data: physical location or movements.
- Professional information: resume, cover letter, and other information you want to provide us with when applying for a job with us.
- Inferences drawn from other personal information: inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information.
We collect this information from you, from third-party service providers, such as for payment processing, data analytics, and advertising, or from others such as business associations, and credit agencies.
Purposes for Collecting and Using Personal Information
In the preceding twelve (12) months, we may have collected and used your personal information for business purposes as described in Section 2 above, including for:
- Auditing consumer interactions.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- For our short-term, transient use.
- Providing services (including maintaining and servicing accounts, providing customer service, verifying customer information).
- Undertaking activities to maintain the quality or safety of the service and to improve, upgrade, or enhance the online resources and our services.
We also may have collected and used personal information for commercial purposes, including to deliver relevant advertising and to make suggestions and recommendations to you and other users of our online resources about goods or services that may interest you or them, or as otherwise described in Section 2 of this Policy.
Disclosure of Personal Information
In the preceding twelve (12) months, we may have disclosed your personal information for certain business purposes, including to the following categories of third parties:
| Categories of personal information | Categories of third parties with whom we share your personal information |
| --- | --- |
| Identifiers | Our affiliates; Data analytics providers; Customer service; Auditors; IT services providers; Delivery service providers |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Our affiliates; Auditors; Online payment service providers; Banking service providers |
| Commercial information | Our affiliates; Auditors; Data analytics providers; Marketing solutions providers; Advertising networks |
| Internet or other similar network activity | Our affiliates; Data analytics providers; Marketing solutions providers; Advertising networks |
| Geolocation data | Our affiliates; Data analytics providers; Customer Service; Marketing solutions providers; Advertising networks |
| Professional or employment-related information | Our affiliates; Service providers (to process applicants); Other third parties (e.g., recruiters); Auditors |
| Inferences drawn from personal information | Our affiliates; Data analytics providers; Advertising networks; Auditors |
In the preceding twelve (12) months, we may have shared for commercial purposes:
Internet or Other Similar Network Activity personal information obtained through the use of cookies with the following categories of third parties: our affiliates, advertising networks and data analytics providers.
California Resident Privacy Rights
If you are a California resident, you may have the following rights depending on your relationship with Sotera Health:
- Right to Access Specific Information. You may request access to the specific pieces of personal information we have collected, used, and disclosed about you in the twelve (12) months preceding your request.
- Right to Know Personal Information. You may request to know the categories of personal information we have collected about you and the purposes for doing so; the categories of sources of that data; the categories of third parties with whom we shared it for a business purpose and our purposes for doing so.
- Right to Delete. You may request that we delete your personal information.
- Right to Opt-Out. You have the right to opt out of the sale of your personal information, as defined in the CCPA. The term “sale” is defined broadly under the CCPA. We do not consider the ways we share your personal information to comprise a “sale” of your information. However, to the extent that “sale” under the CCPA is interpreted to include interest-based advertising or other data uses described in the “How We Use Your Information” Section above, we will comply with applicable law as to those activities. To opt out from receiving interest-based advertising, please review our Cookie Policy to disable cookies. You also may follow the unsubscribe instructions in the communications that you receive.
- Right of Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.
You may also ask us to rectify or make changes to your personal information.
Exercising your Rights, Verification and Authorized Agent
To exercise your rights, you may email us at [email protected] or mail us at Attn: General Counsel, 9100 South Hills Boulevard, Suite 300 Broadview Heights, Ohio 44147, United States of America.
We will confirm receipt of your request within 10 business days, and respond within 45 calendar days, unless additional time is needed, in which case we will provide notice and an explanation of the reason. We may verify your identity or authority to make the request by asking you to provide information to confirm your identity. In some instances, we may ask you to declare under penalty of perjury that you are the consumer, investor or partner whose personal information is the subject of the request. If we cannot verify your identity, we may reject your request in whole or in part.
You also may designate an authorized agent to make a request for you. To use an authorized agent, you or your authorized agent must: submit proof that the authorized agent is registered with the California Secretary of State and that you have authorized your agent to act on your behalf; submit evidence that you have provided the authorized agent with power of attorney pursuant to the California Probate Code; or provide the authorized agent written and signed permission to act on your behalf, verify your identity with us, and directly confirm with us that you have provided the authorized agent permission to submit the request. We may deny a request from an authorized agent who does not submit sufficient proof to act on your behalf.
7. Security of Collected Information
We have implemented security features throughout our online resources to prevent the unauthorized release of, or access to, information we collect and receive from you. While we endeavor to create online resources that are always secure and reliable, we cannot guarantee the confidentiality of communications or materials transmitted to or from us (or to or from any other party), via the Sotera Health website or other online resources. We accept no responsibility and are in no way liable for the security of the information transmitted via our website or other online resources.
8. Do Not Track
Some web browsers incorporate a “Do Not Track” feature. Our online resources do not currently alter their practices when they receive Do Not Track signals. To find out more about “Do Not Track,” you may wish to visit http://www.allaboutdnt.com.
9. Retention of Your Information
We do not keep your information longer than necessary to achieve the purposes stated in this Policy, unless we are required to do so to comply with applicable legal obligations, including laws and regulations related to the maintenance of commercial and tax documentation and evidence. The retention period for your information is determined based on several criteria, including:
- Time elapsed since your last interaction with us;
- End of your contractual relationship with us;
- Sensitivity of the information or personal information;
- Security reasons;
- Applicable statutes of limitation;
- Ongoing or potential litigation or dispute (e.g., we need this information to establish or defend legal claims);
- Applicable regulatory or legal obligations.
10. External Websites
Our online resources may, from time to time, contain links to third-party websites. If you access a third-party website by clicking on a hyperlink, or advertisement incorporating a hyperlink, consult the privacy policies of those websites before you submit information to them. Sotera Health is not responsible for the privacy practices of third-party websites.
11. Agreement for the Collection and Use of Your Information; Changes to Our Privacy Policy
By using Sotera Health websites or other online resources, you acknowledge that you have read the terms of this Policy and you agree with the collection and the use of your information as set out above.
We may amend this Policy from time to time. Changes we make to the Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to the Policy. Your continued use of our websites and online resources following the posting of changes to this Policy will indicate your acceptance of the Policy changes.
12. Contact Details
Questions, comments and requests regarding the Policy must be addressed to our General Counsel at [email protected].
Recent Changes to Our Privacy Policy
The privacy and security of your information is important to us. We have made changes to the Privacy Policy that apply with respect to information that you provide on or after the date indicated in the “Last Modified” legend above. These changes include a note for California residents that includes:
(1) Detailed information regarding what personal information and other information we collect from you, how we collect it, and how it is used;
(2) Further descriptions of the parties with whom and for what purposes your data is shared; and
(3) What rights are available to residents of California.
To learn more, please review the full Privacy Policy above.
Biometric Data Privacy Policy and Notice
This Biometric Data Privacy Policy and Notice (this “Policy”) describes Sotera Health Company’s (“Sotera Health,” “we,” “us”) collection, protection, retention, use, disclosure, and destruction of certain personal information within the United States.
Scope
This Policy applies to all Sotera Health employees, agents, and representatives, including any contractor or third-party service provider to Sotera Health (“Third-Party Service Provider”) who have access to Biometric Data on behalf of Sotera Health. This Policy applies to all Biometric Data collected, maintained, transmitted, stored, retained, or otherwise used by Sotera Health regardless of the media on which such information is stored.
Biometric Data Defined
As used in this Policy, “Biometric Identifiers” means images of your fingerprints, voiceprints, scans of hand or face geometry, and retina or iris scans.
Biometric Identifiers do not include information such as writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.
Biometric Identifiers do not include information captured from a patient in a healthcare setting or any of the following:
- Information captured from a patient in a healthcare setting.
- Information collected, used, or stored for healthcare treatment, payment, or operations under the Health Insurance Portability and Accountability Act (HIPAA).
- Donated organs, tissues, or parts as defined by applicable state and federal laws in the United States, including but not limited to the Illinois Anatomical Gift Act, or blood or serum stored in connection with organ transplants.
- Biological materials regulated under the federal Genetic Information Privacy Act.
- Information collected, used, or stored from a Sotera Health employee, agent or representative outside of the United States.
“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual.
As used in this Policy, “Biometric Identifiers” and “Biometric Information” are collectively referred to as “Biometric Data.”
Why Sotera Collects and Uses Biometric Data
When you access our facilities, we may scan and collect Biometric Data, including (without limitation) images of your fingerprints and retina or iris scans for security purposes, as further described in this Policy. Sotera Health and the vendors and/or licensors of our security software collect, store, and use certain Biometric Data, including images of fingerprints and retina or iris scans from employees in order to increase security and access controls to Sotera Health’s facilities. Specifically, Sotera Health and the vendors and/or licensors collect Biometric Data from individuals before they access the irradiator room for the purpose of enhancing security of the facility.
Before collecting Biometric Data from you, Sotera Health will obtain your written consent to the collection.
Data Disclosure
Sotera Health discloses the Biometric Data to its third-party vendors and/or licensors in order to facilitate ongoing technical support of the security software.
Sotera Health does not sell, lease, trade, or otherwise profit from the Biometric Data.
Sotera Health prohibits any further disclosure or re-disclosure of Biometric Data unless the disclosure:
- Is consented to by the individual or the individual’s legally authorized representative;
- Is required by state or federal law, or required by municipal ordinance; or
- Is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction requesting Biometric Data.
Data Security
Sotera Health is committed to collecting and processing Biometric Data responsibly and in accordance with applicable law. Sotera Health stores, transmits, and protects all Biometric Data using a reasonable standard of care with measures that are at least equivalent to measures that Sotera Health uses to store, transmit, and protect its other confidential and sensitive information. These measures include storing and transmitting Biometric Data in encrypted format.
Sotera Health prohibits any further disclosure or re-disclosure of Biometric Data unless:
- The individual or the individual’s legally authorized representative consents to the disclosure;
- The disclosure is required by applicable law or regulation; or
- The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Retention Schedule and Destruction
Sotera Health retains the Biometric Data until the first of the following occurs:
- The initial purpose for the collection has been satisfied (e.g., so long as the individual from whom it collects Biometric Data maintains an employment relationship with Sotera Health); or
- For no longer than three years from the employee’s last interaction with Sotera Health.
Unless otherwise required by law or legal process, once the retention schedule no longer authorizes Sotera Health to retain the Biometric Data, Sotera Health securely and permanently destroys the Biometric Data.