FlowJo Data Privacy Notice
Last revised 10/11/2022
FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA, (“Company”, “we” or “our”) and each of its affiliates and subsidiaries (collectively, the “Becton Dickinson Group” or “BD Group”) take data privacy seriously.
Company is responsible for the processing of personal data as it decides why and how it is processed, thereby acting as the “controller” in the meaning of the EU General Data Protection Regulation “GDPR”.
We are committed to respecting and safeguarding your privacy by handling your personal data in accordance with applicable data protection laws. This Data Privacy Notice (“Notice”) informs the users of SeqGeq™, FlowJo™, FlowJo Portal, flowjo.com, and BD® Research Cloud ("FlowJo Products") how we collect and process the personal data and other information of such users (hereinafter "you" or "your") in connection with their usage of the FlowJo Products.
1. What personal data do we process about you, why and how is this justified?
2. Who has access to your personal data?
3. How long do we store your personal data?
4. What are your rights and how can you exercise them?
5. Cookies and other tracking technologies
6. How do we protect your personal data?
7. Changes to this Notice
8. How can you contact us?
9. Supplemental Privacy Notice to California Residents
What personal data do we process about you, why and how is this justified?
1.1. Personal data you actively provide to us
Types of personal data and processing purposes:
- Registration Data: When you register with FlowJo to receive a quote, trial or license for authorized usage of FlowJo Products, you will be asked to provide the following personal data about you: your first and last name, organization or institution (if applicable), country code, telephone number, email address, hardware address, and password.
- If you register for the BD Research Cloud, in addition to the Registration Data, we also process your zipcode.
- We process your Registration Data for purposes of access control, license administration, sales and support interactions with you, and for defending, establishing and exercising legal claims, for providing customer care services, for IT and network security purposes, for complying with legal obligations, and for providing marketing materials to the extent permitted by applicable law.
- Financial or payment data: We process your credit card details, bank account details, VAT or other tax identification number, dates and amounts of payments made or received to bill you for requested products and services, and accounting purposes.
- Custom Fields: Any other information you may want to provide to us for license administration when you register for a group license is stored in the system to merely fulfil your request and for your own convenience.
The provision of Registration and Financial or payment data is necessary to enter into the license agreement with us and to register with and use the FlowJo Products as requested by you. If you choose to not provide your personal data, you may not be able to use the FlowJo Products.
Legal ground for processing:
- the processing is necessary for the performance of the license agreement and/or the end-user license agreement or to take steps at your request prior to entering into such agreements (e.g., for providing quotations, administering the license agreement, or providing you with products and services as requested by you, and for billing you for requested products and services).
- the processing is necessary for the purposes of our and BD Group's legitimate business interests, in particular for access control, license administration, IT and network security, customer care services, marketing, as far as permitted by applicable laws, improvement of the quality and services of the FlowJo Products, as well as other products and services offered by the BD Group.
- the processing is necessary for compliance with a legal obligation to which we are subject, such as reporting cases of adverse events related to our products to authorities, or for accounting purposes.
- the processing is necessary for defending, establishing, and exercising legal claims.
- subject to your consent, we will add you to our marketing database and market products and services which we think may be of interest to you or to communicate with you for other purposes about which we inform you when we collect your personal data. You can unsubscribe from marketing communications by clicking the “Unsubscribe” link included in each message.
1.2. Personal data automatically collected when you use the FlowJo Products:
Company uses common automated data collection technologies, such as cookies, to assess how our FlowJo Products are used, to personalize your experience, and to deliver content tailored to your interests. Through these technologies, some information may be collected automatically when you use the FlowJo Products, such as the IP address, MAC address, browser type and version, operating system and interface, version of the FlowJo Products, device and reagent information, underlying license information, date and time of the FlowJo Products usage.
- When you use the BD Research Cloud, we automatically process your lab name, fluorescent panel information, workflow information, reagent information, cytometer information and organization profile. We also process any uploaded files, including FCS files, for the purpose of storing those files.
Such metadata will be processed based on our and BD Group’s legitimate business interest to enable and control the access to the FlowJo Products, to ensure compliance with license restrictions and for IT and network security purposes.
Subject to your explicit consent, where required, we may use the metadata and other information collected through cookies and other common technologies, to assess how our FlowJo Products are used, to personalize your experience, and to deliver content tailored to your interests and for research and product development purposes.
In particular, we would like to understand:
- The engagement with the use of FlowJo Products, in particular the BD Research Cloud per organization or per individual
- Users’ usage of specific features within the software.
- Users’ login frequency and last login time.
- Total periodic logins and per-organization logins.
- Location of the engagement by postal code.
- Cytometer market information
- Which cytometers (BD and/or competitor) are utilized by organizations.
- What configurations of cytometers are utilized by organizations.
- Reagent and panel information
- Which reagents are users looking for and which reagents are they selecting.
- What reagents are users manually entering into the software.
- What panels are users selecting and are they moving through to purchase those panels.
- How many markers are users utilizing in their panels, and how does that relate to the number of detectors in their cytometer.
- In what ways can we influence users' purchasing decisions towards BD Products
- Where do users exit from the buying process.
- Offering targeted discounts, information, or educational opportunities.
Who has access to your personal data?
You should expect that we will share your personal data with third parties for the processing purposes described above as follows:
- Within the Company: Your personal data will be processed and used by the Company located in the USA. Depending on the categories of personal data and the purposes for which the personal data has been collected, different departments within the Company, including, for example, our R&D, IT, Sales, Legal, Marketing and Finance departments have access to your personal data on a need-to-know basis.
- Within the BD Group: Our parent entity, Becton, Dickinson and Company, in the USA and other affiliates in the USA (each affiliate including us referred to as "BD Affiliate") may receive your personal data as necessary for the following purposes: product improvement, marketing, and cyber-security. Internally, the following departments may have access for such purposes: R&D, IT, Sales, Legal, Marketing and Finance departments. Details of BD affiliates can be found at flowjo.com/legal_entities
- With data processors: Certain third-party service providers, whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the processing purposes described above, such as hosting providers, customer care providers, marketing service providers, IT support service providers, and other service providers who support us in maintaining our commercial relationship with you. The Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed. A list with the main Processors can be found here www.flowjo.com/policies/partners.
- Other recipients: We may transfer—in compliance with applicable data protection law—personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or selected business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. We will not disclose your personal data to third parties for advertising or marketing purposes or for any other purposes without permission.
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfil their job responsibilities.
The above mentioned third parties are contractually obliged to protect the confidentiality and security of your personal data in compliance with applicable laws. However, your personal data may also be accessed by or transferred to any national and/or international regulatory, enforcement, or public body or court when we are required to do so by applicable laws or regulations or at their request.
International transfers. Your personal data will be processed by the Company in the USA, which may not provide the same level of data protection as your country and where there is a risk of access by US authorities. You should expect that the recipients identified above, which will receive or have access to your personal data, are also located outside the European Union and the European Economic Area (together "EEA"), UK, or Switzerland, in particular in the USA.
By registering on one of our portals (FlowJo Portal, flowjo.com or BD Research Cloud), you explicitly agree to the processing of your personal data in the US and other third countries as specified above.
Before disclosing any personal data from the EEA, Switzerland or the UK to persons in countries outside the EEA or Switzerland, we take appropriate safeguards as required by applicable laws, such as assessing data importers to ensure that they can effectively protect your personal data as expected under EU and Swiss data protection laws and entering into Standard Contractual Clauses as approved by the EU Commission and the Swiss Federal Data Protection and Information Commissioner respectively. For further information about these safeguards or to receive a copy, please contact us as described in this Notice.
How long do we store your personal data?
Your personal data will be retained for the period of the license agreement and/or your registration with FlowJo Products. This is necessary to provide you with access to FlowJo Products. Once the license agreement or your registration has lapsed, we may retain your personal data for a further period, depending on the type of personal data we have to process (registration data, financial or payment data, custom fields), but - in any case - no longer than 10 years. On request, we will restrict further processing of your personal data by anonymizing it. Legal or regulatory obligations or pending legal claims may require a longer retention and processing period. Also, we will retain and actively process your contact details and interests in the FlowJo Products for a longer period of time if the Company is allowed to send you marketing materials based on your explicit consent. Prior to deleting any personal data, we may anonymize your personal data for future statistical and reporting purposes.
What are your rights and how can you exercise them?
Right to withdraw your consent: If you have declared your consent regarding certain collecting, processing, and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can withdraw your consent via instructions available at this link www.flowjo.com/policies/how-to.
Additional data privacy rights: Pursuant to applicable data protection law and under the conditions and within the limits outlined in the law, you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data (including objection to direct marketing and profiling). Please note that these rights might be limited under the applicable local data protection law.
You can exercise your rights via instructions at this link www.flowjo.com/policies/how-to or by contacting us as stated under Section 8 below. You also have the right to lodge a complaint with the competent data protection supervisory authority in the relevant Member State (e.g., the place where you reside, work, or of an alleged infringement of the GDPR). Contact details can be found here.
Cookies and other tracking technologies
How do we protect your personal data?
We take appropriate technical and organizational measures to secure your personal data from unauthorized access, loss, and misuse. These measures include instructions to employees, access regulations and restrictions as well as the encryption of data carriers.
Changes to this Notice
We may update this Notice from time to time in response to changing legal, regulatory, or operational requirements. We will notify you of any such changes, including when they will take effect, by updating the "Last revised" date above or as otherwise required by applicable law. If you do not accept updates to this Notice, you should stop using the FlowJo Products.
How can you contact us?
If you have any questions about this Notice or if you want to exercise your rights as stated above in Section 4, please contact us at: FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA, firstname.lastname@example.org.
The Company's Data Protection Contact Person can be contacted at email@example.com or via postal letter to Data Protection, FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA.
The contact details of our representative within the EU are as follows: BD GmbH, Tullastr. 8-12, 69126 Heidelberg, Germany, GDPR@bd.com.
Supplemental Privacy Notice to California Residents
If you reside in California and we receive or collect CA Personal Information about you in a manner that is not an exception that is excluded by applicable law, we are required to provide additional information to you about how we use and disclose your information, and you may have additional rights with regard to how we use your information. We have included this California-specific information below.
California Consumer Privacy Act of 2018 (CCPA)
California Personal Data. Consistent with the "What personal data do we process about you, why and how is this justified?" section above, we collect certain categories and specific pieces of information about California consumers or households that are considered "Personal Data" in California ("CA Personal Data"). For example, and specific to CA Personal Data, BD may have collected the following categories of information about you:
- Personal Data under the California Customer Records statute – such as: signature, physical characteristics or description, telephone number, medical information, health insurance information
- Protected classifications under California or federal law – such as: sex, age, physical or mental disability
- Commercial information – such as: products or services obtained or considered, or other purchasing or consuming histories
- Internet or other similar network activity – such as: information regarding a consumer’s interaction with a website or application
CA Personal Data does NOT include information that is:
- Publicly available from government records
- De-identified or aggregated consumer information
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
- Collected in the context of BD's business-to-business interactions
- Other personal or financial information that is covered under certain sector-specific privacy laws.
Sources. We may collect certain categories of CA Personal Data from you and other third parties as described in the "What personal data do we process about you, why and how is this justified?" section above.
Purposes. Consistent with the "What personal data do we process about you, why and how is this justified?" section above, we may share and/or disclose your CA Personal Data for business or commercial purposes, as follows:
Sharing your CA Personal Data for business purposes: As described in the "Who has access to your personal data?" section above, in the past twelve months, we may have used or disclosed (shared) the following categories of your CA Personal Data with service providers, affiliates, third party partners, public or government authorities and future business partners for one or more of our operational or business purposes:
- To provide products and services to consumers
- To respond to consumer requests
- To improve and personalize the consumer experience on our Site
- For analytical purposes to improve or further develop products or services
- To monitor the safe and effective use of our products (or services)
- For any activity described to a consumer that engages with BD digitally and provides Personal Data or as otherwise permitted under the CCPA
- To conduct troubleshooting, audits, or other quality control activities related to the Site or other micro-sites, products, or services
- To detect and protect against security incidents and potential deceptive, malicious, or fraudulent activity
- To maintain and repair any BD Services
- As described above, examples of business purposes include business-related functions, internal operations, prevention of fraud and other harm, and legal or regulatory compliance.
Sharing your CA Personal Data as a “sale” under California law: We do not sell the Personal Data of California consumers. If BD determines that any activity that BD is engaged in may constitute a "sale" under California law, BD will modify this notice and add a Do Not Sell button to the Site. Note that none of the following types of disclosures constitute a “sale” under the CCPA:
- requests or direction from consumers to disclose their Personal Data
- instances where a consumer tells BD to interact with a third party that does not sell Personal Data of California consumers
- situations where BD shares Personal Data pursuant to a written contract with a service provider that is necessary to perform a business purpose where that third party is limited to only using the Personal Data to perform under that contract
- cases where a consumer’s Personal Data is transferred as part of a transaction (merger or acquisition) under which the third party assumes full or partial control of one of our businesses.
California Consumer Rights. Subject to certain exceptions, as a California resident, you may have the following rights to your CA Personal Data: (i) Access. Request access to your CA Personal Data that we collect, use, disclose, or sell (if applicable); (ii) Deletion. Request deletion of your CA Personal Data, although BD may deny the request for a number of reasons authorized under California or other applicable law; and (iii) CA Personal Data Sold or Disclosed for Business Purposes. Request information about the CA Personal Data we have "sold" (as defined under CCPA) or disclosed for business purposes within the preceding 12 months. As noted above, BD does not sell consumers’ Personal Data. To the extent permitted by applicable law, we may be required to retain some of your CA Personal Data and certain CA Personal Data is strictly necessary in order for us to fulfil the purposes described in this Privacy Statement.
Exercising California consumer rights. If you are a California resident and wish to exercise any of these rights, you may submit a verifiable request to us as follows: (a) contact us via e-mail: firstname.lastname@example.org as described in the “How to Contact BD” section below with the specific nature of your request, referencing “Your California Privacy Rights”; or (b) call the following toll-free number: (800) 490-2177. We are not responsible for requests that are not labelled or sent properly, or do not have complete information. We will verify your identity prior to providing any information in response to a consumer rights request. Please note that you are limited by law in the number of requests you may submit per year. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf (Authorized Agent), may attempt to make a consumer request for you. We cannot respond to a request if we are unable to verify your identity or confirm your Authorized Agent.
Follow these steps if you wish to submit a request to exercise your rights under California law:
- Give us enough information to reasonably verify you are a California resident and entitled to rights under California law;
- Describe your request with enough detail to allow us to understand and respond to your request; and
- Tell us how you prefer to receive a written response – by USPS mail or e-mail. Note that if you do not specify your preference, BD will respond to a verified request by e-mail.
We will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of products, based solely upon you exercising your rights to your CA Personal Data. Finally, making a verifiable consumer request does not require you to create an account with BD.
Right to Removal of Posted Information—California Minors
If you are under 18 years of age, reside in California, and have provided us with information, you have the right to request removal of unwanted information that you publicly post on the Site. To request removal of such information, you can contact us as provided below. Upon receiving such a request, we will make sure that the information is not publicly available on the Site, but the information may not be completely or comprehensively removed from our systems and databases.
How to Contact BD:
Additional options for California Residents Only:
Toll Free Phone Number: (800) 490-2177