Employee/Contractor/Applicant Privacy Policy

Policy Name: Cynosure Privacy Policy for Employees, Contractors, and Applicants Policy Effective Date: 11/1/2023

Locations on MyCynosure: Policies

Policy Owner: Data Protection Committee

Applies to: All Cynosure Employees, Contractors, and Applicants

 

Cynosure Privacy Policy for Employees, Contractors, and Applicants (this “Privacy Policy”).

 

This Privacy Policy relates to information collected online and offline by Cynosure, LLC (along with Cynosure, LLC’s Corporate Affiliates (as defined below), collectively, “Cynosure” “we” or “us” or “our”) from or about you solely in your capacity as a Cynosure employee (each, an “Employee”), as an independent contractor who is a natural person and has been engaged by Cynosure (including without limitation social media influencers (each, an “Influencer”) and professionals (including healthcare professionals): (i) who have contracted with Cynosure as key opinion leaders (each, a “KOL”), or (ii) who have contracted with Cynosure as members of our medical advisory board (each, an “Advisor”) (each, a “Contractor”), or as an applicant for employment with Cynosure as an Employee or engagement by Cynosure as a Contractor (each, an “Applicant”). This Privacy Policy has been prepared for your information and understanding of the policies, philosophies, and practices of Cynosure and shall be effective from and after November 1, 2023 (the “Effective Date”). As used herein, “you” and “your” means any Employee, Contractor, or Applicant. This Privacy Policy will apply to you only if: (i) our Processing of your Personal Data is regulated by the European Data Protection Laws; and/or (ii) you are a California resident. Cynosure, LLC is based in the United States of America. Cynosure, LLC’s main office is 5 Carlisle Road, Westford, MA 01886.

 

As of the Effective Date, Cynosure, LLC’s Corporate Affiliates include:

 

Corporate Affiliate	Address
Lotus Parent, Inc.	5 Carlisle Road, Westford, MA 01886
Lotus Buyer, Inc.	5 Carlisle Road, Westford, MA 01886
Cynosure Canada Medical Devices Company ULC	203 Exeter Road, Unit F, London, ON, N6L 1A4
Cynosure France SARL	132 Boulevard de Verdun, Courbevoie, France
Cynosure Maroc SARL	Rue 2 N°40 Wakanati, Route d’azemmour, Ain Diab
Cynosure GmbH	Schillerstraße 2,60313 Frankfurt am Main   Robert-Bosch-Str. 11A ; 63225 Langen /Baze c/o
Cynosure K.K.	2-17 Kagurazaka, Shinjuku-ku, Tokyo 162-0825   7-22-17 Nishigtotanda, Shinagawa-ku, Tokyo 141- 0031   5-14-22 Nishinakajima, Osaka-si Yodogawa-ku, Osaka 532-0011
Cynosure Korea Limited	6F Samwon Bldg, 651 Eonju-ro, Gangnam-gu, Seoul 06104 Korea   1F Plaza654 Bldg, 551 Eonju-ro, Gangnam-gu, Seoul, 06138 Korea B1F, Songam Bldg, 709 Eonju-ro, Gangnam-gu, Seoul 06053 Korea   #A-3003, 32 Centum 3-ro, Haeundae-gu, Busan 48060 Korea
Cynosure Mexico, S. de R.L. de C.V.	ALLE TIHUATLAN 41 602 SAN JERONIMO ACULCO DISTRITO FEDERAL 10400
Cynosure UK Ltd	Chiswick Tower, Floor 17, 389 Chiswick High Road, W4 4AJ   898 Plymouth Road, Slough Trading Estate, SL1 4LP
Palomar Medical Technologies, LLC	5 Carlisle Road, Westford, MA 01886
Cynosure B.V.	Veemarkt 143, 1019 CC Amsterdam, Netherlands
Cynosure Pty Ltd	31 Sabre Drive, Port Melbourne, VIC, 3207   14-16 Suakin Street, Pymble, NSW, 2073
Cynosure Spain S.L.	Edificio Ferbocar, 1º derecha Avenida de Quitapesares, 17, 28670 Villaviciosa de Odón, Madrid, Spain
Cynosure Portugal, Unipessoal, Limitada	Avda. da Republica, número 6 7 esquerdo 1050-191 Lisboa
Suzhou Cynosure Medical Devices Company Ltd	Room 1706-1707, No 555 Dongfeng Road, Yuexiu District, Guangzhou   Room Numbers: 03-110-2P and 03-109-4P 2A Worker Stadium North Road Chaoyang District, Beijing, China (PRC)   5F, Yuan Dong Da Sha, 575 Chang Xu Road, Suzhou Room: 203-204(1) Room: 204(2)-205 Room: 303 Room: 502-503 Room: 504-510

 

Alternative formats of this Privacy Policy are available to individuals with a disability. Please contact [email protected] for assistance.

 

If you provide us with information of an emergency contact, spouse, partner, dependent, or any other third party, it is your responsibility to obtain consent from that third party prior to sharing their information with us. If you are an Applicant, if you intend to provide us with information of a reference or any other third party as part of your application process, it is your responsibility to obtain consent from that third party prior to sharing their information with us.

 

If you are an Influencer, you may also be a consumer (as defined in Cynosure’s general Privacy Notice (available at https://www.cynosure.com/privacy-policy/ (the “General Privacy Notice”))). Such General Privacy Notice will apply to you to the extent you are a consumer (as defined therein) in your capacity as a consumer (as defined therein).

 

If you are a KOL, Influencer, or Advisor, you also may be a professional (as defined in Cynosure’s General Privacy Notice). Such General Privacy Notice will apply to you to the extent you are a professional (as defined therein) in your capacity as a professional (as defined therein).

 

Article I – In General

 

1. Definitions:

 

• “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively with any regulations promulgated thereunder).

 

• “European Data Protection Laws” means the GDPR and/or the UK Data Protection Laws, in each case to the extent applicable.

 

• “European Personal Data” means Personal Data to the extent our Processing of such Personal Data is regulated by the European Data Protection Laws.

 

• “GDPR” means the General Data Protection Regulation (EU) 2016/679.

 

• “Personal Data” means any information relating to any identified or identifiable Employee, Contractor or Applicant, and includes, without limitation, CCPA Information (as defined below). Personal Data excludes anonymous or de-identified data that cannot identify any natural person or household by any means reasonably available to anyone.

 

• “Processing” (including grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, erasure or destruction.

 

• “Sensitive Data” means European Personal Data: (i) that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) that constitutes genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; or (iii) relating to criminal convictions and offenses.

 

• “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).

 

• “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.

 

2. Personal Data Cynosure Collects: We may collect, store, and use the following types of Personal Data about you:

 

• Full legal name;
• Username;
• Date of birth;
• Address;
• Telephone number;
• Email address;
• Password;
• Social Security card and number (or equivalent);
• Spouse/partner/dependent/family information (including relationship to any existing Cynosure personnel);
• Race (the disclosure of this data element is voluntary);
• Sex;
• Gender;
• Ethnicity (the disclosure of this data element is voluntary);
• Pregnancy or childbirth and related medical conditions;
• Request for pregnancy disability leave;
• Medical condition;
• Request for family care leave;
• Request for leave for health issue;
• Trade union membership (the disclosure of this data element is voluntary);
• Immigration visa;
• Work eligibility;
• Income tax elections;
• Tax identification number;
• Driver’s license image and number;
• Non-driver identification card image and number;
• State-issued identification card image and number;
• Passport image and number;
• Military identification number;
• Military or veteran status (the disclosure of this data element is optional as part of the application process);
• Other unique identification number issued on a government document;
• Signature;
• Health Insurance policy information, including policy number and subscriber identification number;
• Health insurance application and claims history;
• Background check summary data;
• Education records (including grades);
• Transcripts;
• Employment;
• Current and past employer and job history;
• Reference checks;
• Bank account number;
• Records of products or services purchased for expense reimbursement purposes;
• Marital status;
• Browsing history;
• Search history;
• Information on your interaction with a website, application, or advertisement;
• Photograph (including “before and after” photographs if you are an Influencer);
• Resume;
• Curriculum vitae (“CV“);
• Substantive areas of expertise;
• Professional licenses and certifications;
• Cover letter;
• Payroll withholding information;
• Rate of pay and any other compensation paid;
• Starting date of employment or contract engagement;
• Job or contract applications, and/or other forms of employment or contract engagement inquiries submitted to us;
• Waivers and other employment or contractual engagement agreements;
• Termination notices;
• Documents related to discipline;
• Performance evaluations and other information related to job performance;
• GPS tracking data of company-owned service vehicle location, including real-time vehicle location and status, fuel usage, routes taken, driver location, trip tagging and miles per state, safe driving data such as speeding, braking, stop time, idle time, cornering, sudden acceleration, scoring based on driver behavior, data analytics based on the foregoing data;
• Monitoring and blocking of cell phone activities, including incoming and outgoing calls, sending and receiving text messages and accessing navigation and other applications;
• Audio and visual recordings, including of webinars/trainings;
• Call center telephone calls;
• If you are an Applicant who is not located in the European Economic Area, psychological and behavioral assessment data reflecting behavior and aptitude tendencies;
• Content you create or otherwise provide to us (including social media content you create if you are an Advisor, Influencer, or KOL);
• Content of interviews in which you may participate with medical writers and/or other media (if you are KOL);
• Social media handle and related information;
• Back-end social media performance metrics (if you are a KOL or Influencer);
• Feedback regarding our products and services (if you are a KOL or Advisor);
• Products owned, purchased, and/or considered (if you are a KOL or Advisor);
• Financial and payment disclosure information, including stocks and proprietary interests;
• Content of messages sent to or from Cynosure accounts, devices, or systems;
• Other similar identifiers.

 

With respect to Employees, Applicants, and Contractors, we may obtain the above information from you, from third-party sources (including recruiters) and/or from publicly available sources, such as government data bases and social media sites, including LinkedIn.

 

Except where otherwise noted above, our collection, storage, use, and Processing of the foregoing types of Personal Data is required in order to facilitate the Employment Relationship (as defined below) or Contractor Relationship (as defined below) or, in the case of Applicants, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).

 

3. Use of Personal Data: We Process Personal Data for the following business or commercial purposes: (i) in the case of Employees, to facilitate, administer and carry out the employer-employee relationship between you and Cynosure (including, without limitation, staffing of projects, verifying eligibility for employment, evaluating eligibility for prospective future positions, benefits administration and payroll and human resources functions, and serving as a reference for prospective employees, the “Employment Relationship“); (ii) in the case of Contractors, to facilitate the business relationship between you and Cynosure, including to facilitate your provision of services to Cynosure and Cynosure’s payment to you in consideration for such services, in each case in accordance with the terms and conditions of your agreement with Cynosure (the “Contractor Relationship“); and (iii) in the case of Applicants, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable). Without limitation of the foregoing, if you are an Employee who is a member of our service team, we may use your address to send parts to your home to enable you to perform your tasks in furtherance of the Employment Relationship. In addition, we may Process certain Personal Data for the protection of Cynosure’s rights and the rights of third parties.

 

• Lawful Basis for Processing. This Article I Section 3.1 shall apply only to European Personal Data. Cynosure acts as the controller (as defined in the European Data Protection Laws) of your European Personal Data that Cynosure Processes under this Privacy Policy. We will Process your European Personal Data only to the extent the law allows us to do so. Most commonly, we will use your European Personal Data in the following circumstances:

 

• Where we need to Process your European Personal Data in order to perform the contract we have entered into with you.

 

• Where we need to comply with a legal obligation.

 

• Where it is necessary for our legitimate interests (or those of a third party) in facilitating the Employment Relationship or Contractor Relationship or, in the case of Applicants, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable), and where your interests and fundamental rights do not override those interests.

 

We may also Process your European Personal Data in the following situations, which are likely to be rare: (i) where we need to protect your interests (or someone else’s interests); or (ii) where it is needed in the public interest or for official purposes.

 

• Sensitive Data: This Article I Section 3.2 shall apply only to European Personal Data. In general, we will not Process Sensitive Data about you unless it is necessary in facilitating the Employment Relationship or Contractor Relationship or, in the case of Applicants, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable). On rare occasions, there may be other reasons for Processing, such as it is in the public interest to do so. Apart from Processing as necessary in facilitating the Employment Relationship or Contractor Relationship or, in the case of Applicants, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable), the situations in which we will Process your Sensitive Data are listed below. We have indicated the purpose or purposes for which we are Processing or will Process your Sensitive Data.

 

• We may use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions, and permanent health insurance. We need to Process this information to exercise rights and perform obligations in connection with your employment.

 

• We may use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting and for work permit purposes.

 

• We may use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.

 

• Retention. We will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of that information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

4. Disclosures of Personal Data for a Business or Commercial Purpose: Cynosure may disclose your Personal Data described above to the following categories of third parties for the business or commercial purposes described below.

 

• Cynosure Customers, Prospective Customers, and Social Media Followers: Cynosure may disclose the Personal Data of Employees and/or Contractors to Cynosure’s customers (in connection with Cynosure’s provision of services to customers) and/or prospective customers (in connection with Cynosure’s business development efforts with respect to prospective customers). Cynosure may also disclose your CV information, substantive areas of expertise, and your photograph to its social media followers.

 

• Laws and Legal Rights: Cynosure may disclose your Personal Data if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, lawful requests by public authorities, including to meet national security or law enforcement requirements, or other valid legal process. We may disclose Personal Data in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating a contract with us, to detect fraud, for assistance with a delinquent account, or to protect the safety and/or security of our employees, users, Cynosure’s intellectual property or the general public.

 

• Outside Contractors: We may employ independent contractors, vendors and suppliers (collectively, “Outside Contractors”) to provide specific services and products related to our business, including the Employment Relationship or Contractor Relationship, such as (in the case of Employees only) facilitating payroll or administering benefits, or (in the case of Applicants) facilitating the application process, or (in the case of Employees, Contractors, and Applicants) data storage and hosting providers. In the course of providing products or services to us, these Outside Contractors may have access to your Personal Data. We use reasonable efforts intended to ensure that these Outside Contractors are capable of protecting the security of your Personal Data. Without limitation of the foregoing, if you are an Influencer, we may share your Personal Data with KOLs and if you are a KOL we may share your Personal Data with Influencers.

 

• Investment in, or Sale of, Business: We reserve the right to transfer Personal Data to a third party in connection with a sale, merger or other transfer of all or substantially all of the assets of Cynosure or any of its Corporate Affiliates (as defined below), or that portion of Cynosure or any of its Corporate Affiliates to which the Employment Relationship or Contractor Relationship relates, or in connection with a strategic investment by a third party in Cynosure, or in the event that we discontinue our business or file a petition or have filed against us a petition in bankruptcy, reorganization or similar proceeding.

 

• Corporate Affiliates: We may disclose your Personal Data to our Corporate Affiliates. “Corporate Affiliate” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Cynosure, LLC, whether by ownership or otherwise; and “control” means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of fifty percent (50%) or more of the voting securities, by contract or otherwise.

 

Article II – European Data Protection Laws Rights

 

This Article II shall apply only to European Personal Data. Under certain circumstances and in compliance with the European Data Protection Laws, you may have the right to:

 

Request access to your European Personal Data (commonly known as a subject access request). This enables you to receive a copy of the European Personal Data we hold about you and to check that we are lawfully Processing it;

 

Request correction of the European Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

 

Request erasure of your European Personal Data. This enables you to ask us to delete or remove your European Personal Data where there is no good reason for us to continue Processing it. You also have the right to ask us to delete or remove all of your European Personal Data in certain circumstances;

 

Object to Processing of your European Personal Data where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to Processing on this ground;

 

Request the restriction of Processing of your European Personal Data. This enables you to ask us to suspend the Processing of your European Personal Data, for example, if you want us to establish its accuracy or the reason for Processing it;

 

Request the transfer of your European Personal Data to another party; and

 

Lodge a complaint with the relevant supervisory authority (as defined in the European Data Protection Laws). If you have any complaints about the way we Process your European Personal Data, please do contact us. Alternatively, you may lodge a complaint with the supervisory authority which is established in your country.

 

If you wish to exercise any of the rights set out above, please contact us at [email protected]. Please note that Cynosure reserves the right to refuse any request to exercise such rights to the extent permitted by applicable law.

 

Article III – International Data Transfers

 

This Article III shall apply only to your European Personal Data. European Personal Data collected by Cynosure under this Privacy Policy may be transferred from time to time to our offices or personnel, or to third parties, located throughout the world, including countries that may not have laws of general applicability regulating the use and transfer of such European Personal Data or that do not ensure adequate protection for European Personal Data (as determined by the European Commission or the UK Information Commissioner’s Office (as applicable)), including without limitation the United States. To the extent required by applicable law: whenever we transfer your European Personal Data to third parties located in countries that do not ensure adequate protection for European Personal Data (as determined by the European Commission or the UK Information Commissioner’s Office (as applicable), and including without limitation the United States, each, an “Inadequate Jurisdiction”), we ensure a similar degree of protection is afforded to it; we may use specific contracts approved by the European Commission or the UK Information Commissioner’s Office (as applicable) which give European Personal Data the same protection it has in the European Economic Area or the United Kingdom (as applicable) under the European Data Protection Laws; and if we rely on another basis to transfer your European Personal Data to an Inadequate Jurisdiction, we will keep you updated or contact you if required. Please contact us if you want further information on the specific mechanisms used by us when transferring your European Personal Data to an Inadequate Jurisdiction.

 

Article IV – Privacy Notice for California Employees, Contractors, and Applicants

 

This Article IV shall apply only to the extent that we are regulated as a business under the CCPA. This Article IV shall apply to you only if you are a California resident.

 

As used in this Article IV, “sell” (including any grammatically inflected forms thereof) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, CCPA Information (as defined below) to a third party for monetary or other valuable consideration.

 

“Selling” does not include (i) disclosing CCPA Information to a third party at your direction, (ii) where you intentionally interact with one or more third parties, or (iii) transfers of your CCPA Information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of Cynosure, provided that information is used or shared consistent with the CCPA.

 

As used in this Article IV, “share” (including any grammatically inflected forms thereof) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, CCPA Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions with a third party for cross-context behavioral advertising for our benefit in which no money is exchanged.

 

“Sharing” does not include (i) disclosing CCPA Information to a third party at your direction, (ii) where you intentionally interact with one or more third parties, or (iii) transfers of your CCPA Information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of Cynosure, provided that information is used or shared consistently with the CCPA.

 

1. CCPA Information Collected: We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household to the extent you are a California resident (“CCPA Information”). CCPA Information does not include deidentified or aggregated information, publicly available information or lawfully obtained, truthful information that is a matter of public concern, or any other information that is excepted from the definition of “personal information” under the CCPA, or any information that is otherwise not regulated by the CCPA. For purposes of this Section 1, “publicly available information” means information that is lawfully made available from federal, state, or local government records, or information that we have a reasonable basis to believe is lawfully made available to the general public by you or from widely distributed media, or information made available by a person to whom you have disclosed the information if you have not restricted the information to a specific audience.

 

For purposes hereof, “Sensitive CCPA Information” means: (1) CCPA Information that reveals (A) your social security, driver’s license, state identification card, or passport number; (B) your account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) your precise geolocation; (D) your racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of your mail, email, and text messages, unless we are the intended recipient of the communication; (F) your genetic data; and (2)(A) CCPA Information consisting of biometric information Processed for the purpose of uniquely identifying you; (B) CCPA Information collected and analyzed concerning your health; or (C) CCPA Information collected and analyzed concerning your sex life or sexual orientation. We use or disclose your Sensitive CCPA Information, provided that we only use or disclose your Sensitive CCPA Information for the purposes specified in Section 7027(m) of the CCPA regulations, and we only collect or Process Sensitive CCPA Information without the purpose of inferring characteristics about you.

 

In particular, with respect to Employees, Applicants, and Contractors, we have collected the following categories of CCPA Information within the last twelve (12) months and we may collect the following categories of CCPA Information:

 

Category	CCPA Information collected	Purposes (including business or commercial purposes) for which we collect or use CCPA Information	Categories of third parties with whom we have shared CCPA Information and the business or commercial purpose for sharing such CCPA Information	Categories of third parties to whom we have sold CCPA Information and the business or commercial purpose for selling such CCPA Information	Categories of third parties to whom we have disclosed CCPA Information for a business purpose and the business or commercial purposes for disclosing CCPA Information	Categories of sources from which CCPA Information is collected
A. Identifiers.	Full legal name, username, password, date of birth, Social Security card and number (or equivalent), email address, address, telephone number, gender, signature, photograph (including “before and after” photographs if you are an Influencer), spouse/partner/dependent/ family information (including relationship to any existing Cynosure personnel), emergency contact information, immigration visa, driver’s license image and number, non-driver identification card image and number, state-issued identification card image and number, tax identification number, passport image and number, military identification number, or other unique identification number issued on a government document, content you create or otherwise provide to us (including social media content you create if you are an Advisor, Influencer, or KOL), content of interviews in which you may participate with medical writers and/or other media (if you are KOL), social media handle and related information, financial and payment disclosure information, including stocks and proprietary interests (if you are an Advisor), content of messages sent to or from Cynosure accounts, devices, or systems, and other similar identifiers.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable). Protection of Cynosure’s rights and the rights of third parties.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates. Company customers and prospective customers. KOLs (if you are an Influencer). Influencers (if you are a KOL).	Submitted to us by you or by employment recruiters.   Collected from publicly available sources, such as LinkedIn. Collected through our IT systems when you use them.
B. Personal information described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	Name, Social Security card and number (or equivalent), email address, address, education, employment, employment history, medical information, bank account number, health insurance policy information, including policy number and subscriber identification number, health insurance application and claims history, driver’s license image and number, non-driver identification card image and number, state-issued identification card image and number, tax identification number, passport image and number, military identification number, or other unique identification number issued on a government document.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates. Company customers and prospective customers (but only to the extent such CCPA Information elements are also listed in Category A above).	Submitted to us by you or by employment recruiters.   Collected from publicly available sources, such as LinkedIn.
C. Protected classification characteristics under California or federal law.	Race (the disclosure of this data element is voluntary), ethnicity (the disclosure of this data element is voluntary), sex, gender, pregnancy or childbirth and related medical conditions, income tax elections, trade union membership (the disclosure of this data element is voluntary), military or veteran status; marital status, medical condition, request for family care leave, request for leave for health issue, request for pregnancy disability leave.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. KOLs (if you are an Influencer). Corporate Affiliates.	Submitted to us by you or by employment recruiters.
D. Commercial information.	Records of products or services purchased for expense reimbursement purposes; feedback regarding our products and services (if you are a KOL or Advisor); products owned, purchased, and/or considered (if you are a KOL or Advisor).	If you are an Employee or a Contractor, to facilitate expense reimbursement.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you.
E. Biometric information.	N/A	N/A	N/A	N/A	N/A	N/A
F. Internet or other electronic network activity information.	Browsing history, search history, back-end social media performance metrics (if you are a KOL or Influencer), information on your interaction with a website, application, or advertisement.	If you are an Employee or a Contractor, to facilitate the Employment or Contractor relationship (as applicable) and to protect the integrity of our systems, hardware, infrastructure, and general ethical well-being.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Collected when you interact with our IT systems.
G. Geolocation data.	GPS tracking data of company-owned service vehicle location, including real-time vehicle location and status, fuel usage, routes taken, driver location, trip tagging and miles per state, safe driving data such as speeding, braking, stop time, idle time, cornering, sudden acceleration, scoring based on driver behavior, data analytics based on the foregoing data. Monitoring and blocking of cell phone activities, including incoming and outgoing calls, sending and receiving text messages and accessing navigation and other applications.	To monitor usage of Company-owned service vehicles for safety and other purposes and to facilitate the Employee or Contractor relationship as applicable.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Collected through our IT systems when you operate a company-owned service vehicle.
H. Audio, electronic, visual, thermal, olfactory, or similar information.	Audio and visual recordings, including of webinars/trainings, call center telephone calls.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates. Customers. Website users.	Collected when you interact with our IT systems.
I. Professional or employment-related information.	Employment, current and past employer and job history, performance evaluations other information related to job performance, substantive areas of expertise, professional licenses and certifications, payroll withholding information, work eligibility, background check summary data, reference checks, rate of pay and any other compensation paid, starting date of employment or contract engagement, resume, CV, cover letter, job or contract applications, and/or other forms of employment or contract engagement inquiries submitted to us, waivers and other employment or contractual engagement agreements, termination notices, documents related to discipline.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).			In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you or by employment recruiters.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records including grades, transcripts.	If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you or by employment recruiters.
K. Inferences drawn from other personal information.	Psychological and behavioral assessment data reflecting behavior and aptitude tendencies.	If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Generated by us or by a third party on our behalf.

 

Sensitive CCPA Information Category	Sensitive CCPA Information collected	Purposes (including business or commercial purposes) for which we collect or use Sensitive CCPA Information	Categories of third parties with whom we have shared Sensitive CCPA Information and the business or commercial purpose for sharing such Sensitive CCPA Information	Categories of third parties to whom we have sold Sensitive CCPA Information and the business or commercial purpose for selling such Sensitive CCPA Information	Categories of third parties to whom we have disclosed Sensitive CCPA Information for a business purpose and the business or commercial purposes for disclosing Sensitive CCPA Information	Categories of sources from which Sensitive CCPA Information is collected
A. Government identifiers (social security, driver’s license, state identification card, or passport number)	Social security card and number (or equivalent), Tax identification number, driver’s license image and number, non-driver identification card image and number, state-issued identification card image and number, passport image and number, military identification number, other unique identification number issued on a government document.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you or by employment recruiters.
B. Complete account access credentials (account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account)	Username and password.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. If you are an Applicant, to evaluate whether or not to enter into an Employment Relationship with you or to engage you as a Contractor (as applicable).	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you or by employment recruiters.
C. Precise geolocation	GPS tracking data of company-owned service vehicle location, including real-time vehicle location and status, fuel usage, routes taken, driver location, trip tagging and miles per state, safe driving data such as speeding, braking, stop time, idle time, cornering, sudden acceleration, scoring based on driver behavior, data analytics based on the foregoing data. Monitoring and blocking of cell phone activities, including incoming and outgoing calls, sending and receiving text messages and accessing navigation and other applications.	To monitor usage of Company-owned service vehicles for safety and other purposes and to facilitate the Employee or Contractor relationship as applicable.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Collected through our IT systems when you operate a company-owned service vehicle.
D. Racial or ethnic origin	Race (the disclosure of this data element is voluntary) and ethnicity (the disclosure of this data element is voluntary).	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. KOLs (if you are an Influencer). Corporate Affiliates.	Submitted to us by you or by employment recruiters.
E. Religious or philosophical beliefs	N/A	N/A	N/A	N/A	N/A	N/A
F. Union membership	Trade union membership (the disclosure of this data element is voluntary).	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you or by employment recruiters.
G. Genetic data	N/A	N/A	N/A	N/A	N/A	N/A
H.	Content of messages sent to or from Cynosure accounts, devices, or systems.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship. Protection of Cynosure’s rights and the rights of third parties.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Collected through our IT systems when you use them.
I. Biometric information Processed for the purpose of uniquely identifying you	N/A	N/A	N/A	N/A	N/A	N/A
J. Health information	Pregnancy or childbirth and related medical conditions, request for pregnancy disability leave, medical condition, request for family care leave, request for leave for health issue, health Insurance policy information, including policy number and subscriber identification number, and health insurance application and claims history.	If you are an Employee, to facilitate the Employment Relationship. If you are a Contractor, to facilitate the Contractor Relationship.	N/A	N/A	In each case for the business or commercial purpose as set out in column 3 of this table: Outside Contractors, as further described in Article I Section 4.3 above. Corporate Affiliates.	Submitted to us by you.
K. Information concerning sex life or sexual orientation	N/A	N/A	N/A	N/A	N/A	N/A

 

2. Purposes for Collection of CCPA Information; Categories of Sources: We collect CCPA Information for the business or commercial purposes described in the tables above and as described in Article I Section 3 of this Privacy Policy with respect to Personal Data. Regarding the categories of sources from which CCPA Information is collected, we collect CCPA Information from the categories of sources described in the tables above and in the manner described in Article I Section 2 of this Privacy Policy with respect to Personal Data.

 

3. Disclosures of CCPA Information for a Business or Commercial Purpose: Cynosure may disclose your CCPA Information described in the tables above to a third party for a business or commercial purpose, as described in the tables above and in Article I Section 4 of this Privacy Policy with respect to Personal Data. In the preceding twelve (12) months, Cynosure has disclosed each of the categories of CCPA Information described in the tables above for a business or commercial purpose to the categories of third parties described in the tables above.

 

4. Sharing and Sales of CCPA Information:

 

1. In the preceding twelve (12) months, Cynosure has not shared or sold, nor does it or will it share or sell, CCPA Information that is subject to this Privacy Policy.

 

5. California Residents’ Rights and Choices: The CCPA provides California residents with specific rights regarding their CCPA Information. This Article IV Section 5 describes your CCPA rights (to the extent applicable to you) and explains how to exercise those rights.

 

1. Access to Specific Information and Data Portability Rights: You may have the right to request that Cynosure disclose certain information to you about our collection and use of your CCPA Information over the past twelve (12) months or such other period required by the CCPA. Once we receive and confirm your verifiable request (in the manner described in Section 6 below), to the extent required by the CCPA, we will disclose to you:

 

• The categories of CCPA Information we collected about you.

 

• The categories of sources for the CCPA Information we collected about you.

 

• Our business or commercial purpose for collecting that CCPA Information.

 

• The categories of third parties to whom we disclose that CCPA Information.

 

• The specific pieces of CCPA Information we collected about you (also called a data portability request).

 

• If we disclosed your CCPA Information for a business or commercial purpose, a list disclosing disclosures for a business or commercial purpose, identifying the categories of recipients to whom such CCPA Information was disclosed and the CCPA Information categories that each category of recipient obtained.

 

2. Deletion Request Rights: You have the right to request that Cynosure delete any of your CCPA Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable request from you or your authorized agent (in each case if you are a California resident) in the manner described in Section 6 below (“verifiable request”), we will delete (and notify our service providers and/or contractors to delete, unless this proves impossible or involves disproportionate effort) your CCPA Information from our records, unless an exception applies or retention of your CCPA Information is otherwise permitted by the CCPA. We may deny your deletion request if retaining the information is reasonably necessary for us or our service provider(s) and/or contractor(s) to:

 

• Complete the transaction for which we collected the CCPA Information, provide a product or service that you requested, take actions reasonably anticipated by you within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.

 

• Help to ensure security and integrity to the extent the use of your CCPA Information is reasonably necessary and proportionate for those purposes.

 

• Debug to identify and repair errors that impair existing intended functionality.

 

• Exercise free speech, ensure the right of another individual to exercise that individual’s free speech rights, or exercise another right provided for by law.

 

• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).

 

• Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the ability to complete the research, if you have provided informed consent.

 

• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us and compatible with the context in which you provided the information.

 

• Comply with a legal obligation.

 

• Correction Request Rights: You have the right to request that we correct inaccurate CCPA Information about you that we maintain, taking into account the nature of the CCPA Information and the purposes of the Processing of the CCPA Information. If we receive a verifiable request from you to correct inaccurate CCPA Information, we will use commercially reasonable efforts to correct such inaccurate CCPA Information as directed by you, pursuant to Section 1798.130 of the CCPA and regulations adopted pursuant to the CCPA.

 

6. Exercising Access, Data Portability, Correction, and Deletion Rights:

 

1. To exercise the access, data portability, correction, and deletion rights described in Section 5 above, please submit a verifiable request to us by either: (1) calling us at 800.886.2966; (2) visiting cynosure.com; or (3) contacting us at [email protected]. Only you, or someone legally authorized to act on your behalf (such as an authorized agent), may make a verifiable request related to your CCPA Information. Someone legally authorized to act on your behalf (such as an authorized agent) may make a verifiable request on your behalf, provided that you have duly authorized that person or entity to make such a verifiable request on your behalf and provided that that person or entity can provide verification of their authority to make such a request on your behalf where required. You may also make a verifiable request on behalf of your minor child. You may make a verifiable request for access or data portability no more than twice within a twelve (12) month period. The verifiable request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected CCPA Information or an authorized agent; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with CCPA Information if we cannot verify your identity or authority to make the request and confirm the CCPA Information relates to you. Making a verifiable request does not require you to create an account with us. We will only use CCPA Information provided for the purposes of verification of a verifiable request to verify the requestor’s identity or authority to make the request. In the event you make a request under this Article IV Section 6.1, where necessary, we may take various approaches to verify your identity depending on the nature of your request.

 

2. We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. If you have an account with us, we may deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your CCPA Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify you of the reason for refusing the request.

 

7. Non-Discrimination

 

• We will not discriminate against you for exercising any of your CCPA rights, including, unless permitted by the CCPA, by:

 

• Denying you goods or services;

 

• Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;

 

• Providing you a different level or quality of goods or services;

 

• Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services; or

 

• Retaliating against an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145 of the CCPA for exercising their rights under the CCPA.

8. CCPA Information Retention. We will only retain your CCPA Information (including sensitive CCPA Information) for as long as necessary to fulfill the purposes for which we collected it or as otherwise permitted by applicable law. To determine the appropriate retention period for CCPA Information, we consider the amount, nature, and sensitivity of that CCPA Information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we Process your CCPA Information and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

9. Contact. If you have any questions or concerns relating to this Privacy Policy and/or our CCPA Information practices, please contact us at [email protected].

 

Article V – Miscellaneous

 

In this Privacy Policy, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) the titles and subtitles used in this Privacy Policy are used for convenience only and are not to be considered in construing or interpreting this Privacy Policy; (iii) “hereunder,” “hereof,” “hereto,”  and words of similar import shall be deemed references to this Privacy Policy as a whole and not to any particular Section or Subsection of this Privacy Policy; (iv) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term; and (viii) where not inconsistent with the context, the word “or” is not exclusive.