Privacy Policy

Data privacy and security is important to OnCore.

Please read the following carefully. Your privacy is of supreme importance to OnCore Inc. (hereinafter referred to as “OnCore”, “we”, “us” or “our”, which terms shall also include our Affiliates. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with us.) This privacy and cookies policy (“Privacy Policy”) applies to all SaaS offered by OnCore (the “Service”).

This Privacy Policy sets out the basis on which any Personal Data which we collect from you, or that you provide to us, will be processed by us. In this Privacy Policy, the term “Personal Data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, our possession, and includes personal data as described in Data Protection Legislation (as defined below).

Sharing information on the “Contact” page and “Demo” page of our website www.oncorehcm.com indicates that you have reviewed this Privacy Policy and have agreed to abide by it. You will be required to explicitly accept this Privacy Policy before registering your request for an application demo. If you do not agree to these terms you must leave our website immediately. If you choose to accept this Privacy Policy, we will keep a record of your acceptance in this regard.

We will handle your Personal Data in accordance with Data Protection Legislation. “Data Protection Legislation” means the Data Protection Acts 1988 and 2003 and Directive 95/46/EC, any other applicable law or regulation relating to the processing of personal data and to privacy (including the E-Privacy Directive), as such legislation shall be amended, revised or replaced from time to time, including by operation of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (and laws implementing or supplementing the GDPR).

Information we gather from you

We fully respect your right to privacy in relation to your interactions with the Service and endeavor to be transparent in our dealings with you as to what information we will collect and how we will use your information. Also, we only collect and use individuals’ information where we are legally entitled to do so.

You may use forms on the “Contact” page and “Demo” page in order to register your demo request with us. The registration process asks for a name, phone number, and email address. When you visit our website, our servers automatically record information that your browser sends. These server logs may include information such as your web request, Internet Protocol address, browser type and settings, browser language, the address of the web page visited before using the Service, the date and time the website was used, information about browser configuration and plugins, language preferences and one or more cookies that may uniquely identify your browser. When you send email or other communication to OnCore, we may retain those communications in order to process your inquiries, respond to your requests and improve our Service (any Personal Data that we collect from you for these purposes is hereinafter referred to together as “Your Data”). OnCore is a Data Controller and / Processor (as defined in Data Protection Legislation) in respect of Your Data. The legal basis upon which we process Your Data is our legitimate interest to provide the Services to you.

Your Data is separate from and should be distinguished from User Uploaded Data. “User Uploaded Data” is data (which may include Personal Data) uploaded by you or others through “Contact” page. OnCore is a Data Controller and / Data Processor (as defined in Data Protection Legislation) in respect of the User Uploaded Data.

You can change your stated interests in respect of whether or not you wish to receive direct marketing from us by clicking ‘unsubscribe’ on any direct marketing electronic communication which you receive from us.

If you are aged 18 or under, please get your parent/guardian’s permission before you provide Your Data to us.

Why we collect/have access to your information

OnCore only processes Your Data for the purpose of responding, providing, improving, and ensuring the delivery of the Service. Specifically, we may collect (i) names, phone numbers and email addresses for uniquely identifying users and for communication with users; (ii) IP addresses, to identify latency for the user (having an IP address helps us establish a better path and protocol) and to identify misuse of our service from one IP address, region or country; and (iii) information through the use of cookies (see the Cookies section below).

Cookies

A cookie is a small text file that is placed on your device by a web server which enables a website to recognize repeat users, facilitate the user’s ongoing access to and use of a website and allows the website to track usage behavior and compile aggregate data that will allow content improvements and targeted advertising. We collate information in relation to the Service, which is represented in aggregate format through cookies. They help us to improve our Service and to deliver many of the functions that make your browser experience more user friendly.

By using the Service and accepting the terms of this Privacy Policy, you are consenting to the use of cookies as described in this Privacy Policy (i.e. you are agreeing to the placement of cookies on your device unless you specifically choose not to receive cookies). The ‘Help Menu’ on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on’s settings or visiting the website of its manufacturer.

However, because cookies allow you to take advantage of some of the Service’s essential features, we recommend you leave them turned on as otherwise you may not be able to fully experience the interactive features of the Service or other related websites which you visit.

We may contact you:

  • to respond to your queries about our services in respect to the choices you made on the Contact form.
  • to provide you with information about our Service, activities, including sending e-newsletters or similar correspondence and updates or responding to any contact you have made with us, e.g. on our website, by email or via the ‘Contact’ facility.

Where we wish to use Your Data in any other way, we will ensure that we notify you and get your consent first. You will be given the opportunity to withhold or withdraw your consent for the use of Your Data for purposes other than those listed in this Privacy Policy.

Withdrawal of consents 

If you no longer consent to our processing of Your Data (in respect of any matter referred to in this Privacy Policy as requiring your consent), you may request that we cease such processing by contacting us via email or phone facility. Please note that if you withdraw your consent to such processing, for example in respect of the use of cookies, it may not be possible for us to provide all/part of the Service to you.

In the case of User Uploaded Data, OnCore is the data controller and / processor – withdrawals of consent in respect of User Uploaded Data must be made by the relevant data subject to us, and we can then take action in relation to the processing of such User Uploaded Data – this in reality means that it may not be possible to continue to use the Service in respect of such User Uploaded Data.

Who we share your data with

OnCore will not share Your Data without your consent or unless required by law (except as set out in this Privacy Policy). If OnCore becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will provide notice before Your Data is transferred to any third party.

Your Data may be transferred to, stored at, or accessed from a destination outside the European Economic Area (“EEA”) for the purposes of us providing the Service. It may also be processed by staff operating outside the EEA who work for us.

By submitting Your Data, you explicitly consent to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that Your Data is treated securely and in accordance with this Policy. The safeguards in place with regard to the transfer of Your Data outside of the EEA are the entry by us into appropriate contracts with all transferees of such data. All information you provide to us is stored on our (or contracted third party) secure servers.

How do we protect your personal information 

We do our utmost to protect user privacy through the appropriate use of security technology. We restrict access to Your Data to employees, contractors and agents who need to know Your Data in order to operate, develop or improve the services that we provide. We ensure that we have appropriate physical and technological security measures to protect your information; and we ensure that when we outsource any processes, the service provider has appropriate security measures in place. However, the Service may contain hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies, including cookies. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.

We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing of Your Data. In particular, we will consider the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Your Data transmitted, stored or otherwise processed.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect Your Data, we cannot guarantee the security of any data transmitted to us and any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. To the extent permitted by law, we are not responsible for any delays, delivery failures, or any other loss or damage resulting from (i) the transfer of data over communications networks and facilities, including the internet, or (ii) any delay or delivery failure on the part of any other service provider not contracted by us, and you acknowledge that the Service may be subject to limitations, delays and other problems inherent in the use of such communications facilities. You will appreciate that we cannot guarantee the absolute prevention of cyber-attacks such as hacking, spyware and viruses. Accordingly, you will not hold us liable for any unauthorized disclosure, loss or destruction of Your Data arising from such risks.

Breach reporting 

We will notify serious data breaches in respect of Your Data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made after 72 hours, we will record a reasoned justification for the delay; however, it is not necessary to notify the DPC where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A Personal Data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

We will keep a record of any data breaches, including their effects and the remedial action taken, and will notify you of any data breach affecting your Personal Data (which poses a high risk to you) when we are required to do so under Data Protection Legislation.

We will not be required to notify you of a data breach where:

  • we have implemented appropriate technical and organizational measures that render the Personal Data unintelligible to anyone not authorized to access it, such as encryption; or
  • we have taken subsequent measures which ensure that the high risk to data subjects is not likely to materialize; or
  • it would involve disproportionate effort, in which case we may make a public communication instead.

In the event of a serious data breach in respect of User Uploaded Data, we will notify the relevant Data Controller of such breach as soon as reasonably practical.

Retention of personal data 

In general, User Uploaded Data that you provide to us, and any logs created by us relating to User Uploaded Data, will be kept and stored for 365 days from the date of upload/creation, after which point OnCore may delete personal data.

Your Data will be kept and stored for such period as we deem necessary taking into account the purpose for which it was collected in the first instance and our obligations under Data Protection Legislation. This may include retaining Your Data as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.

Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyze personal characteristics about you.

Amendments to Privacy Policy

OnCore may change its Privacy Policy from time to time and at OnCore’s sole discretion. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to use the Service to submit Your Data. If material changes are made to the Privacy Policy, we will notify you by placing a prominent notice on our website or by sending you a notification in relation to this. We will not process Your Data in a manner not contemplated by this Privacy Policy without your consent.

How to contact us 

If you need to contact us with regard to any of your rights as set out in this Policy, all such requests should be made in writing by email to getintouch@oncorehcm.com.

OnCore HIPAA PRIVACY POLICY


Data privacy and security is important to OnCore Human Capital Management

At OnCore, we understand the importance of maintaining the privacy of your personal information. The prime objective of introducing the HIPAA Privacy Policy is to assure you that we take proactive measures to protect your Personal Health Information (PHI). The policy will explain how we use, disclose and protect your PHI in compliance with the Health Insurance Portability and Accountability Act (HIPAA) as amended by the HITECH (Health Information Technology for Economic and Clinical Health) Act, Title XIII of Division A of the American Recovery and Reinvestment Act, 2009.


Business Associate Agreement:

A Business Associate (BA) Agreement is the formal written contract between Business Associate and Covered Entity that requires Business Associate to comply with specified requirements related to PHI.

As per HIPAA rules, “Covered Entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.”

As an OnCore user, if you disclose any specific individually identifiable information or PHI to OnCore, then receipt and use of such information by OnCore under its agreements will make OnCore a “Business Associate” to you, as defined by HIPAA. Thus, in accordance with HIPAA, Covered Entity and OnCore must agree in writing in the form of a BA Agreement to comply with certain provisions relating to PHI’s uses, disclosures and safeguards.

The BA agreement applies to you only when you already are or become a Covered Entity as per HIPAA rules and OnCore is or becomes your Business Associate as defined by HIPAA. The agreement execution does not automatically entitle you to become a Covered Entity or OnCore to become a Business Associate.

The BA agreement will replace all other agreements between you and OnCore with respect to the subject matter therein, unless there is an otherwise written agreement between the two parties.

To get answers to any questions related to the Business Associate Agreement, please contact your OnCore representative.


Use and Disclosure of PHI

We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to Covered Entities, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.

In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.

We may also use PHI to report violations of law to appropriate federal and state authorities.


Safeguards

We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity.

Such safeguards include:

  • Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
  • Providing appropriate training for our staff to assure that our staff complies with our security policies;
  • Making use of appropriate encryption when transmitting PHI over the Internet;
  • Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
  • Utilizing appropriate authentication and access controls to safeguard PHI;
  • Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
  • Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.

Mitigation of Harm

In the event of a use or disclosure of PHI that is in violation of the requirements of the BA agreement, we will mitigate, to the extent practicable, any harmful effect resulting from the violation.

Such mitigation will include:

  • Reporting any use or disclosure of PHI not provided for by the BA Agreement and any security incident of which we become aware to the Covered Entity; and
  • Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Access to PHI

As provided in the BA Agreement, we will make available to Covered Entities, information necessary for Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.


Changes in HIPAA Privacy Policy

This HIPAA Privacy Policy is subject to change. If any changes occur, you will be notified through a proper notice. The changes will appear on the website and other locations depending upon the extent and scope of changes.


Acceptance of HIPAA Privacy Policy

When you access and use the OnCore website, it will be assumed that you have acknowledged and accepted our HIPAA Privacy Policy along with the terms and conditions of the Business Associate Agreement.


Contact Us

If you have any questions about our HIPAA Privacy Policy, you may contact us at getintouch@oncorehcm.com.