ZS|Medullan Privacy Policy

Medullan Privacy Policy

Medullan, Inc. is committed to protecting your privacy and providing you with a positive experience. This Privacy Policy applies to both the Medullan Website and Medullan’s consulting and/or product platform and design services. We refer to all of these as “Services” in this policy. The policy identifies the information collected, how it is used, shared, stored, secured, and the access and control of your information. When required for the Services, we may also transfer or process that information internationally. Please note, to the extent a notice is provided at the time of collection, on a website, or a solution specific privacy statement, conflicts with this Privacy Policy, such specific notice or supplemental privacy statement will control.

Medullan is now a part of ZS whose data privacy practices can be reviewed in their Privacy Policy.

Data collected may include personal information collected about you, as you use our website, interact with us, and utilize the Services. “Personal Information” is any information that can be used to identify an individual, and may include name, address, email address, phone number, login information (account number, password), marketing preferences, payment information including name/contact/billing and tax information, and content you provide when participating in any interactive surveys, activities, or events.

Medullan will gather some information automatically when you visit this website, and when you use our Services. 

Medullan uses Google Analytics to gather this data to determine customer and Website needs, and to optimize the website for your viewing. Medullan may also use the information to deliver, support, analyze, and improve the Services solution you have requested. Generic information will not reveal the identity of the visitor to this website.


Third Parties

Medullan will only disclose personal data to third parties other than law enforcement or a sub-processor at the instruction of the user where there is a lawful basis to do so. Medullan will also share, transfer, or disclose the information in our databases and server logs in the event of our sale, merger, reorganization, dissolution, or similar event.

Requirement to Disclose

Medullan may disclose personal data in special cases when we have a good faith belief that such action is necessary to: a) conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements; b) protect and defend our rights or property; c) enforce the website Terms and Conditions; d) act to protect the interests of our users or others. 

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal basis for doing so under applicable EU laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your information only where:

We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;

It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the services and to protect our legal rights and interests;

You give us consent to do so for a specific purpose;

We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.


Medullan implements physical, administrative, and technical safeguards designed to protect your Personal Information from unauthorized access, use, or disclosure. We also contractually require that our suppliers protect such information from unauthorized access, use, and disclosure. The Internet, however; cannot be guaranteed 100% secure, and we cannot therefore ensure or warrant the security of any personal information you provide to us.


EU-US & Swiss-US Privacy Shield

As an international company, Medullan may need to transmit the Personal Information from the European Union to the United States. Although no longer a valid basis for lawful data transfers in light of the judgment of the Court of Justice of the European Union in Case C-311/18, Medullan, Inc. continues to comply with the EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield  Framework(s) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and/or Switzerland, to the United States.  Medullan, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Medullan commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield should first contact Medullan at Medullan Privacy Officer 240 Elm St. 2nd Floor, Somerville, MA 0214, USA or privacy@medullan.com.

Medullan has further committed to refer unresolved Privacy Shield complaints to JAMS EU PRIVACY SHIELD, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit JAMS EU Privacy Shield for more information or to file a complaint. The services of JAMS EU Privacy Shield are provided at no cost to you.

Investigatory and Enforcement powers of the FTC

Medullan is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Medullan is also committed to cooperating with EEA and Swiss data protection authorities. If Medullan shares Personal Data with a third-party service provider that processes the data solely on Medullan’s behalf, them Medullan will be liable for that third-party’s processing of Personal Data in violation of the Principles, unless Medullan can provide that it is not responsible for the event giving rise to the damage. In cases of Onward Transfer to third parties of Personal Data of EU individuals received pursuant to the EU-US Privacy Shield, Medullan is potentially liable.


If you are located in the EEA or Switzerland and have exhausted all other means to resolve your concern regarding a potential violation of Medullan’s obligations under the Privacy Shield principles, you may seek resolution via binding arbitration. For additional information about the arbitration process please visit the Privacy Shield website.


By using our website and the Services or by providing any personal information to Medullan, where applicable law permits, you consent to the transfer, processing, and storage of such information outside of your country of residence where the data protection standards may be different. For data stored and used to support the Services, and to respond to any request for such data to be deleted, Medullan has a CRM system. If you choose to provide Medullan with a third party’s personal information (such as name, email, and phone number), you represent that you have the third party’s permission to do so. Your personal data is stored on the secure servers of the CRM system within the US. Medullan retains the data for the duration of your business relationship with us, and otherwise as required under applicable law. If you are located in the EEA (European Economic Area), if you withdraw your consent for the processing of your personal data, all your personal data will be deleted unless we are required to retain this personal data by law or to comply with our regulatory obligations.

How to Access & Control Your Personal Data
Reviewing, Correcting and Removing Your Personal Information

You have the following data protection rights:

You can request access, correction, updates or deletion of your personal information.

You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.

If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries (including the US and Canada) are available here.

To exercise any of the rights listed above, please contact us at privacy@medullan.com or by mail to Medullan, Inc. 240 Elm St. 2nd Floor, Somerville, MA 02144 USA, Attention: Privacy. We will respond to your request to change, correct, or delete your information within a reasonable timeframe and notify you of the action we have taken.

When you visit the Medullan website, we may send one or more cookies – a small file containing a string of characters – to your hard drive that uniquely identifies your browser. Any use of cookies will be solely for the purposes of improving the quality of the Website by storing user preferences, and tracking user trends, such as how users engage with the Website. Most browsers initially default to accept cookies, but you can reset your browser to refuse all cookies, or to alert you when a cookie is being sent.

This Privacy Policy applies to this website only. We do not exercise control over any sites that you may visit from a link on our website. These other sites may place their own cookies or other files on your computer, collect data or solicit personal information from you, please reference the Privacy Policy on third party websites to learn about their specific Privacy Policies.

If you have any questions about this Privacy Policy, or you wish to inquire about additional website/marketing permissions, please contact us through this website, via email at privacy@medullan.com, or at Medullan Inc., 240 Elm Street, 2nd Floor, Somerville, Massachusetts, 02144, United States of America.

Please note that this Privacy Policy may change from time to time. We expect most such changes will be minor. In any case, we will post any changes we may make in the future on this page or specifically on the relevant website page(s) where information is submitted/collected.