ORGANOGENESIS WEBSITE PRIVACY POLICY

Organogenesis respects the privacy of visitors to our website and related online services (collectively, our "Website"). This Privacy Policy applies to any information provided to us via our Website.

What Information Do We Collect and How Do We Collect It?

Organogenesis collects Personal Information through our Website. Under this Policy, "Personal Information" is defined as information that can be used to identify a user, including names, addresses, e-mail addresses, phone numbers, and National Provider Identifier (NPI) numbers. Additionally, when you contact us via our Website, we will also collect the contents of your message and any attachments you choose to provide. When you make inquiries concerning career opportunities, you may submit your contact information and your resume online. We will collect the information you choose to provide on your resume, such as your highest level of education, employment experience, and information about the type of job you are seeking.

Organogenesis also collects Identifiers, defined as digital information such as cookies and internet protocol (IP) addresses, when you visit our Website, if you consent to our doing so. A cookie is a data file placed on a device (such as your computer or smartphone) when it is used to visit our Website. Cookies may generally be disabled or removed by tools that are available as part of most commercial browsers, and in some but not all instances can be blocked in the future by selecting certain settings. Each browser you use will need to be set separately and different browsers offer different functionality and options in this regard. You may opt-out of allowing us to collect cookies at any time. Please be aware that if you disable or remove cookies on your device, some parts of our Website might not function properly, and that when you revisit our Website your ability to limit cookies is subject to your browser settings and limitations.

An IP address is numerical label assigned to the device you use to connect onto our Website. The IP address of the device you use can be used to view what webpages you have visited and may provide an approximate geographical location of the device you are using. The IP address we collect may be linked to other Personal Information you voluntarily provide to us. You may opt-out of allowing us to collect your IP address at any time.

If you choose to submit comments, photos, or content to our pages on third-party platforms, including social media platforms such as Facebook or LinkedIn, you may choose to include personal information. In such a case, we may receive information about you, including your profile photo, name, and other information you choose to provide. If you wish to limit the information available to us, you should visit the privacy settings of your third-party accounts to learn about your options.

We also may receive additional information about you from third parties such as your healthcare professional and/or our marketing partners.

What Do We Do With the Information We Collect?

We collect Personal Information and Identifiers and store them in a database. We will use Personal Information and Identifiers as follows:

  • For the purpose for which you have provided it to us, as indicated on the form that you fill out and/or questions that you answer;
  • To contact you to provide you with updates and other information relating to our services, provide information that you request, respond to comments and questions, and otherwise provide customer support; and
  • To learn how visitors use our Website, and to improve, maintain, provide, and enhance our services and our Website. We may de-identify and aggregate information collected and use it for our business purposes.

If you do not wish to provide the information requested on a given screen, or if you have concerns about maintaining the confidentiality of any information, we suggest that you not provide the information.

When Do We Provide Information to Third Parties?

We use Google Analytics to track the number of visitors to our site and the number of visitors to various sections of our site for the purpose of determining trends and visitor needs.

We may access, use, preserve, transfer and disclose your Personal Information to third parties: (i) to satisfy any applicable law, regulation, subpoenas, governmental requests or legal process if in our good faith opinion such is required or permitted by law; (ii) to protect and/or defend the policies applicable to the Website, including investigation of potential violations thereof; (iii) to protect the safety, rights, property or security of the Website, Organogenesis, or any third party; and/or (iv) to detect, prevent or otherwise address fraud, security or technical issues.

We reserve the right to disclose and transfer all such information: (i) to a subsequent owner, co-owner or operator of the Website or applicable database; or (ii) in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, including, without limitation, during the course of any due diligence process.

Do You Retain and Delete My Data?

We will retain your personal information for as long as necessary to fulfill the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

What if I Am Located in the United Kingdom, European Economic Area, or Switzerland?

Organogenesis does not have an establishment in the United Kingdom (UK) or European Union, does not target residents of the UK or the European Economic Area (EEA) for marketing goods or services, and does not monitor residents of the UK or EEA. Accordingly, the General Data Protection Regulation (GDPR) and its implementing laws does not generally apply to Organogenesis.

Nevertheless, Organogenesis will respect your privacy rights under the GDPR if you are a resident of the UK or the EEA (and equivalent data protection laws if you are a resident of Switzerland). If you are a UK, EEA, or Swiss resident, you may

  • Request an accounting of all personal information that we possess that pertains to you in an electronically portable format (e.g., electronic copies of information attached to an email).
  • Request that we change any personal information that pertains to you.
  • Request that we delete any personal information that pertains to you.
  • Fully or partially withdraw your consent to the collection, processing, and/or transfer of your personal information.

To request an accounting of your personal information, a change to your personal information, deletion of your personal information, or to withdraw your consent to the collection, processing, and/or transfer of your personal information, contact Privacy@organo.com. Once we have received notification that you withdraw your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there are compelling legitimate grounds for further processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

We obtain your Personal Information and Identifiers, and transfer it to the United States, through your consent as specified in the form by which you have provided that information.

What if I Am a California Resident?

If you are a California resident, please see our California Resident Privacy Notice below for supplemental information and disclosures regarding rights of California residents.

How Do I Change My Information and Communications Preferences?

You are responsible for maintaining the accuracy of the information you submit to us. You may provide updates and changes by contacting us at Privacy@organo.com. If so, we will make good faith efforts to make requested changes in our then active databases as soon as reasonably practicable.

Please note that we reserve the right to send you certain communications relating to use of our Website, such as administrative and service announcements, and these transactional account messages may be unaffected if you choose to opt-out from receiving our marketing communications. If you have any questions about this Privacy Policy or the practices described in it, you should contact us by e-mail at Privacy@organo.com.

What Should Parents Know About Children?

This is a general audience Website and we do not knowingly collect any personal information from children younger than the age of eighteen (18) through this website. We will delete any personal information collected that we later determine to be from a user younger than the age of eighteen (18). If you are a parent or guardian of a child under the age of eighteen (18) and believe he or she has disclosed personal information to us, please contact us at Privacy@organo.com.

What About Security?

We incorporate reasonable technical, administrative, and physical safeguards to help protect and secure your Personal Information. However, no data transmission over the Internet, mobile networks, wireless transmission or electronic storage of information can be guaranteed to be 100% secure. Please note that we cannot ensure the security of any information you transmit to us, and you use our Website and provide us with your information at your own risk.

What Are My Obligations?

This site acts as a venue for information collected for a number of purposes specified by visitors. We have no control over the quality, truth or accuracy of information submitted by visitors, and undertake no responsibility for such information submitted. Each visitor is responsible for the quality, truth and accuracy of the information he/she submits.

By providing information to us on this Website, you authorize us to use the information supplied for the purposes for which it was provided. We have no obligation to use or retain any of the information a visitor submits, and reserve the right to delete or destroy the information. We may, for any reason, suspend or terminate a visitor's right to submit information to this site.

Will This Policy Change?

We reserve the right to change this Privacy Policy at any time without notice to you. Any changes will be effective immediately upon the posting of the revised Privacy Policy. If we materially change the ways in which we use or disclose information from or about you or your devices previously collected from you, we will make reasonable efforts to notify you of the changes by sending a notice to the primary email address provided to us and/or by placing a notice on our Website. To the extent any provision of this Privacy Policy is found by a competent tribunal to be invalid or unenforceable, such provision shall be severed to the extent necessary for the remainder to be valid and enforceable.

What About Accessibility?

Any person with a disability that prevents or restricts them from accessing this Privacy Policy through this Website may request a copy of the Privacy Policy in an alternative format by contacting us at Privacy@organo.com.

Effective Date: December 1, 2022


Organogenesis California Resident Privacy Notice

This California Resident Privacy Notice supplements the information and disclosures contained in our Privacy Policy. It applies to individuals residing in California from whom we collect Personal Information as a business under the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time ("CCPA").

Personal Information Collection, Disclosure, and Sale

For the purposes of this notice, Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the CCPA.

Personal Information does not include information that is:

  • Publicly available or lawfully obtained and a matter of public concern.
  • Deidentified or aggregated.
  • Otherwise excluded from the scope of the CCPA, which includes medical information governed by the Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) rules.

The chart below provides the categories of Personal Information (as defined by the CCPA) we have collected, sold, shared, or otherwise disclosed or used for business or commercial purposes in the 12-month period that precedes the date this Privacy Policy is being viewed. The examples of Personal Information provided for each category reflect each category's statutory definition and may not reflect all of the specific types of Personal Information associated with each category.

Please note that we contract with each of the following service providers or contractors for data collection services: colddata, LLC and HMP Global. As a result, these service providers or contractors are authorized to collect Personal Information and information about our business practices through our website and certain webinar events.

Category of Personal Information Do We Collect? Do We Disclose? (See "Disclosure of Personal Information" Section Below) Do We Sell to or "Share" With Third Parties? (See "Disclosure of Personal Information" Section Below)
Sensitive Personal Information

Examples: Personal information that reveals a consumer's Social Security, driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation (within 1850 feet of the consumer); racial or ethnic origin, religious or philosophical beliefs, or union membership; mail, email, or text message contents (unless Organogenesis is the intended recipient of the communication); or genetic data. Sensitive personal information also includes the processing of biometric information for the purpose of uniquely identifying a consumer and personal information collected and analyzed concerning a consumer's health, sex life, or sexual orientation.

Yes Yes No
Identifiers

Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers.

Yes Yes No
Categories of Personal Information in Cal. Civ. Code Section 1798.80(e)

Examples: Name, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, or debit card number (to the extent not already identified as Sensitive Personal Information), or any other financial information, medical information, or health insurance information.

Yes Yes No
Commercial Information

Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Yes Yes No
Biometric Information

Examples: To the extent not already identified as Sensitive Personal Information, physiological, biological, or behavioral characteristics, including information pertaining to DNA, that can be used, is, or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

Not collected in the past 12 months N/A N/A
Internet or Other Electric Network Activity Information

Examples: Browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement.

Yes Yes No
Geolocation Data

Examples: Physical location (to the extent not already identified as Sensitive Personal Information).

Not collected in the past 12 months N/A N/A
Sensory Information

Examples: Audio, electronic, visual, thermal, olfactory, or similar information.

Not collected in the past 12 months N/A N/A
Professional or employment-related information

Examples: If you apply for a job with us, job application or resume information, past and current job history, and job performance information.

Yes Yes No
Non-Public Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part //99)

Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.

Yes Yes No
Inferences Drawn from Personal Information

Examples: Consumer profiles reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Yes Yes No

Use of Personal Information

Upon collection, we will typically retain each category of your Personal Information listed above for the amount of time necessary to fulfill the purposes for which it was collected, consistent with all applicable law and our internal retention schedule. In general, as permitted by the CCPA, Personal Information may be used in a manner that is reasonably necessary and proportionate for any of the specific business and commercial purposes listed below:

  1. Providing Services: Providing our products and services.
  2. Communicating: Maintaining or servicing customer accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or communicating with you (including providing updates and answering any questions) regarding our products and services.
  3. Fraud and Incident Prevention: Detecting and investigating security incidents that may compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
  4. Resisting Illegal Actions: Resisting malicious, deceptive, fraudulent, or illegal actions and prosecuting those responsible for such actions.
  5. Safety Issues: Responding to safety issues and ensuring the physical safety of natural persons.
  6. Transient Use: Short-term transient use, including non-personalized advertising shown as part of a customer's current interaction with us.
  7. Improving Our Services: Verifying or maintaining the quality or safety of our services or any products or devices that we own, manufacture, or control, or improving, upgrading, or enhancing any such service, product, or device.
  8. Marketing: Marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable or otherwise of interest to you.
  9. Personalization: Personalizing your experience on our services such as presenting tailored content.
  10. Deidentification and Aggregation: De-identifying and aggregating information collected through our services and using it for any lawful purpose.
  11. Job Applications: Processing your job application.
  12. Compliance: For compliance purposes, including enforcing our Terms and Conditions or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
  13. Auditing Interactions: Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  14. Debugging: Debugging to identify and repair errors that impair existing intended functionality.
  15. Contracting Vendors: Contracting with service providers or contractors to perform services on our behalf or on their behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider or contractor.
  16. Research: Undertaking research for technological development and demonstration, including clinical trials.
  17. Enabling Transactions: Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
  18. Notified Purpose: For other purposes for which we provide specific notice at the time the information is collected.
  19. Investor Relations: For the purpose of communicating investor relations information.

Collection of Personal Information

In the preceding twelve months since this notice was last updated, we have collected Personal Information from the following categories of sources:

  1. You/Your Devices.
  2. Our Affiliates.
  3. Social Media Networks and Other Third Parties.
  4. Internet Service Providers.
  5. Analytics Providers.
  6. OS/Platform Providers.
  7. Our Websites.
  8. Business Partners and Customers.
  9. Government Entities.
  10. Publicly Available Sources.

Disclosure of Personal Information

As permitted by the CCPA and all applicable law, for each category of your Personal Information that we collect and disclose as stated in the above chart, we may disclose it to any of the following types of persons or entities.

  1. Our Affiliates.
  2. Government Entities.
  3. Service Providers and Contractors (for Business Purposes).
  4. Third Parties as legally required.
  5. Third Parties in connection with a merger/acquisition.
  6. Third Parties with your consent.

As stated in the chart above, we do not sell any Personal Information to, or "share" any Personal Information with, any third party. Under the CCPA, the term "share" specifically refers to the transfer of Personal Information to a third party for cross-context behavioral advertising.

Your California Privacy Rights

If you are a California resident, you have the rights listed below, which may be exercised according to the instructions in the following section of this Privacy Policy.

Right to Know and Access. You have the right to know what Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the specific business or commercial purpose for collecting, selling, or sharing the Personal Information, the categories of third-parties to whom we disclosed the Personal Information, and the specific pieces of Personal Information that we have collected about you.

Right to Delete. Subject to certain exceptions, you have the right to delete Personal Information about you that we have collected from you.

Right to Correct. Subject to certain exceptions, you have the right to correct inaccurate personal information about you that we have collected from you and maintain.

Right to Opt-Out. Consumers generally have the right to opt out of the sale or sharing of their Personal Information (i.e., prevent a business that collects their Personal Information from selling or sharing it). As stated in the chart above, we do not sell or "share" any Personal Information that we collect. Under the CCPA, the term "share" specifically refers to the transfer of Personal Information to a third-party for cross-context behavioral advertising.

Right to Limit Use and Disclosure of Sensitive Personal Information. Subject to certain exceptions, which are listed in the Request Form (a link to which is included below), you generally have the right to prevent your Sensitive Personal Information from being used or disclosed for business and commercial purposes.

Right to Equal Service and Price. Subject to certain exceptions, you have the right not to receive discriminatory treatment from us for the exercise of your CCPA privacy rights, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.

Shine the Light. We do not rent, sell, or share Personal Information with nonaffiliated companies for their direct marketing uses as contemplated by California's "Shine the Light" law (Civil Code § 1798.83), except as described above.

Exercising Your Rights

To submit a Request to Know and Access, Delete, or Correct your Personal Information or Limit the Use and Disclosure of Your Sensitive Personal Information, you may complete our Request Form which is available here or call our Customer Service Department at 1-888-432-5232. As mentioned in the previous section, we do not sell or "share" any Personal Information that we collect.

Verification and Use of an Authorized Agent

Upon receipt of a Request to Know and Access, Delete, or Correct from you, we may take reasonable steps to verify your identify to ensure that you are, in fact, the consumer about whom the Personal Information in question has been collected. In particular, we may ask you to confirm your name, email address, or other Personal Information that you have previously provided to us. We may also require a signed statement from you confirming your identify. Any verification steps that we take will comply with all requirements of the CCPA.

You may authorize an agent to exercise your rights on your behalf. To do so, you or the agent must prepare a written authorization in which you clearly identify the agent and authorize the agent to act on your behalf. The written authorization must be signed by you and the agent. As applicable, you may send the written authorization to us at Privacy@organo.com. Under some circumstances, we may request additional proof regarding the agent's authorization, including asking to verify your own identity and/or directly confirm that you authorized the agent to exercise your rights.

Do Not Track

There is currently no accepted standard on how to respond to Do Not Track signals, and we do not respond to such signals.

Contact Information

If you have any questions, comments, or concerns about this notice or our processing activities, or you would like to exercise your privacy rights, please email us at Privacy@organo.com. Any person with a disability that prevents or restricts them from accessing this policy through our website may request a copy of the policy in an alternative format by contacting us at Privacy@organo.com.

Effective Date: December 1, 2022

Notwithstanding the Effective Date of this California Resident Privacy Notice, please note that the above chart that lists the categories of Personal Information that we have collected, sold, shared, or otherwise disclosed or used for business or commercial purposes is applicable to the 12-month period that precedes the current date (as opposed to the Effective Date).