Privacy Policy

Updated February 6, 2020

M2S, Inc. Privacy Policy

This Privacy Policy (this “Policy”) applies to information that M2S collects, receives, or uses on or in connection with websites, applications, products, features, services, or any portion thereof owned or operated by M2S, Inc., a Delaware corporation, including


In general, you may visit the M2S website without identifying yourself or revealing any personal data. M2S may collect domain information from your visit to customize and improve your experience on our website.

M2S will not collect any personal data through the M2S website that you do not volunteer, and we are the sole owner of all information collected on this site. We do not sell, share, or rent this information to others in any way.

Collection, Tracking, and Use of Cookies

When you visit M2S’s website and/or cloud-based applications (including PEMS®, Pathways™ Clinical Data Performance Platform, and this website), M2S may send one or more cookies—a small text file containing a string of alphanumeric characters—to your browser or mobile device. M2S may also sometimes collect analytics information from visits you make to our websites and/or cloud-based applications to measure traffic, usage, and to help us provide better services. This information is sent by your browser or mobile device, including the pages and/or applications you visit and other information that assists us in improving our products and/or services. M2S may share this information with third party organizations that help us provide services to you, such as Google Analytics.

Additional information regarding how Google Analytics uses the data collected can be found here:

Personal Data Protection Policy

This Personal Data Protection Policy has been prepared to assist in understanding how M2S collects, uses, and discloses your Personal Data. M2S is committed to the protection of your Personal Data. M2S collects, uses, discloses, and retains Patient Data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health Act (“HITECH”), applicable state law, and M2S’s own policies and procedures. For Personal Data collected from individuals located in the European Union and other applicable countries, the General Data Protection Regulation (GDPR) and Privacy Shield shall apply.

This Personal Data Protection Policy (the “Policy”) applies to all Personal Data received by M2S, recorded in any form (including electronic, paper, or verbal).


The following definitions shall apply throughout this Policy:

  • “Agent” means any third party that uses Personal Data provided to us to perform tasks on behalf of and under the instruction of M2S.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • “Personal Data” means information or a set of information that identifies or could be used by or on behalf of M2S to identify an individual. Personal Data does not include information that is encoded, anonymous, aggregated or publicly available information that has not been combined with non-public Personal Data.
  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • “Sensitive Personal Data” means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or information that specifies the health or sex life of the individual. In addition, M2S will treat as Sensitive Personal Data any information received from a third party where that third party treats and identifies the information as sensitive.

Data Collected 

As a Processor, M2S collects Personal Data at the direction of the Controller. The following types of Personal Data may be collected: medical records, including name, date of birth, social security number, medical images, patient outcomes, and other sensitive individually-identifiable data. 

Purpose of and Lawful Basis for Data Processing

The lawful basis of M2S’s data collection is the “legitimate interests” lawful basis. As a service provider and Processor, M2S collects, processes, and maintains Personal Data on behalf and at the request of the Controller(s).

Privacy Principles

  1. Notice

When M2S collects Personal Data directly from individuals, we will inform them about the purposes for which we collect and use their Personal Data, the types of third parties (other than Agents), if any, to which we disclose that information, and the choices and means, if any, that we offer individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to M2S, or as soon as practicable thereafter, and in any event before we use the information for a purpose other than that for which it was originally collected. If M2S receives Personal Data from its affiliates or other entities with which we do business, M2S will use such information in accordance with the notices such entities provided and the choices made by the individuals to whom such Personal Data relates.

  2. Choice

When M2S collects Personal Data directly from individuals, we will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a third party (other than an Agent), or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

For Sensitive Personal Data, M2S will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to (a) the disclosure of the information to a third party, or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. M2S will provide individuals with reasonable methods to exercise their choices. M2S may disclose personal information to third parties in the following instances:

Website Consultants and Service Providers. M2S may disclose personal information to third party consultants and service providers (such as providers of hosting services, support, maintenance and remedial and repair services) to the extent that they require access to M2S’s databases, or the information contained in M2S’s databases, to service us and our customers under the conditions set out in the Principles.

Enforcement of Rights / Security. M2S reserves the right to release personal information (i) when M2S is under legal compulsion to do so (e.g. we have received a subpoena) or M2S otherwise believes that the law requires us to do so, (ii) when M2S believes it is necessary to protect and/or enforce the rights, property interests, or safety of M2S, our customers, or others, or (iii) as M2S deems necessary to resolve disputes, troubleshoot problems, prevent fraud and/or enforce the Principles.

Reorganization or Sale. In the event that M2S is merged with or becomes part of another organization, or in the event that our company is sold or it sells all or substantially all of its assets or is otherwise reorganized, the information you provide may be one of the transferred assets to the acquiring or reorganized entity.

As Otherwise Allowed by Law. M2S may transfer personal information to third parties where we are expressly authorized by Applicable Law and the Principles to do so.  M2S also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.

  3. Accountability For Onward Transfers

Information collected by M2S may be stored, processed in, or transferred between any of the countries in which M2S, its affiliates, or agents operate to enable M2S to use the information in accordance with this Policy. M2S will obtain assurances from our Subcontractors and Agents that they will safeguard Personal Data consistently with this Policy. If M2S has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy, we will take reasonable steps to prevent or stop the use or disclosure. In cases of Onward Transfer, M2S, Inc. remains liable. M2S relies on the Privacy Shield Principles and/or the use of model contractual clauses as a legitimate transfer mechanism for locations outside of the U.S. All Agents with locations outside of the U.S. shall enter into agreements with M2S that obligate them to comply with all Applicable U.S. Federal Law and the terms of this Policy. In the event that any Agent is not Privacy Shield certified, model clauses will be the valid transfer mechanism in place.

  4. Security

M2S will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

  5. Data Integrity & Purpose Limitation

M2S will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual or Controller, as applicable. M2S will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.

  6. Access

Upon request, M2S will grant individuals reasonable access to Personal Data that we hold about them, and we will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. M2S may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. If an individual desires to correct, amend, or delete Personal Data that was provided to M2S by third parties (and not directly by the individual), you may contact us to access, correct, or remove your information from our files. M2S will use its best efforts to provide requested access, or to correct or remove your information. M2S reserves the right to retain a single copy of any data needed for archival purposes or to meet record retention requirements under Applicable Law.  An individual should also contact the applicable third party to whom provided the data to correct, amend, or delete such Personal Data.

  7. Recourse, Enforcement, And Liability

M2S will conduct compliance audits of our relevant privacy practices to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

Data Retention

M2S may retain Personal Data for archival purposes, to meet legal obligations such as record retention requirements, to resolve disputes, or to enforce agreements. When M2S no longer has a business need to process the Personal Data, M2S may either delete or destroy the data, pursuant to Applicable Law. Individuals may also request that M2S delete your Personal Data at any time, and M2S will do so provided that we may retain any records needed for archival purposes or to meet record retention requirements pursuant to Applicable Law. If M2S cannot delete or destroy any such Personal Data, such as when it is archived in M2S’s backup systems, then M2S will store, but not otherwise further process, that Personal Data until it is deleted or destroyed pursuant to M2S’s data retention policies. 

E.U. – U.S. Data Transfers for EU Individuals

The European Union (“E.U.”) General Data Protection Regulation (“GDPR”) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data protection laws across Europe.

The United States Department of Commerce has worked with the European Commission to develop the E.U. – U.S. Privacy Shield Principles to allow U.S. companies to meet the E.U. law requirements that Personal Data transferred from the E.U. to the United States be adequately protected.

Consistent with its pledge to protect personal privacy, M2S adheres to GDPR and the Privacy Shield Principles. If there is any conflict between the provisions in this Policy and GDPR and/or the Privacy Shield Principles, the GDPR and/or the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield program, and to view our certification page, please visit

Dispute Resolution and Enforcement

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to us at the address given below. M2S will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy within thirty (30) days of receiving a complaint. For complaints that cannot be resolved between M2S and the complainant, we have agreed to participate in the dispute resolution procedures pursuant to the Privacy Shield Principles.

M2S is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).  Should an individual be unable to resolve a complaint with M2S, they may contact the FTC at the following address:

Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580

M2S has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

EU Persons (EU Data Subjects) may make complaints to their home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

Changes to M2S’s Personal Data Protection Policy

This Policy may be amended from time to time, consistent with the requirements of HIPAA, HITECH, the Privacy Shield Principles, GDPR, and/or other Applicable Law. M2S will provide appropriate public notice about such amendments.

Contact Information

Questions or comments regarding this Policy should be submitted to us by mail or e-mail as follows:

M2S, Inc.

Attn: Privacy Officer / Legal Dept.

12 Commerce Avenue

West Lebanon, NH 03784

[email protected]