FlowJo Data Privacy Notice
effective date – October 11, 2022
Last revised - March 28, 2024
FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA, (“Company”, “we” or “our”) and each of its affiliates and subsidiaries (collectively, the “Becton Dickinson Group” or “BD Group”) take data privacy seriously.
Company is responsible for the processing of personal data as it decides why and how it is processed, thereby acting as the “controller” in the meaning of the EU General Data Protection Regulation “GDPR”.
We are committed to respecting and safeguarding your privacy by handling your personal data in accordance with applicable data protection laws. This Data Privacy Notice (“Notice”) informs the users of SeqGeq™, FlowJo™, FlowJo Portal, flowjo.com, and BD® Research Cloud ("FlowJo Products") how we collect and process the personal data and other information of such users (hereinafter "you" or "your") in connection with their usage of the FlowJo Products.
FlowJo Data Privacy Notice
1. What personal data do we process about you, why and how is this justified?
2. Who has access to your personal data?
3. How long do we store your personal data?
4. What are your rights and how can you exercise them?
5. Cookies and other tracking technologies
6. How do we protect your personal data?
7. Changes to this Notice
8. How can you contact us?
9. Supplemental Privacy Notice to US Residents
What personal data do we process about you, why and how is this justified?
1.1. Personal data you actively provide to us
Types of personal data and processing purposes:
- Registration Data: When you register with FlowJo to receive a quote, trial or license for authorized usage of FlowJo Products, you may be asked to provide the following personal data about you: your first and last name, organization or institution (if applicable), country code, telephone number, email address, hardware address, and password. If you register for the BD Research Cloud, in addition to the above, we also process your zip code, together with the Registration Data. We process your Registration Data for purposes of access control, license administration, sales and support interactions with you, and for defending, establishing and exercising legal claims, for providing customer care services or inquiries, to improve and personalize your user experience, for analytical purposes to improve or further develop our Flow Jo products, to conduct troubleshooting, audits, or other quality activities, for IT and network security purposes, for complying with legal obligations, and for providing marketing materials to the extent permitted by applicable law.
- Financial or payment data: We process your credit card details, bank account details, VAT or other tax identification number, dates and amounts of payments made or received to bill you for requested products and services, and accounting purposes.
- Custom Fields: Any other information you may want to provide to us for license administration when you register for a group license is stored in the system to merely fulfil your request and for your own convenience.
The provision of Registration and Financial or payment data is necessary to enter into the license agreement with us and to register with and use the FlowJo Products as requested by you. If you choose to not provide your personal data, you may not be able to use the FlowJo Products.
Legal ground for processing:
- the processing is necessary for the performance of the license agreement and/or the end-user license agreement or to take steps at your request prior to entering into such agreements (e.g., for providing quotations, administering the license agreement, or providing you with products and services as requested by you, and for billing you for requested products and services).
- the processing is necessary for the purposes of our and BD Group's legitimate business interests, in particular for access control, license administration, IT and network security, customer care services, marketing, as far as permitted by applicable laws, improvement of the quality and services of the FlowJo Products, as well as other products and services offered by the BD Group.
- the processing is necessary for compliance with a legal obligation to which we are subject, such as reporting cases of adverse events related to our products to authorities, or for accounting purposes.
- the processing is necessary for defending, establishing, and exercising legal claims.
- subject to your consent, we will add you to our marketing database and market products and services which we think may be of interest to you or to communicate with you for other purposes about which we inform you when we collect your personal data. You can unsubscribe from marketing communications by clicking the “Unsubscribe” link included in each message.
1.2. Personal data automatically collected when you use the FlowJo Products:
Company uses common automated data collection technologies, such as cookies, to assess how our FlowJo Products are used, to personalize your experience, and to deliver content tailored to your interests. Through these technologies, some information may be collected automatically, when you use the FlowJo Products, such as the IP address, Mac address, browser type and version, operating system and interface, version of the FlowJo Products, device and reagent information, underlying license information, date and time of the FlowJo Products usage. To learn more about our Cookie practices and the use of opt out or Global Privacy Controls (GPC), please see Section 5 of this Notice.
When you use the BD Research Cloud, we automatically process your lab name, fluorescent panel information, workflow information, reagent information, cytometer information and organization profile. We also process any uploaded files, including FCS files, for the purpose of storing those files.
Such metadata will be processed based on our and BD Group’s legitimate business interest to enable and control the access to the FlowJo Products, to ensure compliance with license restrictions and for IT and network security purposes.
Subject to your explicit consent, where required, we may use the metadata and other information about you collected through cookies and other common tracking technologies, to assess how our FlowJo Products are used, to assess and personalize your user experience, and to deliver content and targeted ads tailored to your interests, to improve the content and performance of the Flow Jo Products, and for research and product development purposes.
For example, we may monitor how many users visit our Flow Jo Products in a given time, users’ login frequency, which components or pages are most popular and where users exit from the buying process, which reagents and panel information is used, which domains you come from, which browsers you use, and how you navigate our Flow Jo Products.
Who has access to your personal data?
You should expect that we will share your personal data with third parties for the processing purposes described above as follows:
- Within the Company: Your personal data will be processed and used by the Company located in the USA. Depending on the categories of personal data and the purposes for which the personal data has been collected, different departments within the Company, including, for example, our R&D, IT, Sales, Legal, Marketing and Finance departments have access to your personal data on a need-to-know basis.
- Within the BD Group: Our parent entity, Becton, Dickinson and Company, in the USA and other affiliates in the USA (each affiliate including us referred to as "BD Affiliate") may receive your personal data as necessary for the following purposes: product improvement, marketing, and cyber-security. Internally, the following departments may have access for such purposes: R&D, IT, Sales, Legal, Marketing and Finance departments. Details of BD affiliates can be found at www.flowjo.com/legal_entities
- With data processors: Certain third-party service providers, whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the processing purposes described above, such as hosting providers, customer care providers, marketing service providers, IT support service providers, and other service providers who support us in maintaining our commercial relationship with you. The Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed. A list with the main Processors can be found here www.flowjo.com/policies/partners.
- Other recipients: We may transfer—in compliance with applicable data protection law—personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or selected business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. We will not disclose your personal data to third parties for advertising or marketing purposes or for any other purposes without permission.
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfil their job responsibilities.
The above mentioned third parties are contractually obliged to protect the confidentiality and security of your personal data in compliance with applicable laws. However, your personal data may also be accessed by or transferred to any national and/or international regulatory, enforcement, or public body or court when we are required to do so by applicable laws or regulations or at their request.
International transfers. Your personal data will be processed by the Company in the USA, that may not provide the same level of data protection than in your country and where there is a risk of access by US authorities. You should expect that the recipients identified above which will receive or have access to your personal data, are also located outside the European Union and the European Economic Area (together "EEA"), UK, or Switzerland, in particular in the USA.
By registering on one of our portals (FlowJo Portal, flowjo.com or BD Research Cloud), you explicitly agree to the processing of your personal data in the US and other third countries as specified above.
Before disclosing any personal data from Canada, the EEA, Switzerland or the UK to persons in countries outside the EEA or Switzerland, we take appropriate safeguards as required by applicable laws, such as assessing data importers to ensure that they can effectively protect your personal data as expected under Canadian, EU and Swiss data protection laws and entering into Processing Agreements, and Standard Contractual Clauses as required and/ or approved by Applicable Law, and as may be approved by the EU Commission and the Swiss Federal Data Protection and Information Commissioner respectively. For further information about these safeguards or to receive a copy, please contact us as described in this Notice.
How long do we store your personal data?
Your personal data will be retained for the period of the license agreement and/or your registration with FlowJo Products. This is necessary to provide you with access to FlowJo Products. Once the license agreement or your registration has lapsed, we may retain your personal data for a further period, depending on the type of personal data we have to process (registration data, financial or payment data, custom fields), but - in any case - no longer than 5 years. On request, we will restrict further processing of your personal data by anonymizing it. Legal or regulatory obligations or pending legal claims may require a longer retention and processing period. Also, we will retain and actively process your contact details and interests in the FlowJo Products for a longer period of time if the Company is allowed to send you marketing materials based on your explicit consent. Prior to deleting any personal data, we may anonymize your personal data for future statistical and reporting purposes.
What are your rights and how can you exercise them?
Right to withdraw your consent: If you have declared your consent regarding certain collecting, processing, and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can withdraw your consent via instructions available at this link www.flowjo.com/policies/how-to.
Additional data privacy rights: Depending on the jurisdiction in which you reside and pursuant to Applicable Law, you may have right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data (including objection to direct marketing and profiling). Please note that these rights might be limited under the applicable local data protection law.
EU Member residents can exercise your rights via instructions at this link www.flowjo.com/policies/how-to or by contacting us as stated under Section 8 below. You also have the right to lodge a complaint with the competent data protection supervisory authority in the relevant Member State (e.g., the place where you reside, work, or of an alleged infringement of the GDPR). Contact details can be found here. US residents, please see Section 9 of this Notice.
Cookies and other tracking technologies
FlowJo uses cookies and other tracking technologies. When you access FlowJo Products, we collect information through cookies and tracking technologies based on your explicit consent. Cookies are small text files that are stored on your computer. We collect this information either directly or through third parties to provide our services and store your preferences and settings, provide interest-based marketing, combat fraud, and analyze the performance of our services. For more information about the use of cookies, please visit our Cookie Policy on www.flowjo.com/policies/cookie-policy.
How do we protect your personal data?
We take appropriate technical and organizational measures to secure your personal data from unauthorized access, loss, and misuse. These measures include instructions to employees, access regulations and restrictions as well as the encryption of data carriers.
Changes to this Notice
We may update this Notice from time to time in response to changing legal, regulatory, or operational requirements. We will notify you of any such changes, including when they will take effect, by updating the "Last revised" date above or as otherwise required by applicable law. If you do not accept updates to this Notice, you should stop using the FlowJo Products.
How can you contact us?
If you have any questions about this Notice or if you want to exercise your rights as stated above in Section 4, please contact us at: FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA, flowjoprivacy@bd.com.
The Company's Data Protection Contact Person can be contacted at flowjoprivacy@bd.com or via postal letter to Data Protection, FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA.
The contact details of our representative within the EU are as follows: BD GmbH, Tullastr. 8-12, 69126 Heidelberg, Germany, GDPR@bd.com.
Supplemental US State Privacy Disclosures
If you live in California, Colorado, or certain other states that have adopted generally applicable privacy laws, you may have certain rights, subject to legal limitations, regarding your Personal Data, such as:
- Right to Know. You may have the right to request information about the categories of Personal Data we have collected about you, the categories of sources from which we collected the Personal Data, the purposes for collecting, selling, or sharing the Personal Data, and to whom we have disclosed your Personal Data and why. You may also request the specific pieces of Personal Data we have collected about you.
- Right to Delete. You may have the right to request that we delete Personal Data that we have collected from you.
- Right to Correct. You may have the right to request that we correct inaccurate Personal Data that we maintain about you.
- Right to Opt-Out of Sale/Sharing for Targeted Advertising. You may have the right to opt out of the sale or sharing of your Personal Data for targeted advertising.
- Right to Opt-Out of Profiling. You may have the right to opt out of certain automated processing activities that are used to evaluate characteristics about you.
- Right to Limit Sensitive Personal Data. We do not use or disclose Sensitive Personal Data other than to provide our service as described above. However, if we used or disclosed Sensitive Personal Data for other purposes, you would have the right to limit certain uses of Sensitive Personal Data
You may exercise any of the rights available to you by emailing us at flowjoprivacy@bd.com, or by calling us at (800) 490-2177.
In order to fully exercise the Right to Opt-Out of Sale or Sharing for Targeted Advertising, you must undertake both of the following steps:
- Submit an Opt-Out of Sale/Sharing for Targeted Advertising request on BD.com.
- Disable the use of advertising cookies and other tracking technologies in the preference center by changing your Cookie Preferences. These steps are necessary so that we can place a first-party cookie signaling that you have opted out on each browser and each device you use. Please note:
- If you block cookies, we will be unable to comply with your request to opt out of sale/sharing for targeted advertising with respect to device data that we automatically collect and disclose to third parties online using cookies, pixels, and other tracking technologies.
- If you clear cookies, you will need to disable the use of all advertising cookies and tracking technologies in the preference center again on each browser on each device where you have cleared cookies.
We will not discriminate against you for exercising your privacy rights.
Verification: In order to process rights requests, we may need to obtain information to locate you in our records or verify your identity depending on the nature of the request. In most cases, we will collect some or all of the following data elements: first and last name, email address, and telephone number. In some cases, we may request different or additional information, including a signed declaration that you are who you say you are, and we will inform you if we need such information.
Authorized Agents: Authorized agents may exercise rights on behalf of you by submitting a request via email address at flowjoprivacy@bd.com and indicating that they are submitting the request as an agent. We may require the agent to demonstrate authority to act on behalf of you by providing signed permission from you. We may also require you to verify your own identity directly with us or to directly confirm with us that you provided the authorized agent permission to submit the request.
Appeal: If we deny your rights request, you may have the right to appeal. To submit an appeal, contact us at flowjoprivacy@bd.com. We will inform you in writing our response to your appeal.
Additional Data Processing Disclosures Although we have not “sold” Personal Data for money in the past 12 months, we engage in routine practices with our digital FlowJo Products involving third parties that could be considered a “sale” or “sharing” (i.e., for targeted advertising). We do not knowingly sell or share any Personal Data of minors under the age of 16.
We only use and disclose Sensitive Personal Data for the following purposes: (i) performing services or providing goods reasonably expected by an average consumer; (ii) detecting security incidents; (iii) resisting malicious, deceptive, or illegal actions; (iv) ensuring the physical safety of individuals; (v) for short-term, transient use, including non-personalized advertising; (vi) performing or providing internal business services; (vii) verifying or maintaining the quality or safety of a service or device; or (viii) for purposes that do not infer characteristics about you.
How to Contact BD:
Additional options for California Residents Only:
Toll Free Phone Number: (800) 490-2177
E-mail: flowjoprivacy@bd.com