End User agrees to the following:
A. End User – An individual, patient or a customer who receives or uses the Service(s)
B. Analysis Facility – A business, an association, an enterprise, or an organization that provides the use of the Service(s) and a facility where the Product or the Site is located
C. Facility User – An employee, a representative or a member of the Analysis Facility
D. Facility Administrator (Admin) – The employee or an associate of the Facility who is in charge of the Site’s account and has a higher level of authority than the Staff member
E. Staff Member – An employee or an associate of the Facility who uses the Site but has limited access
F. Protected Health Information – According to the Health Insurance Portability and Affordability Act of 1996, Public Law 104-191, as amended, and inclusive of the Privacy Rule, Security Rule, Breach Notification Rule and Enforcement Rule (45 CFR Parts 160 and 164) promulgated by the United States Department of Health and Human Services (“HIPAA”), Protected Health Information is information that is a subset of health information including demographic information collected from an individual that: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to an individual; (3) identifies the individual or for which there is reasonable basis to believe the information can be used to identify the individual; and (4) is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
G. Personal Information – End User’s non-public information which InBody receives through End User’s use of the Service that can be used, alone or in combination with other information in InBody’s possession, to identify a particular individual. It may include information such as name, email address, telephone number and other personal information the End User provides InBody and it may include Protected Health Information that an individual provides to the Covered Entity
H. Covered Entity – The definition of the Covered Entity remains the same as in 45 CFR § 160.103 of HIPAA
I. Aggregated or De-Identified Information – Information that does not identify End User as a specific individual
J. Custody – When Personal Information or Protected Health Information or other information regarding an End User or Facility User is transmitted to and maintained within our server
K. Control – When Personal Information or Protected Health Information or other information regarding an End User or Facility User can be viewed, added, edited, deleted, and/or transferred by InBody for the purposes described in this Policy
L. In this Policy, the words “InBody”, “we”, “us” and “our” refer to Biospace Inc. DBA InBody
M. In this Policy, the words “End User” and “End User’s” refer to the non-InBody signatory to this Policy, an End User
II. Services We Provide
This Policy applies to the following:
A. InBody’s body composition analysis devices and its accessories (the “Products”);
B. InBody-provided applications that give End User access to view, add, update, or delete data (collectively, the “App”);
C. InBody data management website(s) and/or an extension of the website(s), including, but not limited to, the API and the LookinBody App (collectively the “Site”); and
D. The data, analyses and other content collected, processed, analyzed, generated or delivered by a Product, the App, or the Site, including without limitation, text, graphs, calculations, copy, audio, video, photographs, illustrations, images, graphics and other visuals (the “InBody Content”) (all collectively, the “Service” or “Services”).
III. Information We Collect
A. Information We Collect from an End User:
1) App: When an End User registers for the App, we require the following information: End User’s name, email address, telephone number, age, height, weight, and gender.
2) Product: Our Body Composition Analysis Device collects multiple data points from End User’s body and outputs information such as BMI, PBF, Lean Body Mass, Skeletal Muscle Mass, level of Body Water etc. Accessories connected to the InBody Body Composition Analyzer may collect and output many different data points. Results from the device and the accessory are pooled together and associated with End User’s registered ID and/or telephone number. If End User wishes to be left anonymous and unidentifiable, End User may use the Product as a Guest. Height, weight, age, and gender are still required from a Guest user to process the data. The storage of End User’s data on the server allows them to track changes over multiple tests and multiple Service(s). A guest user may not be able to track their results. Also, depending on the model of the Product, additional body composition measurement information may be stored, such as visceral fat level, leg lean mass etc.
3) Wearable devices: Wearable devices track End User’s sleep, calories, activity, steps, etc. End User has the option to use different functions such as End User’s activity time, distance traveled, and calories burned. End User may also selectively choose to hide any of the functionalities (except battery, time, and body composition analysis) from the screen of the Wearable device. The Ranking system function, derived from the Wearable device, in the App is available for End User to compare End User’s steps and/or scores activity with End User’s friends and family who have this system available and turned on. This optional feature requires End User to provide access to the contacts and opt-in to share End User’s results with End User’s contacts through settings. To know more about ranking system and the different functions of the Wearable device, please refer to the “Terms of Service for End User”.
4) As it pertains to the Personal Information that End User shares with InBody using InBody’s Service directly, without an Analysis Facility, End User agrees that no Protected Health Information is included, and that HIPAA does not apply to such Personal Information.
B. Information We collect from an Analysis Facility:
An Analysis Facility may be asked to provide InBody with Personal Information of Facility Users who may access the Site. Such information can include their full name, telephone number, email address, and date of birth. The Staff member is a sub-tier account to the Admin account with limited access to the Site. Each Analysis Facility may have a different staff structure, and the level of access to the End User’s information, will be determined by InBody at our sole discretion by reference to the Facility User’s responsibility and role at the Analysis Facility. A Facility User’s personal information is used to create account logins for the Site during the creation of an Administrator account and/or Staff member account. The Facility User is responsible for the accuracy of the information, any changes or updates on the account, and the confidentiality of the login credentials for the Site. A Facility User may be asked to provide identifiable information to InBody if they call in for support.
C. Analysis Facility – Covered Entity
In the event that a Covered Entity purchases the LookinBody Web Subscription, InBody becomes its Business Associate and both parties must comply with Privacy and Security Rules of HIPAA. An Analysis Facility that is a Covered Entity hereby represents and warrants to InBody that such Analysis Facility has obtained the necessary Authorization Form, to ensure that such Analysis Facility has consent to disclose each End User’s Personal Information and Personal Health Information which shall comply with HIPAA and other applicable state and federal privacy laws. The Covered Entity that discloses the Personal Health Information to InBody must enter into and comply with terms of a mutually agreeable Business Associate Agreement.
D. Information Collected Automatically
We may automatically collect the following information from End User’s use of the Service(s) through cookies, web beacons, and other technologies: End User’s domain name, browser type, operating system, web pages End User view, links End User click, End User’s IP address, the length of time End User visit our Site and/or use our App, mobile device, mobile number, and the referring URL, the webpage that led End User to our Site etc. We may also have access to other data such as location, calls, mobile camera, photo gallery, and contacts, if End User allow. Note that this information that is automatically collected does not include Protected Health Information.
E. Cookies and Other Collection Tools
We may use our cookies and other collection tools to track information about End User’s use of our Site and other Services, or to track aggregate and statistical information about User activity. A cookie is a small file containing a string of characters that is sent to End User’s computer when End User visits a website, in this case the Site. When End User visits the Site again, the cookie allows that site to recognize End User’s browser. Cookies may store user preferences and other information such as a login credential and/or password. End User can reset End User’s browser to refuse all cookies or to indicate when a cookie is being sent. Other technologies are used for similar purposes as a cookie on other platforms where cookies are not available or applicable. Some cookies allow us to make it easier for End User to navigate our Site and other Services, while others are used to enable a faster login process or to allow us to track End User’s activities on our Site. All cookies are allowed by default, but End User can adjust this setting and clear cookies for all sites or for certain pages. End User can disable or remove first-party and third-party cookie information and data. If End User removes cookies, things like saved preferences on websites might get deleted and some website features or services may not function as well. But if End User prefers, End User can edit End User’s browser options to block them in the future. The help portion of the toolbar on most browsers will tell End User how to prevent End User’s browser from accepting new cookies, how to have the browser notify End User when End User receives a new cookie, and/or how to disable cookies altogether.
IV. Use of Information
A. Use of End User’s Information: by Analysis Facility
1) To track user’s performance at that Analysis Facility such as total amount of body fat lost, total amount of lean body mass gained, etc.
2) To track total users and the Facility’s performance such as total tests, existing users, new users, etc. This allows the Facility Administrator to track how well their Analysis Facility is doing
3) To serve End User:
a. To provide End User with End User’s Personal Information such as End User’s BMI, PBF (Percent Body Fat), Lean Body Mass, Body Water, BMR, Systolic and Diastolic Blood Pressure measurements etc.
b. To help achieve End User’s goal, End User’s Analysis Facility may assign a Facility User(s) to chat with End User. This additional feature is provided to help End User stay connected with End User’s advisor. Any changes or updates to the assigned advisor should be discussed with the Analysis Facility
4) We collect information such as phone number, ID, name, or medical history to categorize the data for the Analysis Facility and to allow End User to track End User’s progress easily when End User participate in different challenges.
B. Collection of End User’s Information: for the End User
1) End User’s Personal Information is stored on the server for End User’s convenience, so End User can access End User’s data from the App
2) We may have access to some of End User’s data generated by End User’s mobile phone, with End User’s consent, to allow End User to take full advantage of the App and the Product. This may include accessing and using:
a. Location – To allow End User’s wearable device and phone to pair and report fitness level(s)
b. Camera – To allow End User to take pictures and share with the Facility User
c. Call – To make calls to a Facility User and to allow call notifications to be sent to End User’s wearable Product
d. Gallery – To allow End User to share End User’s images with the Facility User
e. Contacts – To allow End User to track and rank End User’s family and friends who use the App and the Product
3) End User’s email address is used to send End User a temporary password if and when End User forgets End User’s credentials for the App; it may also be used for other services related to End User’s password to confirm End User’s identity. End User has to manually confirm the usage of End User’s email for any of these services
4) We may send End User an electronic message through email or SMS where we take End User’s consent in accordance with the applicable law
C. Use of End User’s Information: by InBody
1) To serve End User:
a. To provide support to inquiries made by End User or the Analysis Facility regarding the Service(s); In the case of an inquiry, name and/or ID will be used by us for identification purposes
2) To give access to third parties to process that Personal Information:
a. Third parties that are affiliated with us may have access to End User’s Personal Information to process information and/or to provide End User services
b. When the information is entered on the Product (when it is connected to the Internet), App or the Site, it automatically gets uploaded on the Server. Access to the Server is open to InBody and its contracted affiliates for the same purposes as InBody
a. When we share End User’s Personal Information with any such third party we make sure they have appropriate safeguards in place for the protection of End User’s Personal Information and Personal Health Information so that the subcontractors and/or business associate are in compliance with HIPAA and other applicable state and federal privacy laws.
D. Other Uses of Personal Information
Other uses and disclosures of Personal Information not covered by this Policy and permitted by the applicable laws that apply to us may be made with End User’s consent, End User’s written authorization or that of End User’s legal representative, or where permitted or required by applicable law. If we are authorized to use or disclose Personal Information about End User, End User or End User’s legal representative may revoke that authorization in writing at any time with the Analysis Facility, except to the extent that we have taken action relying on the authorization or if the authorization was obtained as a condition of obtaining End User’s account, or if we are legally required to make a particular use or disclosure of End User’s information. End User should understand that we will not be able to take back any disclosures we have already made with End User’s authorization.
V. Disclosure of Information
We may share End User’s Personal Information with the following entities for the purpose described below, provided that our sharing of End User’s Personal Information and their use of End User’s Personal Information complies with HIPAA and other applicable state and federal privacy laws.
A. Business transfers:
We may disclose Personal Information in connection with the sale, merger, sale of assets or reorganization of InBody or its affiliates. In such an event, End User’s information will transfer to the acquiring company. Notice of such a transfer will be provided by posting to the Site or via another form of communication.
B. Third Parties:
We have a relationship with third-party service providers including, but not limited to, LookinBody Company and InBody Co., Ltd. They help us –
a. provide services to End User,
b. administer our business, and
c. design, maintain, improve our Service(s), systems, procedures, protocols, and security.
1) Use of Personal Information: By LookinBody Company
LookinBody Company reserves the right to use Personal Information:
a. To administer and maintain the Server;
b. To provide the highest level of support, if needed, to understand and solve any issue that may arise from End User or the Analysis Facility;
c. Improve InBody’s content
i. The collection of Personal Information also helps create, develop, operate, deliver, and improve Services.
ii. To track and respond to safety concerns and to further develop and improve Services
d. LookinBody Company may use the aggregated data, so they can administer and improve the Site, analyze trends and gather broad demographic information
i. The LookinBody Company may also use the aggregated data for various business purposes including Service development and improvement activities
2) Use of Personal Information: By InBody Co., Ltd.
a. InBody Co., Ltd. may share or sell aggregated, de-identified data that does not identify End User with partners and the public in various ways, such as by providing research or reports about health and fitness or in connection with contests, challenges or another event. When they provide this information, they perform appropriate procedures so that the data does not identify End User.
C. With Service Providers and Business Partners:
We may collaborate with other companies and individuals to perform services on our behalf. Any such subcontractor will be treated with and under the compliance of 45 CFR § 164.502(b). Examples of providers include data analysis firms, credit card processing companies, customer service and support providers, email and SMS vendors, web hosting and development companies and fulfillment companies. Companies may also include our co-promote partners for Services that we jointly develop and/or market with. These third parties may be provided with access to the Personal Information needed to perform functions for us, but the use will be subject to contracts and agreements in place that protect the confidentiality of the information. Third party integration with our Services, such as Site, may require access to the Personal Information in a non-traditional manner which will be subject to different set of Terms.
D. Law enforcement:
We may disclose and report to law enforcement agencies information related to activities that we reasonably believe to be unlawful, or that we reasonably believe may aid a law enforcement investigation into unlawful activity. In addition, we reserve the right to release End User’s information to law enforcement agencies if we determine, in our sole judgment, that the release of End User’s information may help protect the safety or property of any person or entity.
E. Required or Permitted by law:
We may disclose End User’s information to others as required or permitted by law. This may include disclosing End User’s information to governmental entities, or pursuant to court orders, subpoenas, warrant, summons or similar process.
F. Protection for Us and Others:
We may disclose the information we collect from End Users where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any individuals, violations of our Terms or this Policy, or as evidence in litigation in which we are involved.
G. Data That End User May Direct us to Share
End User can direct us to share End User’s data with other parties or users. For example, End User may authorize us to share End User’s data with other End Users through the mobile App, with End User’s employer as part of a wellness program or with other End Users or Analysis Facilities in connection with End User’s participation in contests, challenges or other events. End User may also direct us to share End User’s Personal Information with any other third-party app or website which will be subject to a different set of terms and conditions.
A. Unless we determine that we require an additional consent for specific Service(s) or any other new purpose, End User agrees and consents that we may collect, use, share, or otherwise process End User’s Personal Information in accordance with this Policy.
B. End User’s consent denotes that End User has read the Policy in its entirety and understands the collection, use and disclosure of End User’s Personal Information in our organization.
C. In most cases, End Users have the ability to withdraw End User’s consent. However, because of regulatory requirements imposed upon us, or contractual obligations End User have with us, there are certain limited circumstances where End User may not withdraw End User’s consent to the collection, use or sharing of End User’s Personal Information. If End User choose not to provide us with certain Personal Information, or where End User have withdrawn End User’s consent, we may not be able to offer End User the Services or information that End User requested or that could be offered to End User. For example, if End User withdraw End User’s consent to use Personal Information such as weight, height, or gender, it will be impossible for the InBody Body Composition Analysis Device to test End User’s composition. Personal Information will not be disclosed without the consent of the individual, except to the extent permitted by applicable law in following cases:
1) Contact relating to Service inquiries or repairs
2) Requests for disclosure for legitimate legal reasons
3) When necessary to protect life, health, property or other vital interests of the End User
4) When a transfer of Personal Information is judged necessary to continue service in the event of changes to the service provider for example: a company merger
5) Other disclosures required or permitted by applicable law.
VII. Data Retention and Deletion
We and our affiliates actively retain Personal Information for ten years for our relationship for the purposes described above or as permitted or required by federal law. Aggregation of data will take place after ten years of End User’s inactivity. End User’s Personal Information is aggregated when End User are inactive on the App AND have not used the Product for ten years. When End User’s information is aggregated, End User’s Protected Health Information, name, ID, phone number, and email address, is deleted permanently. Only the de-identifiable information is kept for development, improvement, and/or marketing purposes. Inactivity is defined by two requirements:
1) When End Users are inactive (have not logged in) on the App
2) When End Users have not used the Product at the Facility
Inactivity or cancellation of the subscription by the Analysis Facility from the Product or the Service does not impact End User’s access to previous test results or the test results produced by InBody wearable products. If an End User is continuously using the Product, End User’s information will be retained until End User become inactive for ten years or deletes the information by making a request to the Facility.
Data can be deleted (i) if an Administrator of the Site deletes the data or account on the Site; or (ii) if End User manually delete the test results on the App (which does not mean that data has been deleted on the Facility’s Site).
To delete End User’s Personal Information permanently, End User must talk to End User’s Administrator or Staff Member to delete End User’s information. Analysis Facility has Custody and Control over data that was acquired at their Facility. However, if End User does not have a Facility and End User uses personal or home use device(s) independently, End User may delete End User’s test results or withdraw End User’s account to permanently delete End User’s account and information therein.
Deleting records and Personal Information is permanent; however, please note that in some cases we may be required to retain certain information where permitted or required by law, including without limitation if such information is the subject of a legal dispute. LookinBody Company may wait for a certain time before permanently deleting End User’s records or Personal Information in order to help avoid accidental or malicious removal of End User’s information.
A Backup is defined as data stored that matches the data on the Analysis Facility’s Services. The Backup will be maintained for the duration of the End User account or LookinBody Web active account until data is permanently deleted from the account. Data may be stored in the Backup even after someone deletes an End User account or information to avoid accidental or malicious deletion of End User’s information. After a reasonable time period has passed, the data will be deleted permanently or restored if requested. After the data is deleted permanently, the Backup will be deleted, subject to any legal requirements.
VIII. Data Accuracy
InBody works hard to ensure that the information within its Custody and Control is accurate. Nevertheless, the End User should be vigilant of the accuracy of their own Personal Information. The method for updating Personal Information depends on the information source. Personal Information comes from one of the following:
1) Entered by End User on the App or the Product
2) Entered by the Analysis Facility on the Site or the Product
Information End Users delete, update, or add on the App is stored only on an End User’s phone, viewable to End User, and will impact End User’s manually inputted test results, Personal Use device, and Wearable device results. It is in our Custody but Controlled by End User. If End User wishes to update End User’s Personal Information on any other device, End User should consult End User’s Analysis Facility or personally update it on the device. Any change to End User’s Personal Information will not impact End User’s previous tests.
Any factors of the Personal Information that are dynamic (changes frequently) for example Weight, Age or Phone Number, should be updated by End User or the Analysis Facility accordingly. As the Analysis Facility and End User have full authority to change or update any part of the Personal Information, InBody and its affiliates do not take responsibility for test results and/or decisions made, based on the inaccurate Personal Information.
IX. Accessing and Correcting Personal Information
End User and the Analysis Facility have full authority to add, update, or delete any part of End User’s Personal Information. Yet End User may request access or correction of End User’s Personal Information to us. To access or request correction of End User’s Personal Information, please contact us at Info@InBody.com. We may require End User to verify End User’s identity before allowing End User to access End User’s Personal Information. We may decline End User’s access because of security or legal reasons but End User can submit a written request to us and we will try to address the issues as soon as possible.
X. Children’s Privacy
We are mindful that the Services will be attractive and of benefit to potential users under the age of 18 or local age of majority and it is our policy, regardless of the country in which the Analysis Facility is located, to ensure that parents or legal guardians can monitor data collected in respect of such users. Our Service(s) is available to End Users who are below the age of 18 or local age of majority. The parent or legal guardian of any End User aged below 18 years of age is required to consent to the collection and use of his/her child’s Personal Information and Personal Health Information at the time of registering and use of our Services. When End User consent to this Policy, if applicable, End User consent to the collection, use, and disclosure of Personal Information and Personal Health Information of End User’s child. A parent or legal guardian of any child who has not attained 18 years of age or local age of majority can review his/her child’s Personal Information and Personal Health Information, ask to have it deleted, and refuse to allow any further collection or use of the child’s information from the Analysis Facility.
We work very hard to protect the data End User provide. We take reasonable and appropriate measures to protect the data End User submit, including physical, organizational, and technological security measures. Furthermore, we promise to never sell your Personal Information. Please be aware, however, that the Internet is a global communications vehicle open to threats, viruses, and intrusions from others. By accepting this Policy, the End User and Analysis Facility each acknowledge that unintentional data loss may occur despite the efforts made in good faith by InBody, its third-party affiliates, or an Analysis Facility.
The purpose of access and process by the third-party affiliates in different countries will remain consistent with this Policy. Processing and access may be possible from other countries whose data protection laws may differ from the jurisdiction in which End User live. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws in those jurisdictions. If End User are an Analysis Facility or a Facility User, End User represent and warrant to InBody that End User attained all necessary consent and provided all necessary notices as required by applicable laws for the purposes of this Policy.
A. Technical Safeguards
We use a variety of security measures, including encryption and authentication tools to help protect End User’s information. Third parties, including, but not limited to, LookinBody Company utilize extended levels of security to protect the electronic data.
B. Physical Safeguards
We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to our office. Third Parties such as LookinBody Company restrict their offices to authorized personnel only; other forms of restriction are also applied to enter the department with access to the server.
C. Administrative Safeguards
We restrict access to Personal Information and Personal Health Information to InBody employees, contractors, and agents who need to know Personal Information or Personal Health Information in order to process something for us. They are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations. Third parties are also required to limit the access to our server(s), to authorized personnel only, who use the information for the purposes indicated in this Policy.
XII. Incident Management
InBody and its third-party affiliates have developed a comprehensive incident readiness and response plan designed to identify the cause, extent and nature of an incident involving Personal Information and Personal Health Information and to allow timely reporting in accordance with our contractual terms or legal obligations.
We promise not to retaliate or discriminate against anyone exercising consumer rights under the California Consumer Protection Act or any other applicable consumer protection regulation, and we reserve the right to adjust our pricing based on services offered.
XIV. Terms and Conditions
End User’s continued use of our Services, and any disputes arising from them, is subject to this Policy as well as our Terms. Please visit our Terms, which explain other terms governing the use of our Services.
We reserve the right to change and amend any part of the Policy at any time and without prior notice. Details of these updates will be made available on the Site. We advise End User to check the Site from time to time to make sure that End User agrees with any changes and amendments. End User’s continued use of our Services constitutes End User’s acceptance of this Policy and any updates. This Policy is incorporated into the Terms of Service for End User (if End User is an End User) and the Terms of Service for Analysis Facility (if End User is a Facility User).
XVII. Contact Information
If End User have any questions or comments regarding this Policy, our information handling practices, or any other aspects of End User’s privacy and the security of information, please send an email to Info@InBody.com or contact us at
Attn: Legal and Business Affairs
13850 Cerritos Corporate Dr., Suite C
Cerritos, CA 90703