Information Privacy and Security

This Privacy Statement applies to Merge Healthcare Incorporated (an IBM company - referred to herein as "Merge," “we,” “us,” “our”). This Privacy Statement describes how Merge collects, uses, shares and secures Personal Information, as well as your choices regarding use, access and correction of your Personal Information. "Personal Information," as used in this Privacy Statement, means any information which may be directly or indirectly linked to an identifiable individual, and may include health information.

Overview of Merge
Merge develops software solutions that facilitate the sharing of images to create a more effective and efficient electronic healthcare experience for patients and physicians. Our solutions are designed to help solve some of the most difficult challenges in health information exchange today, such as the incorporation of medical images and diagnostic information into broader healthcare IT applications, the interoperability of proprietary software solutions, and the ability to improve the efficiency and cost effectiveness of our customers’ businesses.

Collection, use, disclosure and retention of Personal Information
Merge collects or receives Personal Information that customers and others voluntarily provide to us, for example, when using Merge services, placing a product order or requesting a white paper through our website, requesting technical support, joining our mailing list, etc.

This Personal Information may include:

  • contact information, such as name, company name, job title, job function, expertise, email address, mailing address or phone number; billing information, such as credit card number and billing address;
  • and preference information, such as product wish lists, order history or marketing preferences.


This information is only used for the purposes for which it is collected, including: providing services; facilitating sales transactions; processing payments; responding to inquiries and fulfilling requests; providing troubleshooting, technical and product support; sending information about products, services, and events (e.g., by email); personalizing your experience on the website by presenting content tailored to you; and business purposes, such as data analysis, audits, fraud monitoring & prevention and developing new products

Merge and its affiliates, and their contractors and subprocessors, may, wherever they do business, store and otherwise process Business Contact Information (BCI) of individuals, as well as clients and their personnel and authorized users. For example, such BCI may include name, business telephone, address, email and user IDs for business dealings with such persons and clients. In certain instances, Merge may rely on legitimate interest for the storage and processing of such BCI. Merge provides products and services that allow healthcare providers to more effectively manage, access, share and utilize medical images and health records. Depending on the product or service provided, we may obtain and process Personal Information about the patients of a healthcare provider on behalf of that provider. We will only use this information for the purposes of serving our customers and will only retain such information as long as necessary to meet those purposes.

Our customers are required to ensure that they have consent or other lawful authority to transfer Personal Information to Merge for processing. Any such information provided to Merge by our clients for processing is solely for the purpose of providing troubleshooting, diagnostic, or other support services on the software products provided by Merge.

Passive Collection.
As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser and device type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, and/or clickstream data to analyze trends in the aggregate and administer the site. . This information is not directly identifiable and will only be used to improve the performance and responsiveness of our website. Any other information collected, such as originating domain, time of visit, connection speed, and pages accessed is maintained in aggregate form.

Information sharing
Merge will not share your Personal Information with third parties except: with your consent; where necessary to fulfill a purpose for which the Personal Information was collected (e.g., we may provide your Personal Information to a service provider in order to process a payment or to send you marketing emails you have requested); to respond to a subpoena, warrant or court order; to comply with court rules regarding the production of records and information; in urgent circumstances to protect the life, health or security of any person; or where otherwise required by law.

When Merge shares your information with third parties who provide services on our behalf to help with our business activities, these companies are authorized to use your Personal Information only as necessary to provide these services to us.

Merge may retain your Personal Information while your account is in existence or as needed to provide you Service, to comply with our legal obligations, to resolve disputes and to enforce our agreements.

If Merge is involved in a merger, acquisition, dissolution, or sale of all or a portion of its assets, Merge reserves the right to transfer your Personal Information. You will be notified via email and/or a prominent notice on our website of any change in ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.

Storage outside of your country
Personal Information collected by Merge may be transferred between and stored outside of the country in which you reside. As such, Merge may be legally required to provide Personal Information to government institutions, law enforcement agencies or courts in either in those countries in order to respond to a subpoena, warrant, or other lawful order.

EU-U.S. Privacy Shield Framework
Merge participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Merge is committed to subjecting all Personal Information received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List here.

Merge is responsible for the processing of Personal Information it receives, and any subsequent transfers to a third party acting as an agent on its behalf. Merge complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Merge is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Merge may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at:

Under certain conditions, more fully described on the Privacy Shield “How to Submit a Complaint” webpage, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

The security of your Personal Information is important to us. Merge endeavors to keep Personal Information as secure as possible and employs generally accepted industry standards to do so. The following is a summary of the measures taken by Merge to protect your information.

Secure Protocols
Merge uses Secure HTTP (HTTPS) encryption when transmitting certain kinds of information, such as Personal Information or payment information, so that no one else can read it while it is being transmitted over the Internet.

Secure Storage
Merge maintains reasonable physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.

Vendors and Partners
Merge requires its vendors and partners to fulfill their contractual obligation on implementing technical and organizational security measures in the processing of all personal Information.

Access to Information by Members of the Merge Workforce
Merge limits access to Personal Information to those members of its workforce who reasonably require such access in order to provide products or services to you or in order to do their jobs.

Education and Training for Workforce Members
Merge has implemented a company-wide education and training program about security that is required to be completed by every member of the Merge workforce.

Security Steps You Can Take
If you are a user of a Merge service that requires you to create an account with a password, do not share that password with anyone. Please contact us if you believe your Merge account has been compromised or if you have been contacted by someone about your Merge account asking for a password or other Personal Information. In the event that you believe that your personal safety is at risk or if you believe that you may be the victim of identity theft or other illegal conduct, please contact the appropriate federal, state or local law enforcement agencies directly.

Access to your Personal Information
Upon request, Merge will provide you with information about whether we hold any of your Personal Information, where Merge directly collected this information from you. You may access, correct, or request deletion of such Personal Information by contacting us as described in the “Contacting Merge” section below. We will respond to your request within a reasonable timeframe, and we will abide by your requests unless otherwise required by law.

Merge acknowledges that you have the right to access your Personal Information. However, Merge has no direct relationship with the individuals whose Personal Information we process on behalf of our customers. If you wish to access, correct, amend, or delete information about you that was provided to Merge by a Merge customer, you should contact the Merge customer with whom you have a direct relationship (i.e. the data controller). If requested to remove data we will respond within a reasonable timeframe.

Merge relies upon assurances from its customers that the Personal Information that Merge receives or is given access to by its customers is relevant for the purposes for which it is to be used and that its customers have obtained the requisite consents to enable the lawful processing of Personal Information by Merge. Merge uses the data only in accordance with its customers’ instructions.

Merge will take reasonable steps to ensure that Personal Information entered into its systems retains its original relevance, accuracy, completeness and currency.

Can I be denied access to my Personal Information?
There are times when Merge may deny access to your Personal Information such as: denial of access is required or authorized by law; information relates to existing or anticipated legal proceedings against you; when granting you access would have an unreasonable impact on other people’s privacy, security or proprietary information; to protect Merge’s rights and/or property; when we are unable to positively validate the identity of the requestor; or where the request is frivolous or vexatious or generates costs which are prohibitively expensive.

If we deny your request for access to, or refuse a request to correct information, we will do so in writing and explain why.

Also, Merge cannot provide patients with access to their Personal Information if that information was provided to Merge by a healthcare provider. Patients of Merge's healthcare provider customers should contact their healthcare providers to obtain access to their Personal Information.

Links to other websites
The Merge website provides links to other websites whose privacy practices may differ from those of Merge. Once a visitor or member leaves the Merge website, they are subject to the policy of that new site and should consult the privacy policy of that site to learn about its information handling practices.

Our website offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. To request removal of your Personal Information from our blog or community forum, contact us at In some cases, we may not be able to remove your Personal Information, in which case we will let you know if we are unable to do so and why.

Use of cookies
Merge and its partners may use cookies or similar technologies to help customize your use of the Merge website and on-line services, as well as to analyze trends, administer the website and track users’ movements around the website.

A "cookie" is a small text file sent by a web server to a web browser to transmit information back to that browser. Cookies are a way to have the browser remember specific bits of information to improve the user experience by simplifying the delivery of relevant content, making site navigation easier, etc. We do not record directly identifiable or sensitive information in our cookies.

Most web browsers are configured to accept cookies automatically. If you prefer not to accept cookies, you may adjust your browser settings to notify you when a cookie is about to be sent, or you may configure your browser to refuse cookies automatically. If you choose not to accept cookies, you may continue to use the Merge site; however, it may limit your use of certain features or functions on our website or service. For more information on managing Flash Cookies, visit the Flash Player Help website.

Use of web beacons
We may use web beacons to track browsing activities in order to measure how users interact with the Merge website and the effectiveness of advertisements or promotional campaigns. A “web beacon” is an electronic image that can be used to recognize a cookie on your computer when you view a web page. Web beacons are used for analytics, to inform customization of product and services offerings, and to optimize the browsing experience. Web beacons are not used to collect personal or sensitive information.

Advertising and IBA Opt-Outs
We partner with a third party to display advertising on our website or to manage our advertising on other sites. Our third party partner may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you are located in the European Union and wish to opt out of interest-based advertising (“IBA”) you may do so via the “Your Online Choices” website. If you are located outside of the EU, use the “Your Advertising Choices” website. Please note you will continue to receive generic ads.

Do Not Track
Currently, various browsers offer a “do not track” or “DNT” option which sends a signal to websites visited by the user about the user’s browser DNT preference setting. Merge does not currently commit to responding to browsers’ DNT signals with respect to Merge’s websites, in part, because no common industry standard for DNT has been adopted, including no consistent standard of interpreting user intent.

We may display personal testimonials of satisfied customers on our website in addition to other endorsements. With your consent, we may post your testimonial with your name. If you wish to update or delete your testimonial, you may contact us as described below.

Requesting to be removed from email lists
You may sign-up to receive email or newsletters from Merge. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you, or by contacting us as described below. If you have subscribed to receive email updates from Merge, and/or no longer wish to receive email from us in the future, you can also let us know by updating your communication preferences:

Changes to this privacy statement

Merge reserves the right, at its discretion, to change, modify, add, or remove portions of this Privacy Statement at any time. If we make any material changes we will notify you by email (sent to the email address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to check this page periodically for changes. Your continued use of Merge services following the posting of changes to this Privacy Statement will mean that you accept those changes.

Contacting Merge
If you have any questions or concerns about this Privacy Statement or Merge's privacy practices, please contact our Privacy Officer at When contacting us, please be sure to provide us with your exact e-mail address, name, address, and/or telephone number(s) in order to be sure we handle your inquiry correctly. You may also contact us at:

Merge Healthcare
900 Walnut Ridge Drive
Hartland, WI 53029
ATTN: Privacy Officer

Or alternatively at the IBM UK Head Office:

IBM United Kingdom Limited
PO Box 41, North Harbour
Hampshire, PO6 3AU

In addition, you have the right to lodge a complaint with a supervisory authority.

This Privacy Statement was last updated on May 9, 2018.

Number: IS-243 | Revision: 4.0