Effective date of this Privacy Notice – January 01, 2022.
Summary of Changes:
This revision contains material changes to the data retention policy and minor changes to improve clarity, readability, and accuracy of description.
This Privacy Notice (the “Notice”) describes how ImPACT Applications, Inc. (the “Company”, “we”, “us”) collects, stores, transmits, and protects any information that you give when you use any of the Company’s products and services (each a “Service” and collectively, the “Services”). This Notice applies to all of your uses of the Services and describes how your Personal Information* will be treated as you use the Services.
*“Personal Information” is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual.
*“Medical device data” is information collected by the Company’s Cognitive Testing Applications.
The Company is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using the Services, the information will only be used in accordance with this Notice.
This Notice applies to the information collected and processed by the Company and/or on behalf of Health Care Providers or Institutions (e.g., physician, school, sports club, etc.) through the following products and services related to cognitive testing:
- Cognitive Testing Applications: ImPACT, Cognitive Impairment Screener, and ImPACT Pediatric and ImPACT Quick Test (both available through ImPACT Toolkit);
- Mobile Applications including ImPACT Toolkit that permit users to perform cognitive tests on mobile devices, and ImPACT Passport App that allows the test takers to store their unique ID (ImPACT Passport ID) and record symptoms; and
- ImPACT Customer Center web portal for professional users that enables the test results and information collected through Cognitive Test Applications and Mobile Applications to be centrally accessed and managed by healthcare providers or account administrators.
This Notice also describes how we collect and use information that customers provide to us in connection with:
- Creation or administration of ImPACT Applications accounts, which we refer to as “Account Information”. For example, Account Information includes names, usernames, phone numbers, email addresses, and billing information associated with a customer’s account;
- Training and Education products and services; and
- Information and promotional materials about our Products and Services provided via periodic notifications or requested by visiting the Company sites.
What Information Do We Collect?
We collect only the minimum information necessary to provide the Services. Depending on the Service or your role in receiving that Service (for example, we collect different information from an account administrator than from a test taker), we may collect one or more of the following types of information:
- Contact information, such as name, email, and phone number.
- Payment and billing information, such as address, credit card, or bank account details (this information is encrypted and processed by accredited third-party providers and is not retained by the Company after successful completion of the transaction).
- Demographic information, such as age, gender, language preference, schools or sports clubs, and education.
- Health-related information, such as symptoms, concussion history, medical history related to concussions, and cognitive test results.
- Training and education related data, such as session results, and times/dates of sessions.
- Company website related data, such as browser type and IP address.
How do we use your personal information?
We use your personal information to help us deliver products and services optimized for your needs, or to fulfill contractual obligations, depending on the purpose for which we collected your personal information. This includes:
- Providing updates regarding your account, such as details of recurring payments.
- Providing educational information to guide your use of the Services.
- Internal record keeping.
- Improving our Services.
- Sending periodic promotional emails to account administrators about new products, special offers, or other information we think you may find interesting, using the email address you have provided. Note: when test takers provide their contact information during a test, that information is not used for marketing or promotional communication.
- Sending promotional materials or offers by email when you sign up. These will always include an option to opt out of future such emails.
Disclosure and Sharing of Personal Information
The Company will not disclose, move, access, or use Personal Information except as provided in the customer’s agreement with the Company, or without your explicit consent, or when the Company believes it is required to do so by law. However, we may collect and use aggregate, de-identified (anonymized), or other information that does not identify you (“De-identified Information”) for research or scientific purposes. For the purposes of research, we may include some of your data in scientific studies. For example, to show how test scores generally relate to demographic information, such as age, gender, or sport. If so, this data will be used anonymously, and not directly associated with you in any way.
We do not use or share personal information for any marketing purposes unrelated to the Services.
Choices You Have About Collection, Use, Correction, and Erasure of Your Personal Information
You have a right to be told what Personal Information we hold about you and to which third parties we have disclosed it (with certain exceptions). You also have a right to provide us with corrections if you believe any of your Personal Information is inaccurate. However, if Personal Information was collected through an organization such as a school, sports team, or medical provider, requests for access, amendment, or deletion should be directed to the organization through which the data was originally collected.
Because the data generated by the Cognitive Testing Applications can only be used by licensed healthcare professionals, test takers will not be granted access to this data by the Company. Requests to view these data should be directed to the healthcare professional.
The Company will retain test taker Personal Information collected and processed through the cognitive testing applications for 7 years unless you have a contract (e.g., Business Associate Agreement, Data Privacy Agreement) specifying a different retention schedule. If any federal or state requirement conflicts with and preempts either the Company’s default retention period or a retention period specified in a contract, we will follow the statutory and/or regulatory requirement. If you request the deletion of your data, entirely or in part, by submitting a written request to the Company’s Data Protection Officer (see contact information at the end of this Notice), we will honor that request as long as we are allowed to do so under applicable law and regulations. When Personal Information collected by the cognitive testing applications reaches 7 years from the date of creation, it will be de-identified, archived, and permanently removed from the Company’s production database, following a review by the legal and regulatory compliance departments to ensure the archiving process follows applicable legal and contractual requirements.
The Company will retain the Personal Information required to establish and maintain a customer account for as long as you wish to maintain an active account. When an account becomes inactive, we will delete the information two years after the account is terminated or five years after the last activity (e.g., renewal), whichever applies.
Use of the Site by Children
Our Services are not directed to children under the age of 18. In accordance with applicable regulations (such as COPPA, FERPA, and other state privacy and education laws), the Company will not knowingly collect or accept personally identifiable information from a child under the age of 18 without a parent’s or guardian’s prior consent. Information is collected from children under 18 through the cognitive testing and supporting applications only with the consent and under the supervision of a parent or guardian, or, in the case of use through an institutional user, with the consent and supervision of that institutional user acting with authority and consent from the parent or guardian. This information is not used for, or shared with third parties for, marketing or commercial purposes.
Compliance with Law Enforcement
The Company will make any legally required disclosures of any breach of the security, confidentiality, or integrity of your electronically stored personal data. The Company cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims or legal process (including subpoenas), to protect the property and rights of the Company or a third party, to protect the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.
Cross-Border Processing and Transfer of Information
All Personal Information and health-related data collected through the cognitive testing and supporting applications are stored in a secure location in compliance with local regulations governing cross-border data transfer. Data collected from US users is stored in a datacenter located within the US, while data collected from our international users is stored in a datacenter located in Canada.
Information collected through all other services or provided during customer support interactions will be stored in the United States. When you provide personal information, you fully understand and unambiguously consent to the transfer of your personal information to, and the collection and processing of such personal information in the United States. For Services users who are residents of the United Kingdom, European Union, and other European Economic Area nations, please be advised that while there is some uncertainty as to the scope of the EU General Data Protection Regulation (GDPR) as applied to US-hosted Services such as ours, our practices in handling personal information collected through the Services relating to residents of your jurisdictions are designed to conform to the GDPR.
We are committed to ensuring that our customers are accessing applications securely. In order to prevent unauthorized access or disclosure, we have put in place technical and organizational measures appropriate to the risks to the information we collect. The following technical controls have been put in place to help protect customers and meet compliance requirements.
- Data Protection
  - Secure Transmission and Storage of Data
    - Connections to the Company’s applications and environment use TLS cryptographic protocols, ensuring that users have a secure, encrypted connection.
    - All data is encrypted while in transit and also when persisted at rest.
  - Network Protection
    - Perimeter firewalls and edge routers block unused protocols.
    - Internal firewalls segregate traffic between the application and database tiers.
    - Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.
    - Periodic network scans identify potential threats and alert on changes to the baseline configuration.
    - A managed web application firewall service monitors all network traffic destined for our applications, sending alerts to the Company’s security team while blocking suspicious traffic.
  - Disaster Recovery
    - The system replicates customer data to a second datacenter on an hourly basis.
    - Data Recovery Time Objective: 24/48 hours (standard / extended).
  - Internal and Third-party Testing and Assessments
    - All Company Services are validated prior to public launch using documented software validation procedures to comply with medical device regulations and standards for software quality. Validation is built into the software development process.
    - The Company tests its applications for security vulnerabilities and regularly scans the Company’s network and systems for vulnerabilities. Third-party tools and services are used to assess software and infrastructure vulnerabilities regularly, including application vulnerability assessments, network vulnerability assessments, penetration testing, source code vulnerability review, and assessments against a security control framework.
  - Security Monitoring
    - The Company’s Information Security team monitors notifications from various sources and alerts from internal systems to identify and manage threats.
- Company Personnel
  - All Company employees must abide by this Notice and internal privacy policies, and those who violate them are subject to disciplinary action, up to and including termination. All employees are required to sign non-disclosure agreements and to complete ongoing security training throughout the year.
- Physical Security
  - The Company’s system is hosted with trusted data center partners who maintain ISO 27001 and/or SOC 2 Type II compliance. Physical access is strictly controlled both at the perimeter and at building access points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic systems. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
  - Additionally, these data center facilities provide: automatic fire detection and suppression equipment; redundant data center electrical power systems; climate control to maintain a constant operating temperature for servers and other hardware; continuous monitoring of electrical, mechanical, and life support systems and equipment; and secure storage device decommissioning.
The Company uses traffic log cookies to identify which pages are being used. This helps the Company analyze data about web page traffic and improve the Company Websites in order to tailor them to customer needs. The Company only uses this information for statistical analysis. Overall, cookies help the Company provide you with a better website by enabling the Company to monitor which pages you find useful and which you do not. A cookie in no way gives the Company access to your computer or any information about you.
California Residents – Your California Privacy Rights
The Company does not permit third parties to collect personal information about an individual’s online activities over time and across different Websites when an individual uses Company Services or visits Company Websites; and therefore, does not respond to Do Not Track (“DNT”) signals.
If you are a California resident and would like to request the identity of any third parties to whom the Company has disclosed personal information for the third parties’ direct marketing purposes within the previous calendar year, along with the type of personal information disclosed, please submit your request in writing to firstname.lastname@example.org.
When you use the Services, we will inform you what personal information is necessary to receive the Services. You may withdraw consent for future processing or communications at any time, and you may lodge a complaint with the data protection supervisory authority in your country of residence if you believe that our processing has violated the law. You may contact our Data Protection Officer at the address listed under Contact below, or our European Representative.
EU Representative under Article 27 of GDPR
We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to email@example.com. BizLegal Ltd, trading as EU Rep, has its registered office at 27 Cork Road, Middleton, Co. Cork, Ireland. Company number 635921.
UK Representative under Article 27 of GDPR
We have appointed UK Rep Ltd as our Representative under Article 27 of the UK General Data Protection Regulation, as set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, and any amendment or restatement thereof (“UK GDPR”).
All UK GDPR queries from UK Data Subjects or Data Protection authorities should be addressed to firstname.lastname@example.org. UK Rep Ltd is a company registered in the United Kingdom of Great Britain and Northern Ireland (hereinafter “the UK”) with registered number NI677214, whose registered address is 80/81 Ebrington Square, Derry, Derry, BT47 6FA, NORTHERN IRELAND.
Privacy Notice Updates
We may occasionally update this Notice. When we do, we will also revise the “Effective Date” at the top of this page. For material changes to this Notice, we will notify you either by placing a prominent notice on the Company Websites or the Customer Center, or by sending you a notification directly. Your continued use of the Services constitutes your agreement to this Notice and any updates.
If you have any questions about this Notice, your rights, or any other aspect of your privacy and how we are collecting, using, protecting, and/or disclosing the personal information we collect, or need assistance submitting a complaint to a data protection supervisory authority (regional government agency), please contact us at:
Attn: Data Protection Officer
ImPACT Applications, Inc.
2140 Norcor Avenue, Suite 115
Coralville, IA 52241