1. Information We Collect
When you use our Services, we collect the following types of information.
Account Information We Collect from You
Some personal information is required to create and use an account on our Services, such as your name, email address, phone number, and other information as we might request from you, or information we collect automatically while you use the Services (collectively “Account Information”). Account Information we collect may include:
● Biometric information, including facial images captured during recorded assessment sessions.
● Cognitive Assessment Scores, gathered from cognitive exams that you have signed up for as part of a cognitive health program, or administered with your knowledge as part of an adjudication process requested by your health plan, treatment providers, or others.
● Internet or other electronic network activity information, such as the usage data we receive when you access or use our Services, including use of our websites and mobile apps. This includes information about your interactions with the Services and includes details such as your device's unique device identifier, IP address, operating system, browser type, mobile network information, and other configuration information. We may also use technology such as “cookies” and “web beacons” to track and better understand how you use our Services and whether you have opened our messages to you.
● Geolocation data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs, if you have granted us access to that information through your device settings.
● Electronic, visual, or similar information you provide or upload, such as your profile photo or other images or information.
● Health information that you choose to provide to us, such as health-related details about you, or your messages to specialists, healthcare providers, and insurance companies related to the Services.
● Coaching Information that you choose to share with our coaching staff, if you sign up and use our optional coaching services, including information in the forms you complete and information you share with a coach during one-on-one sessions.
● Inferences drawn from any of the above, including the number of cognitive skills you assessed or trained, sleep insights, personalized exercise and activity goals, and insights noted from optional coaching services.
Information We Collect from “Covered Entities” for Assessments
If we are asked on behalf of your health plan, treatment providers, insurer, or other regulated entities (“Covered Entities”) to conduct a specific assessment as part of their services to or for you, we may request or receive information related to your past, present or future physical or mental health or condition, and the provision of health care to you, which is information considered “protected health information” under certain state laws and federal laws such as HIPAA and HITECH (collectively, “Protected Health Information” or “PHI”).
Information that identifies you, or that can reasonably be used to identify you, and that includes information from a Covered Entity about you, is protected as PHI and will be used and disclosed only as described in this policy and as permitted by law. We will also treat health-related information that you provide to us as PHI when we collect it from you on behalf of a Covered Entity.
Information We Collect from Third Parties for Our Other Services
We may also work with third parties, such as pharmaceutical companies, employers, insurance companies, educational institutions, research facilities, and health and wellness companies, that offer certain Neurotrack Services to patients, customers, employees, clients, students, study participants, and consumers. In such cases, these organizations may provide us with your name, email address, or similar information (like a telephone number or subscriber ID), and may include PHI, so that we can invite you to participate in collaborations with these third parties.
For some Services to fully function, it may be necessary for you to authorize one or more of these third parties to provide us with the dates and results of medical tests including but not limited to medical records or other information that will constitute PHI. This will only be done with your express permission, which will be collected upon the creation of your account with the third-party service providers to whom you have given your permission to share the PHI with us.
2. How We Use Information
We use the information we collect for the following purposes:
Registration and Service Delivery
We use Account Information to register you and identify which Services have been requested by you or a Covered Entity with your approval. We use Account Information, as well as any PHI that has been provided, to provide our Services and to manage your relationship with us, including to send you technical notices, updates, alerts, and support, billing, and administrative messages (you may set your preferences for receiving messages in your account profile). If you have agreed to an assessment or other Service being conducted on behalf of a Covered Entity, we will use your Account Information as well as PHI we may collect to report the results of the assessment or other Service to the Covered Entity.
Improve, Personalize, and Develop the Services
We use the information we collect to improve and personalize the Services and to develop new ones. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research; and develop new features and Services. If your information is shared with a third party for these purposes, it will not include personally identifiable information about you or your PHI without your prior consent.
We collect information to score cognitive assessments of you, either because you signed up on your own and asked for an assessment, or the assessment is being performed for third-party Covered Entities such as health care providers and insurance companies who you have authorized to provide us with such information. If the assessment is performed for a third-party Covered Entity, then by accepting the invitation and participating in such assessments requested by a Covered Entity, you are authorizing us to share your Account Information, PHI, and results of the assessments with that Covered Entity directly or through their approved representatives (“Business Associates”).
Promote Safety and Security
We use the information we collect to promote the safety and security of the Services, our users, and other parties. For example, we may use the information to authenticate users, facilitate secure payments, protect against fraud and abuse, respond to a legal claim, conduct compliance audits, and enforce our terms and policies. We may also disclose information if we reasonably believe it is necessary to prevent harm to our users or to others, although we undertake no duty to monitor our records for such purposes.
We may use your information to enforce or defend any legal obligation or rights or to comply with applicable law.
3. How Information Is Shared
Subject to the requirements of applicable law, including HIPAA and HITECH, we may share your Account Information including PHI with third parties as described below.
With Our Trusted Service Providers
We use trusted third parties under strict contractual protections to help us provide Services, such as secure hosting providers to store and process data, electronic communications providers for messaging services, data analytics providers, and video conferencing services for recording assessments. These parties who work under contract with us, sometimes referred to as data “subprocessors,” are not permitted to make any use of the information except to provide the services on our behalf, nor may they retain the information after completion of the services unless required by law. We make available the current list of our subprocessors which you may request by contacting us as described in the “How to Contact Us” section below.
We may also share information, including PHI, with Covered Entities and their Business Associates based on consents you have provided to us or the Covered Entities, in order to provide our Services.
Account Information and PHI collected from you may be stored and processed in the United States or any other country in which we and our affiliates, subsidiaries, agents or contractors maintain facilities. If you reside in the European Union or other regions with laws governing data collection and use, please note that by using our Services you are agreeing to the transfer of your data to the United States and processing in our other locations. If we transfer your Personal Information outside the United States, we take steps to protect your information as required under applicable law. We will retain your Account Information and PHI for no longer than is necessary for the performance of our obligations, to achieve the purposes for which the information was collected, or as may be permitted under applicable law.
Law and the Public Interest
We may preserve or disclose information about you to comply with any applicable law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the safety of any person.
We may share information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such anonymous information publicly and to third parties, for example in public reports, to partners under agreement with us, as part of the community benchmarking information we provide to users of our Services, or for any business or research purpose without restriction.
We may share your personal information during a corporate transaction like a merger, or sale of our assets, or as part of the due diligence for such contemplated transactions. If a corporate transaction occurs, we will provide notification of any changes to control of your personal information, as well as choices you may have at that time.
Links to Third Parties
4. Your Rights to Access and Control Your Information
You have the right to understand how we collect, use, and disclose your PHI, to access your information, to request that we delete certain information, and to not be discriminated against for exercising your privacy rights.
We give you account settings and tools as part of the Services to help you understand, access, and control your information that is in our possession.
Accessing and Exporting Data
By logging into your account, you can access and manage your personal information, including your account settings. You are also free at any time to contact us for assistance in accessing, managing, and exercising your rights with respect to your Account Information, including PHI, that we process for you. See the “How to Contact Us” section below for information on how to make such requests.
Editing and Deleting Data
By logging into your account and using your account settings, you can change and delete your personal information.
If you choose to delete your account, please note that all data, scores, and information will be permanently deleted, except as noted below.
We may retain your PHI even after you have closed your account if reasonably necessary to comply with our legal obligations (including law enforcement requests or contractual obligations to Covered Entities), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, enforce our User Agreement, or fulfill your request to “unsubscribe” from further messages from us.
Note that while most of your information will be deleted within 30 days, it may take up to 90 days to delete all of your information, such as data stored in our backup systems.
Objecting to Data Use
We give you account settings and tools to control our data use. For example, through your privacy settings, you can limit how your information is visible when using the Services; using your notification settings, you can limit the notifications you receive from us; and under your account settings, you can revoke the access of third-party applications that you previously connected to your Neurotrack account.
Opting Out of Optional Communications
In the event that you no longer wish to receive any marketing or other optional communications from us, please use the unsubscribe option (which is in all of our marketing emails to you), or contact us using our contact information below. Please note this will not affect administrative messages we may need to send to you regarding your account and the Services.
For California Residents
California law requires that we indicate whether we honor “Do Not Track” or “DNT” settings in your browser concerning targeted advertising. Our Services do not currently respond to web browser “Do Not Track” signals or other mechanisms that provide a method to opt out of the collection of information on the App. For more information about DNT signals, please visit http://allaboutdnt.com.
5. Data Retention
We keep your Account Information for as long as your account is in existence because we need it to operate your account and provide Services you have requested or approved. In some cases, when you give us information for a feature of the Services, we delete the data after it is no longer needed for the feature. We keep other information, like your exercise or activity data, until you use your account settings or tools to delete the data or your account because we use this data to provide you with your personal statistics and other aspects of the Services. We also keep information about you and your use of the Services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the sections above.
6. Our Policies for Children
The Services are not directed to children under 18 years of age. Unless otherwise disclosed during collection and with parent or guardian consent, Neurotrack does not knowingly collect PHI from children under 18 years of age. Should it come to our knowledge that we have collected PHI of a person under 18 years of age without verified consent from a parent or guardian, we will take action to remove the information from our systems.
7. Information Security
We have implemented technical, physical, administrative and organizational measures designed to secure your PHI and other personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.
We limit access to your information to those employees, agents, contractors and other service providers who have a business need to know and who are contractually obliged to keep this information confidential.
We also endeavor to take reasonable steps to protect you from external threats, for example hacking, theft, or malicious software, by using secure hosting facilities with firewalls and advanced threat detection using encrypted network communications. Please be aware that there are always risks in sending PHI over public networks, and that we cannot guarantee the security of data sent to us using unsecured networks. Also, you are responsible for maintaining the secrecy of your account password and not sharing it with any other person. We will never ask you for your password by email, phone, or other communication, so beware of attempts by others to gain illegal access to your information.
We have procedures to deal with any suspected PHI breach and will notify you and any applicable regulator when it is appropriate for us to do so.
If you have a security-related concern, please contact customer support at email@example.com.
8. Changes to This Policy
9. How to Contact Us
If you have questions about this policy or need help exercising your privacy rights, please contact us at firstname.lastname@example.org.
You may also contact us by mail at:
Neurotrack Technologies, 399 Bradford St., Ste. 101, Redwood City, CA 94063
We endeavor to respond to a verifiable consumer request within fifteen (15) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.