Effective date: May 25th, 2018
Last updated: June 18th, 2018
Who we are and the scope of this policy
We own and operate all websites under the domain of shadowhealth.com, referred to as "Sites" in this policy. We also own and operate a web platform we use to deliver our simulation products to our users, including https://app.shadowhealth.com, referred to as the "Service." If you intend to use the Service, please additionally review the Terms of Service.
What data we collect from you and how we use it
We take the protection of your data very seriously and have made every effort to be compliant with the European Union's General Data Protection Regulation ("GDPR"). Under the terms of the GDPR, we are the "controller" of the data we collect from you.
Personal Data. We collect "Personal Data", data that identifies, or could reasonably be used to identify, an individual. Personal Data we may collect includes contact information, such as name, email address, and phone number. We do not collect special categories of Personal Data as defined by the GDPR as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation."
Usage Data. We collect "Usage Data" that is created through your use of our Sites or Service. This may include non-personally identifiable information about the browser and computer you use to access the Sites or Service, as well as log data and data input by registered users of the Service in the course of their use of the Service.
Data collected as a visitor to our Sites
When you visit our Sites or visit our Service as an unauthenticated user (you have not created an account or logged in), we collect Usage Data to improve our Sites and Service. We do not collect Personal Data unless you provide us this data for a specific purpose.
Our Sites include various contact and request forms which visitors may complete in order to be contacted about specific products or services offered. When you provide your Personal Data by completing one of these forms, we will always disclose for what purpose the data will be used, for example to schedule a product demonstration, and ask for your consent to collect and process this data.
We also collect non-personally identifiable data, including page load times, URL that referred you to the service, browser and operating system vendor and version, screen resolution, and approximate IP address as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Sites.
Data collected as a registered user of the Service
When you create an account with Shadow Health at https://app.shadowhealth.com and accept the Terms of Service you enter into a contract with Shadow Health. In order to enter into this contract we require that you provide us with certain Personal Data.
Your institution may offer the ability to create an account with Shadow Health directly through your institution's learning management system or other website. If you use this mechanism to create an account with Shadow Health, your institution will provide us with the Personal Data required to enter into the contract. You will additionally be required to accept the Terms of Service upon creating an account.
Whether you create your Shadow Health account yourself or through your institution, for the performance of our contract with you, we will collect Usage Data when you access the Service as a registered user.
When you create an account we require that you, or your institution, provide us with your first and last name and email address, to secure and maintain your account and provide you with a mechanism for authenticating with the Service. We also use this data, along with your phone number if you choose to provide it, to provide you with customer support when you request it.
When you purchase or redeem a "bookstore code" for a product license, we require that you provide us with a "course PIN" to identify the course in which you will use the product. This links your account to the product license and to your institution's course within our Service.
If you purchase a product license from a re-seller, such as your institution's bookstore, the bookstore may provide us with your name and email address so that we can prevent redemption of fraudulent bookstore codes.
If you choose to contact our customer support at firstname.lastname@example.org or https://support.shadowhealth.com, you will be asked to provide your name and phone number or email address in order to confirm your identity and allow our support agents to view your account data as necessary to provide support.
As part of your use of the Service, we may ask you to complete surveys to measure the effectiveness of our products and assist you with continued use of the products in your course(s). The surveys will not ask for additional Personal Data, but your survey responses will be linked with your account.
When you log in to your account, we record the IP address from which you accessed the Service. When you perform actions within the Service, such as viewing your course or assignments, we capture log data, including the URL accessed and the IP address it was accessed from. We use this data to audit and maintain the security of your data and account.
When you use our simulation products, for example by attempting an assignment, we collect data input by you during the simulation, such as questions you ask our virtual patients and documentation you enter in the virtual patient's chart. This data is used to provide you and your course faculty with a record of your performance in the simulations.
We also collect non-personally identifiable data, including page load times, URL that referred you to the service, browser and operating system vendor and version, processor vendor and version, video card vendor and version, available memory, screen resolution, and device identifiers as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Service.
Data collected as a re-seller of our products
We provide a Site for those who re-sell licenses for our products, such as university bookstores, to manage their stock of Shadow Health product licenses. This Site is only intended to be accessed by re-sellers who have contracted with us. To do so, contact email@example.com.
From registered users of our bookstore Site we collect first and last name, email address, and affiliated institution. We may also collect the same information for the bookstore billing contact, if this is not the same person as the registered user. We collect this data for the performance of our contract with your organization, to secure and maintain an account and provide the user a mechanism for authenticating with our bookstore Site.
From visitors to our bookstore Site we collect non-personally identifiable data, including page load times, browser and operating system vendor and version, and approximate IP address as part of our legitimate interest to ensure the security of and improve the performance of the bookstore Site.
Data collected as a prospective customer
We may contact prospective customers to determine their interest in our products and services. When we do this the individual will be told what Personal Data we have collected, why we are contacting them, and how they can opt-in or opt-out of further contacts. We will always ask for and receive consent from you, as a prospective customer, when we collect your data in order to contact you about products or services in which you have expressed interest.
If you have provided your contact information (name, email address, phone number, institutional affiliation) in a request for a product demonstration, instructional design consult, product training, or other reason for contact, we will store this data and process it only to fulfill that request. If you feel that you have been contacted in error, please use the "unsubscribe" link in email contact or email us at firstname.lastname@example.org.
Other cases in which we collect or process data
We may also be required to collect or process data due to legal obligations, including responding to an individual's data-rights request or complying with a legal order.
How long we keep your data
When we collect your Personal Data, we will maintain and store it for as long as we determine reasonably necessary to provide the Sites and Service to you, unless you exercise your right to erasure described below, or to comply with applicable legal requirements.
Your rights to access and control your information
Shadow Health does not use automated decision making technologies.
There is no charge for any of the requests referenced in this section. For any such request please contact us by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request, by email to email@example.com or by mail to:
Shadow Health, Inc
Attn: Data Protection Officer
201 SE 2nd Ave, Ste. 201
Gainesville, FL 32601, USA
We will endeavor to respond to such requests in a timely manner, but in no event longer than one month from receipt of your request.
Right to access and obtain a copy of Personal Data
You have a right to access and obtain a copy of the Personal Data we hold about you. If you are a registered user of our Service, this data is available to you via logging in to the secure portal provided by the Service, e.g. https://app.shadowhealth.com.
Right to accurate information
Registered users of our Service have access to a profile page, on which they are able to edit personal information so that it is accurate. In order to prevent transfer of accounts, in violation of our Terms of Service, we require contacting our Customer Support in order to edit some pieces of information. You can do so by emailing firstname.lastname@example.org or calling (800) 860-3241.
Right to object
If we have collected your Personal Data by asking your consent or in our legitimate interests, you have the right to object to the processing of the data. For example, if you are faculty at an institution which uses one of our products, and we have contacted you to determine your interest in using another of our products, you may object to further contact. We may provide an opt-out or unsubscribe link in email contacts for this purpose. You may also object or withdraw consent by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.
Right to erasure
If we have collected your Personal Data by asking for your consent, you have the right to withdraw that consent and request erasure of that data. If we have collected your Personal Data in order to enter into or for the performance of a contract, you may request erasure of your data. In this case erasure of your data will constitute termination of your contract and all accounts and licenses with us. You may request erasure by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.
Right to data portability
If we have collected your Personal Data by asking your consent or for the performance of a contract, you have the right to request a copy of your data in a machine-readable format. This data only includes the data which you provided to us; it does not include any data which we own which we may have combined with your data. For example, if you are a registered user of the Service, your data includes the questions you have asked virtual patients in our simulation products; your data does not include the responses the virtual patients provided. You can request a copy of your data by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.
Right to restrict processing
If you have contested the accuracy of Personal Data which we have collected from you, or if you have objected to processing of your Personal Data, you also have the right to restrict further processing of your data, including erasure. You can request restriction of processing by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.
Right to file a complaint
If you are a resident of the European Union or located in the European Economic Area ("EEA") at the time of data collection and you believe our processing of your Personal Data to be in violation of GDPR, you have the right to lodge a complaint with the Supervisory Authority of your Member State.
How we secure your data
We comply with applicable laws to provide an adequate level of data protection for the transfer of Personal Data, including encryption of data in-transit using TLS and encryption of Personal Data at-rest. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. Although we apply commercially reasonable security practices to protect your Personal Data, we cannot guarantee the security of data you transmit to us, and you use our Sites or Service and provide us with your data at your own risk. If you believe that the security of your account with Shadow Health has been compromised, please contact email@example.com immediately.
Where we store and transfer your personal data
Shadow Health's business operations are based in the United States. Data we collect, including Personal Data, may be stored and processed in any country in which we have operations or in which we engage third-party processors. Data that is collected within the EEA may be transferred to, and stored at, a destination outside the EEA, including the United States.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
In compliance with the Privacy Shield Principles, Shadow Health, Inc. commits to resolve complaints about our collection or use of your personal information. European Union and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Shadow Health, Inc. at firstname.lastname@example.org or by mail to:
Shadow Health, Inc
Attn: Data Protection Officer
201 SE 2nd Ave, Ste. 201
Gainesville, FL 32601, USA
Shadow Health, Inc. has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact JAMS or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. If your concern continues to be unresolved, you may pursue binding arbitration through the Privacy Shield Arbitration Panel. To learn more about the Privacy Shield Panel, click here.
The Federal Trade Commission has jurisdiction over Shadow Health, Inc.'s compliance with the Privacy Shield.
As explained here we sometimes share Personal Data with third parties to process the data on our behalf. If we transfer Personal Data received under the Privacy Shield to a third party, the third party's access, use, and disclosure of the personal data must also be in compliance with our Privacy Shield obligations, and we will remain liable under the Privacy Shield for any failure to do so by the third party unless we prove we are not responsible for the event giving rise to the damage.
How we share your personal data and why
Shadow Health does not sell or rent Personal Data to marketers or unaffiliated third parties.
We share your Personal Data with trusted third parties including our contracted data processors.
If you are a registered student user of the Service, your Personal Data and certain Usage Data, such as your scores on assignments taken within the Service, are shared with authorized course faculty at your institution so that they may evaluate and incorporate your use of the Service into your course credit or grade. We also share your Personal Data and Usage Data with authorized course faculty at your institution when you violate our Terms of Service or to resolve academic honesty disputes.
To the fullest extent permitted by applicable law, we may also disclose your data if we believe in good faith that doing so is necessary or appropriate to protect or defend the rights, safety, or property of Shadow Health, or to comply with legal and regulatory obligations, such as law enforcement inquiries, subpoenas, and court orders. To the fullest extent permitted by applicable law, we have sole discretion in electing to make or not make such disclosures.
Who we contract with to process your data and why
We contract with third-party processors to process the data we collect. We contract only with processors whose privacy and security policies meet a high standard and who provide an EU General Data Protection Regulation-compliant mechanism for international data transfer, such as a Data Processing Agreement with the EU Model Clauses and/or EU-U.S. and Swiss-U.S. Privacy Shield certification.
The following is an up-to-date list (as of the date of this policy) of the names and locations of our processors and our purpose for contracting with them to process data.
| Processor | Countries in which Processing is Performed | Purpose for Contracting |
|---|---|---|
| Acuity Scheduling, Inc. | United States | Shadow Health uses Acuity for scheduling faculty consults and beta testers |
| Amazon Web Services, Inc. | United States | Amazon Web Services provides computing and storage infrastructure for Shadow Health's Services |
| Google LLC | United States, Ireland | Shadow Health uses Google Analytics 360 to analyze traffic to our Sites and Service so we may enhance, modify, and improve our Sites and Service. Shadow Health uses G-Suite for email and document storage. |
| Mouseflow, Inc. | United States, Denmark | Shadow Health uses Mouseflow to analyze usage data of our Sites and Service to determine the effectiveness of and to further develop our Sites and Service |
| New Relic, Inc. | United States | Shadow Health uses New Relic to monitor the security and performance of our Service |
| Rapid7 | United States, Ireland | Shadow Health uses Rapid7 for logging usage data of the Service |
| salesforce.com, Inc. (SFDC) | United States | Shadow Health uses SFDC to market our Service to prospective institutional customers and to manage relationships with current institutional customers |
| SendGrid, Inc. | United States | Shadow Health uses SendGrid to send transactional emails to users of our Service, e.g. to reset their password, and to contact potential and existing customers to provide them updates on our product offerings |
| Sendible Limited | United States, UK | Shadow Health uses Sendible to contact visitors to our Sites who have requested to be contacted, e.g. to schedule a product demonstration |
| Stripe, Inc. | United States, Ireland | Shadow Health contracts with Stripe to provide PCI compliant processing of payment data for customers purchasing our products |
| SurveyGizmo / Widgix, LLC | United States, Canada, Germany | Shadow Health uses SurveyGizmo to provide asynchronous support and training to customers and to survey users of our Service in order to measure the effectiveness of the Service |
| SurveyMonkey, Inc. | United States | Shadow Health uses SurveyMonkey to survey customers and potential customers on an opt-in basis to determine the effectiveness of and to further develop our products |
| Unity Technologies ApS | United States | The simulations that Shadow Health delivers via our Service include Unity Analytics for analyzing technical and performance characteristics of our simulations |
| Zendesk, Inc. | United States | Shadow Health uses Zendesk to provide technical support to customers |
Your California Privacy Rights
In accordance with California's "Shine the Light" law, California Civil Code 1798.83, we will not share personal data of our users with third parties for the third parties' direct marketing purposes.
Children's Personal Information
Our Sites and Service are not intended for individuals under the age of sixteen (16). If you are under 16 years of age, you are not permitted to use our Sites and Service and should not provide Personal Data through the Sites or Service. If we become aware that an individual under 16 years of age has provided us with Personal Data, we will dispose of that data in accordance with the Children's Online Privacy Protection Act and other applicable laws and regulations. If you become aware that an individual under 16 years of age has provided us with Personal Data, please contact us at email@example.com and we will take reasonable steps to ensure that data is deleted.
Shadow Health, Inc
Attn: Data Protection Officer
201 SE 2nd Ave, Ste. 201
Gainesville, FL 32601, USA