Privacy Policy

Privacy Policy

Effective date: May 25th, 2018

Last updated: June 18th, 2018

Who we are and the scope of this policy

We are Shadow Health, Inc., a company incorporated in Florida, United States. In this Privacy Policy we may be referred to as "Shadow Health", "we", "our", or "us". We are a developer of educational simulation products.

We own and operate all websites under the domain of shadowhealth.com, referred to as "Sites" in this policy. We also own and operate a web platform we use to deliver our simulation products to our users, including https://app.shadowhealth.com, referred to as the "Service." If you intend to use the Service, please additionally review the Terms of Service.

In this Privacy Policy we sometimes refer to "you" or "You". You may be a visitor of one of our Sites, a user of the Service, or a customer or potential customer who is contacted by us. This policy does not apply to third-party websites, products, or services, even if they link to our Sites or Service.

What data we collect from you and how we use it

We take the protection of your data very seriously and have made every effort to be compliant with the European Union's General Data Protection Regulation ("GDPR"). Under the terms of the GDPR, we are the "controller" of the data we collect from you.

Personal Data. We collect "Personal Data", data that identifies, or could reasonably be used to identify, an individual. Personal Data we may collect includes contact information, such as name, email address, and phone number. We do not collect special categories of Personal Data as defined by the GDPR as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation."

Usage Data. We collect "Usage Data" that is created through your use of our Sites or Service. This may include non-personally identifiable information about the browser and computer you use to access the Sites or Service, as well as log data and data input by registered users of the Service in the course of their use of the Service.

The data that we collect from you depends on your relationship with us. Sometimes we ask you for data directly, such as when you create an account on the Service. Other times we collect data by recording interactions with our Sites and Service by, for example using technologies such as cookies and JavaScript. The collection and processing of data from these sources is essential to our ability to provide our Sites and Service and to keep the Sites and Service secure.

To learn more about cookies that may be used on our Sites and Service, and to learn how you can control our use of cookies, please see our Cookies Policy. As there is presently no industry standard for recognizing Do Not Track browser signals, we do not take any action with regards to potential Do Not Track signals.

Data collected as a visitor to our Sites

When you visit our Sites or visit our Service as an unauthenticated user (you have not created an account or logged in), we collect Usage Data to improve our Sites and Service. We do not collect Personal Data unless you provide us this data for a specific purpose.

Personal Data

Our Sites include various contact and request forms which visitors may complete in order to be contacted about specific products or services offered. When you provide your Personal Data by completing one of these forms, we will always disclose for what purpose the data will be used, for example to schedule a product demonstration, and ask for your consent to collect and process this data.

Usage Data

We also collect non-personally identifiable data, including page load times, URL that referred you to the service, browser and operating system vendor and version, screen resolution, and approximate IP address as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Sites.

Data collected as a registered user of the Service

When you create an account with Shadow Health at https://app.shadowhealth.com and accept the Terms of Service you enter into a contract with Shadow Health. In order to enter into this contract we require that you provide us with certain Personal Data.

Your institution may offer the ability to create an account with Shadow Health directly through your institution's learning management system or other website. If you use this mechanism to create an account with Shadow Health, your institution will provide us with the Personal Data required enter into the contract. You will additionally be required to accept the Terms of Service upon creating an account.

Whether you create your Shadow Health account yourself or through your institution, for the performance of our contract with you, we will collect Usage Data when you access the Service as a registered user.

Personal Data

When you create an account we require that you, or your institution, provide us with your first and last name and email address, to secure and maintain your account and provide you with a mechanism for authenticating with the Service. We also use this data, along with your phone number if you choose to provide it, to provide you with customer support when you request it.

When you purchase or redeem a "bookstore code" for a product license, we require that you provide us with a "course PIN" to identify the course in which you will use the product. This links your account to the product license and to your institution's course within our Service.

If you purchase a product license from a re-seller, such as your institution's bookstore, the bookstore may provide us with your name and email address so that we can prevent redemption of fradulent bookstore codes.

If you are purchasing the product license with a credit card, we require that you provide your payment information. When you provide the payment information it is provided directly to our third-party payment processor, and you are subject to that payment processor's privacy policy and terms of use. Shadow Health receives only a non-personally identifiable token to indicate the success of the payment transaction.

If you choose to contact our customer support at support@shadowhealth.com or https://support.shadowhealth.com, you will be asked to provide your name and phone number or email address in order to confirm your identify and allow our support agents to view your account data as necessary to provide support.

As part of your use of the Service, we may ask you to complete surveys to measure the effectiveness of our products and assist you with continued use of the products in your course(s). The surveys will not ask for additional Personal Data, but your survey responses will be linked with your account.

Usage Data

When you login to your account we record the IP address from which you accessed the Service. When you perform actions within the Service, such as viewing your course or assignments, we capture log data, including the URL accessed and the IP address it was accessed from. We use this data to audit and maintain the security of your data and account.

When you use our simulation products, for example by attempting an assignment, we collect data input by you during the simulation, such as questions you ask our virtual patients and documentation you enter in the virtual patient's chart. This data is used to provide you and your course faculty with a record of your performance in the simulations.

We also collect non-personally identifiable data, including page load times, URL that referred you to the service, browser and operating system vendor and version, processor vendor and version, video card vendor and version, available memory, screen resolution, and device identifiers as part of our legitimate interest to ensure the security of our systems, identify usage trends, and improve the Service.

Data collected as a re-seller of our products

We provide a Site for those who re-sell licenses for our products, such as university bookstores, to manage their stock of Shadow Health product licenses. This Site is only intended to be accessed by re-sellers who have contracted with us. To do so, contact bookstore@shadowhealth.com.

Personal Data

From registered users of our bookstore Site we collect first and last name, email address, and affiliated institution. We may also collect the same information for the bookstore billing contact, if this is not the same person as the registered user. We collect this data for the performance of our contract with your organization, to secure and maintain an account and provide the user a mechanism for authenticating with our bookstore Site.

Usage Data

From visitors to our bookstore Site we collect non-personally identifiable data, including page load times, browser and operating system vendor and version, and approximate IP address as part of our legitimate interest to ensure the security of and improve the performance of the bookstore Site.

Data collected as a prospective customer

We may contact prospective customers to determine their interest in our products and services. When we do this the individual will be told what Personal Data we have collected, why we are contacting them, and how they can opt-in or opt-out of further contacts. We will always ask for and receive consent from you, as a prospective customer, when we collect your data in order to contact you about products or services in which you have expressed interest.

Personal Data

If you have provided your contact information (name, email address, phone number, institutional affiliation) in a request for a product demonstration, instructional design consult, product training, or other reason for contact, we will store this data and process it only to fulfill that request. If you feel that you have been contacted in error, please use the "unsubscribe" link in email contact or email us at support@shadowhealth.com.

Other cases in which we collect or process data

We may also be required to collect or process data due to legal obligations, including responding to an individual's data-rights request or complying with a legal order.

How long we keep your data

When we collect your Personal Data, we will maintain and store it for as long as we determine reasonably necessary to provide the Sites and Service to you, unless you exercise your right to erasure described below, or to comply with applicable legal requirements.

Your rights to access and control your information

Shadow Health does not use automated decision making technologies.

There is no charge for any of the requests referenced in this section. For any such request please contact us by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request, by email to privacy@shadowhealth.com or by mail to:

    Shadow Health, Inc
    Attn: Data Protection Officer
    201 SE 2nd Ave, Ste. 201
    Gainesville, FL 32601, USA

We will endeavor to respond to such requests in a timely manner, but in no event longer than one month from receipt of your request.

Right to access and obtain a copy of Personal Data

You have a right to access and obtain a copy of the Personal Data we hold about you. If you are a registered user of our Service, this data is available to you via logging in to the secure portal provided by the Service, e.g. https://app.shadowhealth.com.

Right to accurate information

Registered users of our Service have access to a profile page, on which they are able to edit personal information so that it is accurate. In order to prevent transfer of accounts, in violation of our Terms of Services, we require contacting our Customer Support in order to edit some pieces of information. You can do so by emailing support@shadowhealth.com or calling (800) 860-3241.

Right to object

If we have collected your Personal Data by asking your consent or in our legitimate interests, you have the right to object to the processing of the data. For example, if you are faculty at an institution which uses one of our products, and we have contacted you to determine your interest in using another of our products, you may object to further contact. We may provide an opt-out or unsubscribe link in email contacts for this purpose. You may also object or withdraw consent by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.

Right to erasure

If we have collected your Personal Data by asking for your consent, you have the right to withdraw that consent and request erasure of that data. If we have collected your Personal Data in order to enter into or for the performance of a contract, you may request erasure of your data. In this case erasure of your data will constitute termination of your contract and all accounts and licenses with us. You may request erasure by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.

Right to data portability

If we have collected your Personal Data by asking your consent or for the performance of a contract, you have the right to request a copy of your data in a machine readable format. This data only includes the data which you provided to us; it does not include any data which we own which we may have combined with your data. For example if you are a registered user of the Service, your data includes the questions you have asked virtual patients in our simulation products; your data does not include the responses the virtual patients provided. You can request a copy of your data by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.

Right to restrict processing

If you have contested the accuracy of Personal Data which we have collected from you, or if you have objected to processing of your Personal Data, you also have the right to restrict further processing of your data, including erasure. You can request restriction of processing by completing this form: https://www.surveygizmo.com/s3/4371871/Shadow-Health-Data-Rights-Request.

Right to file a complaint

If you are a resident of the European Union or located in the European Economic Area ("EEA") at time of data collection and you believe our processing of your Personal Data to be in violation of GDPR, you have the right to lodge a complaint with the Supervisory Authority of your Member State.

How we secure your data

We comply with applicable laws to provide an adequate level of data protection for the transfer of Personal Data, including encryption of data in-transit using TLS and encryption of Personal Data at-rest. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. Although we apply commercially reasonable security practices to protect your Personal Data, we cannot guarantee the security of data you transmit to us, and you use our Sites or Service and provide us with your data at your own risk. If you believe that the security of your account with Shadow Health has been compromised, please contact support@shadowhealth.com immediately.

Where we store and transfer your personal data

Shadow Health's business operations are based in the United States. Data we collect, including Personal Data, may be stored and processed in any country in which we have operations or in which we engage third-party processors. Data that is collected within the EEA may be transferred to, and stored at, a destination outside the EEA, including the United States.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

Shadow Health, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Shadow Health, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Shadow Health, Inc. commits to resolve complaints about our collection or use of your personal information. European Union and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Shadow Health, Inc. at privacy@shadowhealth.com or by mail to:

    Shadow Health, Inc
    Attn: Data Protection Officer
    201 SE 2nd Ave, Ste. 201
    Gainesville, FL 32601, USA

Shadow Health, Inc. has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact JAMS or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. If your concern continues to be unresolved, you may pursue binding arbitration through the Privacy Shield Arbitration Panel. To learn more about the Privacy Shield Panel, click here.

The Federal Trade Commission has jurisdiction over Shadow Health, Inc.'s compliance with the Privacy Shield.

As explained here we sometimes share Personal Data with third parties to process the data on our behalf. If we transfer Personal Data received under the Privacy Shield to a third party, the third party's access, use, and disclosure of the personal data must also be in compliance with our Privacy Shield obligations, and we will remain liable under the Privacy Shield for any failure to do so by the third party unless we prove we are not responsible for the event giving rise to the damage.

How we share your personal data and why

Shadow Health does not sell or rent Personal Data to marketers or unaffiliated third parties.

We share your Personal Data with trusted third parties including our contracted data processors.

If you are a registered student user of the Service, your Personal Data and certain Usage Data, such as your scores on assignments taken within the Service, are shared with authorized course faculty at your institution so that they may evaluate and incorporate your use of the Service into your course credit or grade. We also share your Personal Data and Usage Data with authorized course faculty at your institution when you violate our Terms of Service or to resolve academic honesty disputes.

To the fullest extent permitted by applicable law, we may also disclose your data if we believe in good faith that doing so is necessary or appropriate to protect or defend the rights, safety, or property of Shadow Health, or to comply with legal and regulatory obligations, such as law enforcement inquiries, subpoenas, and court orders. To the fullest extent permitted by applicable law, we have sole discretion in electing to make or not make such disclosures.

Who we contract with to process your data and why

We contract with third-party processors to process the data we collect. We contract only with processors whose privacy and security policies meet a high standard and who provide an EU General Data Processing Regulation-compliant mechanism for international data transfer, such as a Data Processing Agreement with the EU Model Clauses and/or EU-U.S and Swiss-U.S. Privacy Shield certification.

The following is an up-to-date list (as of the date of this policy) of the names and locations of our processors and our purpose for contracting with them to process data.

Processor Countries in which Processing is Peformed Purpose for Contracting
Acuity Scheduling, Inc. United States Shadow Health uses Acuity for scheduling faculty consults and beta testers
Amazon Web Services, Inc. United States Amazon Web Services provides computing and storage infrastructure for Shadow Health's Services
Google LLC United States, Ireland Shadow Health uses Google Analytics 360 to analyze traffic to our Sites and Service so we may enhance, modify, and improve our Sites and Service. Shadow Health uses G-Suite for email and document storage.
Mouseflow, Inc. United States, Denmark Shadow Health uses Mouseflow to analyze usage data of our Sites and Service to determine the effectiveness of and to further develop our Sites and Service
New Relic, Inc. United States Shadow Health uses New Relic to monitor the security and performance of our Service
Rapid7 United States, Ireland Shadow Health uses Rapid7 for logging usage data of the Service
salesforce.com, Inc. (SFDC) United States Shadow Health uses SFDC to market our Service to prospective institutional customers and to manage relationships with current institutional customers
SendGrid, Inc. United States Shadow Health uses SendGrid to send transactional emails to users of our Service, e.g. to reset their password, and to contact potential and existing customers to provide them updates on our product offerings
Sendible Limited United States, UK Shadow Health uses Sendible to contact visitors to our Sites who have requested to be contacted, e.g. to schedule a product demonstration
Stripe, Inc. United States, Ireland Shadow Health contracts with Stripe to provide PCI compliant processing of payment data for customers purchasing our products
SurveyGizmo / Widgix, LLC United States, Canada, Germany Shadow Health uses SurveyGizmo to provide asynchronous support and training to customers and to survey users of our Service in order to measure the effectiveness of the Service
SurveyMonkey, Inc. United States Shadow Health uses SurveyMonkey to survey customers and potential customers on an opt-in basis to determine the effectiveness of and to further develop our products
Unity Technologies ApS United States The simulations that Shadow Health delivers via our Service include Unity Analytics for analyzing technical and performance characteristics of our simulations
Zendesk, Inc. United States Shadow Health uses Zendesk to provide technical support to customers

Your California Privacy Rights

In accordance with California's "Shine the Light" law, California Civil Code 1798.83, we will not share personal data of our users with third parties for the third parties' direct marketing purposes.

Children's Personal Information

Our Sites and Service are not intended for individuals under the age of sixteen (16). If you are under 16 years of age, you are not permitted to use our Sites and Service and should not provide Personal Data through the Sites or Service. If we become aware that an individual under 16 years of age has provided us with Personal Data, we will dispose of that data in accordance with the Children's Online Privacy Protection Act and other applicable laws and regulations. If you become aware that an individual under 16 years of age has provided us with Personal Data, please contact us at support@shadowhealth.com and we will take reasonable steps to ensure that data is deleted.

Business Transfer

In the event of a sale, merger, or similar transaction, your Personal Data may be transferred as part of that transaction. This Privacy Policy will apply to your Personal Data as transferred to the new entity.

Updates to this Privacy Policy

We may revise this Privacy Policy from time to time. The most current version of the policy will govern our processing of your Personal Data and will always be available at https://shadowhealth.com/privacy.html.

When we revise the Privacy Policy, any changes will be effective immediately upon the posting of the revised Privacy Policy. Registered users of the Service will be prompted to consent to the updated version when accessing their Shadow Health account for the first time after a policy change. By continuing to access or use our Sites or Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

Contact Us

Questions, comments, and requests regarding this privacy policy are welcomed and should be addressed to our Data Protection Officer at privacy@shadowhealth.com or by mail at:

    Shadow Health, Inc
    Attn: Data Protection Officer
    201 SE 2nd Ave, Ste. 201
    Gainesville, FL 32601, USA