1. Home
  2. Privacy Notice

Privacy Notice

Effective date of this Privacy Notice – January 01, 2022.

Summary of Changes:

This revision contains material changes to the data retention policy and minor changes to improve clarity,
readability, and more accurate description.

This Privacy Notice (the “Notice”) describes how ImPACT Applications, Inc. (the “Company”, “we”, “us”)
collects,stores, transmits, and protects any information that you give when you use any of the Company’s
products andservices (each a “Service” and collectively, the “Services”). This Notice applies to all of your
uses of the Services and describes how your Personal Information* will be treated as you use the
Services.

*”Personal Information” is information that can be used on its own or with other information to
identify, contact, or locate a single person, or to identify an individual.

*”Medical device data” is information collected by the company’s Cognitive Testing
Applications
.

The Company is committed to ensuring that your privacy is protected. Should we ask you to provide certain
information by which you can be identified when using the Services, the information will only be used in
accordance with this Notice.

This Notice applies to the information collected and processed by the Company and/or on behalf of Health Care
Providers or Institutions (e.g., physician, school, sports club, etc.) through the following products and
services directly related to cognitive testing products:

  • Cognitive Testing Applications: ImPACT, Cognitive Impairment Screener, and ImPACT Pediatric and ImPACT
    Quick Test (both available through ImPACT Toolkit);
  • Mobile Applications including ImPACT Toolkit that permit users to perform cognitive tests on mobile
    devices, and ImPACT Passport App that allows the test takers to store their unique ID (ImPACT Passport
    ID) and record symptoms; and
  • ImPACT Customer Center web portal for professional users that enables the test results and information
    collected through Cognitive Test Applications and Mobile Applications to be centrally accessed and
    managed by healthcare providers or account
    administrators.

This Notice also describes how we collect and use information that customers provide to us in connection with:

  • Creation or administration of ImPACT Applications accounts, which we refer to as “Account Information”.
    For example, Account Information includes names,usernames, phone numbers, email addresses, and billing
    information associated with a customer’s account;
  • Training and Education products and services; and
  • Information and promotional materials about our Products and Services provided via periodic
    notifications or requested by visiting the Company sites.

What Information We Collect?

We collect only the minimum necessary information to provide the Services. Depending on the Service or your role
in receiving such Service (for example, we collect different information from an account administrator than from
a test taker), we may collect one or more the following types of information:

  • Contact information, such as name, email, and phone number.
  • Payment and billing information, such as address, credit card, or bank account details (this information
    will be encrypted and processed by accredited third party providers and will not be retained by the
    Company upon successful completion of the transaction).
  • Demographic information, such as age, gender, language preference, schools or sports clubs, and
    education.
  • Health related information, such as symptoms, concussion history, and medical history related to
    concussions, and cognitive test results.
  • Training and education related data, such as session results, and times/dates of sessions.
  • Company website related data, such as browser type and IP address.

How do we use your personal information?

We use your personal information to help us deliver products and services optimized for your needs, or to fulfill
contractual obligations, depending on the purpose for which we collected your personal information. This
includes:

  • Providing updates regarding your account, such as details of reoccurring payments.
  • Providing educational information to guide your use of the Services.
  • Internal record keeping.
  • To improve our Services.
  • We may periodically send promotional emails to account administrators about new products, special offers
    or other information, which we think you may find interesting using the email address which you have
    provided. Note: when test takers provide their contact info during the test, this information is not
    used for marketing and promotional communication.
  • When you sign up, we may send you our promotional materials or offers via email. These will always
    include an option to opt out of future such emails.

Disclosure and Sharing of Personal Information.

The Company will not disclose, move, access, or use Personal Information except as provided in the customer’s
agreement with the Company, or without your explicit
consent, or when the Company believes it is required to do so by law. However, we may collect and use aggregate,
de-identified (anonymized), or other information that does not identify you (“De-identified Information”) for
research or scientific purposes. For the purposes of research, we may include some of your data in scientific
studies. For example, to show how test scores generally relate to demographic information, such as age, gender,
or sport. If so, this data will be used anonymously, and not directly associated with you in any way.

We do not use or share personal information for any marketing purposes unrelated to the Services.

Choices You Have About Collection, Use, Correction, and Erasure of Your Personal Information

You have a right to be told what Personal Information we hold about you and any third parties we have disclosed
it with (with certain exceptions). You also have a right to provide us with corrections if you believe any of
your personal information is inaccurate. However, if personal information was collected through an organization
such as school, sports team, a medical provider, etc., requests for access, amendments, or deletion should be
directed to the organization through which the data was originally collected.

Because the data generated by the Cognitive Testing Applications can only be used by licensed healthcare
professional, the test takers will not be granted access to this data by the Company. Requests to view these
data should be directed to the healthcare professional.

All institutions and organizations using the Services to administer cognitive tests or collect related data
from test takers, are required, as a condition of use or purchase Service, to agree in writing to adhere to the
Terms of Use, including this Notice, and to obtain appropriate
consent.

Retention

The Company will retain test taker Personal Information collected and processed through cognitive testing
applications for 7 years unless you have a contract (e.g., Business Associate Agreement, Data Privacy Agreement)
specifying a different retention schedule. If there is any federal or state requirements that conflict with and
preempt either the Company’s default retention period or a retention period specified in a contract, we will
follow the statutory and/or regulatory requirements. If you request the deletion of your data entirely or in
part by submitting a written request to the Company’s Data Protection Officer (see contact information at the
end of this Notice), we will honor that request as long as we are allowed to do so under applicable law and
regulations. When Personal Information collected by cognitive
testing applications reaches 7 years since the date of creation, it will be deidentified, archived, and
permanently removed from the company production database following a review by legal and regulatory compliance
departments to ensure archiving process follows applicable legal and contractual requirements.

The Company will retain Personal Information required to establish and maintain a customer account with the
Company for as long as you desire to maintain an active account. When account becomes inactive, we’ll delete the
information two years after the account termination or five years since last activity (e.g., renewal).

Use of the Site by Children

Our Services are not directed to children under the age of 18. In accordance with local regulations (such as
COPPA, FERPA, and other state privacy and educational laws), the Company will not knowingly collect or accept
personally identifiable information from a child under the age of 18 without a parent’s or guardian’s prior
consent. The information collected from children under 18 through the cognitive testing and supporting
applications are intended only with the consent and under the supervision of a parent or guardian, or, in the
case of use through an institutional user, with the consent and supervision of such institutional user acting
with authority and consent from the parent or guardian. This information is not used for or shared with third
parties for marketing or commercial purposes.

Compliance with Law Enforcement

The Company will make any legally required disclosures of any breach of the security, confidentiality, or
integrity of your electronically stored personal data. The Company cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims, legal process (including subpoenas), to protect the property and rights of the Company or a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.

Cross-Border Processing and Transfer of Information

All Personal Information and health related data collected through cognitive testing and supporting applications
are stored in secure location in compliance with local regulations governing cross-border data transfer. Data
collected from US users is stored in a datacenter located within the US, while data collected from our
international users is stored in a datacenter located in Canada.

Information collected through all other services or provided during customer support interactions will be
stored in the United States. When you provide personal information, you fully understand and unambiguously
consent to the transfer of your personal information to, and the collection and processing of such personal
information in the United States. For Services users who are residents of the United Kingdom, European Union,
and other European Economic Area nations, please be advised that while there is some uncertainty as to the scope
of the EU General Data Protection Regulation (GDPR) as applied to US-hosted Services such as ours, our
practices in handling personal information collected through the Services relating to residents of your
jurisdictions are designed to conform to the GDPR.

Data Security

We are committed to ensuring that our customers are accessing applications securely. In order to prevent
unauthorized access or disclosure, we have put in place technical and organizational measures appropriate to the
risks to the information we collect. The following technical controls have been put in place to help protect
customers and meet compliance requirements.

    Data Protection

      Secure Transmission and Storage of Data

      • Connection to the company applications and environment is via TLS cryptographic protocols ensuring
        that users have a secure encrypted connection.
      • All data is further encrypted while in transit and also when persisted “at rest”.
      Network Protection

      • Data is transmitted across a secure connection.
      • Perimeter firewalls and edge routers block unused protocols.
      • Internal firewalls segregate traffic between the application and database tiers.
      • Intrusion detection sensors throughout the internal network report events to a security event
        management system for logging, alerts, and reports.
      • Periodic network scans to identify potential threats and alert to changes in baseline configuration.
      • Managed web application firewall service that monitors all network traffic destined for our
        applications, sending alerts to the Company’s security team while blocking suspicious the traffic
      Disaster Recovery

      • The system replicates customer data to a second datacenter on an hourly basis.
      • Data Recovery Time Objective: 24/48 hours (standard / extended).
      Internal and Third-party Testing and Assessments

      • All Company Services are validated prior to public launch using documented software validation
        procedures to comply with medical device regulations and standards for software quality. Validation
        is built into the software development processes.
      • The Company tests its applications for security vulnerabilities, and regularly scans the Company’s
        network and systems for vulnerabilities. Third-party tools and services are used to assess software
        and infrastructure vulnerabilities regularly, including, application vulnerability assessments,
        network vulnerability assessments, penetration testing and source code vulnerability review, and
        security control framework
      Security Monitoring

        The Company’s Information Security team monitors notifications from various sources and alerts from
        internal systems to identify and manage threats.
    Company Personnel

      All Company employees must abide by this Notice and internal privacy policies and those who violate them
      are subject to disciplinary action, up to and including termination. All employees are required to sign
      non-disclosure agreements and are required to complete ongoing security training throughout the year.
    Physical Security

      The Company’s system is hosted with trusted data center partners who maintain ISO 27001 and/or SOC 2 Type II
      compliance. Physical access is strictly controlled both at the perimeter and at building access points by
      professional security staff utilizing video surveillance, intrusion detection systems, and other electronic
      systems. Authorized staff must pass two-factor authentication a minimum of two times to access data center
      floors. All visitors and contractors are required to esent identification and are signed in and continually
      escorted by authorized staff.

      Additionally, these data center facilities provide: automatic fire detection and suppression equipment,
      redundant data center electrical power systems, climate control to maintain a constant operating
      temperature for servers and other hardware; continuous monitoring of electrical, mechanical, and life support
      systems and equipment, and secure storage device decommissioning.

Use of Cookies and Tracking Technology.

The Company uses cookies to track your activity on the Company Websites.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. The file is added,
and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web
applications to respond to you as an individual. The web application can tailor its operations to your needs,
likes and dislikes by gathering and remembering information about your preferences.

The Company uses traffic log cookies to identify which pages are being used. This helps the Company analyze data
about web page traffic and improve the Company Websites in order to tailor it to customer needs. The Company
only uses this information for statistical analysis purposes. Overall, cookies help the Company provide
you with a better website, by enabling the Company to monitor which pages you find useful and which you do not.
A cookie in no way gives the Company access to your computer or any information about you.

By visiting Company Websites, you are giving your consent to the use of cookies, but you can modify your browser
settings to decline cookies if you prefer. You can learn more about cookies, and how to control or delete cookies at http://www.aboutcookies.org.

Social Media

When you participate in various social media forums like Facebook and Twitter, you should be familiar with and
understand the tools provided by those sites that allow you to make choices about how you share the personal data in your social media profile(s). The Company bound by the privacy policies of these third parties, so we encourage you to read the applicable privacy notices, terms of use and related information about how your personal data is used in these social media platforms.

Additionally, depending on the choices you have made regarding your settings on these social media sites, certain personal data may be shared with the Company about your online activities and social media profiles, which the Company may use to contact you or advertise Company’s Services.

California Residents – Your California Privacy Rights

The Company does not permit third parties to collect personal information about an individual’s online activities
over time and across different Websites when an individual uses Company Services or visits Company Websites; and therefore, does not respond to Do Not Track (“DNT”) signals.

If you are a California resident and would like to make a request, the identity of any third parties to whom the
Company has disclosed personal information for the third parties’ direct marketing purposes, within the previous calendar year, along with the type of personal information disclosed please submit your request in writing to privacy@impacttest.com.

European Residents

When you use the Services, we will inform you what personal information are necessary to receive the Services.
You may withdraw consent for future processing or communications at any time, and you may lodge a complaint with the data protection supervisory authority in your country of residence if you believe that our processing has violated the law. You may contact our Data Protection Officer at the address listed in Contact below, or our European Representative. We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to eurep@bizlegal.eu. BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Middleton Co. Cork, Ireland. Company number 635921.

UK Representative under Article 27 of GDPR

We have appointed UK Rep Ltd as our Representative under Article 27 of the UK General Data Protection Regulation
as set out in (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations
2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments
etc) (EU Exit) Regulations 2020, and any amendment or restatement thereof (“UK GDPR”).

All UK GDPR queries from UK Data Subjects or Data Protection authorities should be addressed to
privacy@ukrepltd.co.uk. UK Rep Ltd is a company
registered in the United Kingdom of Great Britain and Northern Ireland (hereinafter “the UK”) with registered
number NI677214, whose registered address is at 80/81, Ebrington Square, Derry, Derry, BT47 6FA, NORTHERN IRELAND.

Privacy Notice Updates

We may occasionally update this Notice. When we do, we will also revise the “Effective Date” at the top of this
page. For material changes to this Notice, we will notify you either by placing a prominent notice on the Company Websites or the Customer Center, or by sending you a notification directly. Your continued use of the Services constitutes your agreement to this Notice and any updates.

Contact

If you have any questions about this Notice, your rights or any other aspects of your privacy and how we are collecting, using, protecting, and/or disclosing the personal information we collect, or need assistance submitting a complaint to a data protection supervisory authority (regional government agency) please contact us at:

Attn: Data Protection Officer

ImPACT Applications, Inc.

2140 Norcor Avenue, Suite 115

Coralville, IA 52241

privacy@impacttest.com