Effective date of this Privacy Notice – January 01, 2022.
Summary of Changes:
This revision contains material changes to the data retention policy and minor changes to improve clarity,
readability, and more accurate description.
This Privacy Notice (the “Notice”) describes how ImPACT Applications, Inc. (the “Company”, “we”, “us”)
collects, stores, transmits, and protects any information that you give when you use any of the Company’s
products and services (each a “Service” and collectively, the “Services”). This Notice applies to all of your
uses of the Services and describes how your Personal Information* will be treated as you use the
*“Personal Information” is information that can be used on its own or with other information to
identify, contact, or locate a single person, or to identify an individual.
*“Medical device data” is information collected by the company’s Cognitive Testing
The Company is committed to ensuring that your privacy is protected. Should we ask you to provide certain
information by which you can be identified when using the Services, the information will only be used in
accordance with this Notice.
This Notice applies to the information collected and processed by the Company and/or on behalf of Health Care
Providers or Institutions (e.g., physician, school, sports club, etc.) through the following products and
services directly related to cognitive testing products:
- Cognitive Testing Applications: ImPACT, Cognitive Impairment Screener, and ImPACT Pediatric and ImPACT
Quick Test (both available through ImPACT Toolkit);
- Mobile Applications including ImPACT Toolkit that permit users to perform cognitive tests on mobile
devices, and ImPACT Passport App that allows the test takers to store their unique ID (ImPACT Passport
ID) and record symptoms; and
- ImPACT Customer Center web portal for professional users that enables the test results and information
collected through Cognitive Test Applications and Mobile Applications to be centrally accessed and
managed by healthcare providers or account
This Notice also describes how we collect and use information that customers provide to us in connection with:
- Creation or administration of ImPACT Applications accounts, which we refer to as “Account Information”.
For example, Account Information includes names, usernames, phone numbers, email addresses, and billing
information associated with a customer’s account;
- Training and Education products and services; and
- Information and promotional materials about our Products and Services provided via periodic
notifications or requested by visiting the Company sites.
What Information We Collect?
We collect only the minimum necessary information to provide the Services. Depending on the Service or your role
in receiving such Service (for example, we collect different information from an account administrator than from
a test taker), we may collect one or more of the following types of information:
- Contact information, such as name, email, and phone number.
- Payment and billing information, such as address, credit card, or bank account details (this information
will be encrypted and processed by accredited third party providers and will not be retained by the
Company upon successful completion of the transaction).
- Demographic information, such as age, gender, language preference, schools or sports clubs, and
- Health related information, such as symptoms, concussion history, and medical history related to
concussions, and cognitive test results.
- Training and education related data, such as session results, and times/dates of sessions.
- Company website related data, such as browser type and IP address.
How do we use your personal information?
We use your personal information to help us deliver products and services optimized for your needs, or to fulfill
contractual obligations, depending on the purpose for which we collected your personal information. This
- Providing updates regarding your account, such as details of reoccurring payments.
- Providing educational information to guide your use of the Services.
- Internal record keeping.
- To improve our Services.
- We may periodically send promotional emails to account administrators about new products, special offers
or other information, which we think you may find interesting using the email address which you have
provided. Note: when test takers provide their contact info during the test, this information is not
used for marketing and promotional communication.
- When you sign up, we may send you our promotional materials or offers via email. These will always
include an option to opt out of future such emails.
Disclosure and Sharing of Personal Information.
The Company will not disclose, move, access, or use Personal Information except as provided in the customer’s
agreement with the Company, or without your explicit
consent, or when the Company believes it is required to do so by law. However, we may collect and use aggregate,
de-identified (anonymized), or other information that does not identify you (“De-identified Information”) for
research or scientific purposes. For the purposes of research, we may include some of your data in scientific
studies. For example, to show how test scores generally relate to demographic information, such as age, gender,
or sport. If so, this data will be used anonymously, and not directly associated with you in any way.
We do not use or share personal information for any marketing purposes unrelated to the Services.
Choices You Have About Collection, Use, Correction, and Erasure of Your Personal Information
You have a right to be told what Personal Information we hold about you and any third parties we have disclosed
it to (with certain exceptions). You also have a right to provide us with corrections if you believe any of
your personal information is inaccurate. However, if personal information was collected through an organization
such as a school, sports team, a medical provider, etc., requests for access, amendments, or deletion should be
directed to the organization through which the data was originally collected.
Because the data generated by the Cognitive Testing Applications can only be used by a licensed healthcare
professional, the test takers will not be granted access to this data by the Company. Requests to view these
data should be directed to the healthcare professional.
All institutions and organizations using the Services to administer cognitive tests or collect related data
from test takers are required, as a condition of use or purchase of the Service, to agree in writing to adhere to the
The Company will retain test taker Personal Information collected and processed through cognitive testing
applications for 7 years unless you have a contract (e.g., Business Associate Agreement, Data Privacy Agreement)
specifying a different retention schedule. If there are any federal or state requirements that conflict with and
preempt either the Company’s default retention period or a retention period specified in a contract, we will
follow the statutory and/or regulatory requirements. If you request the deletion of your data entirely or in
part by submitting a written request to the Company’s Data Protection Officer (see contact information at the
end of this Notice), we will honor that request as long as we are allowed to do so under applicable law and
regulations. When Personal Information collected by cognitive testing applications reaches 7 years since the
date of creation, it will be deidentified, archived, and permanently removed from the company production
database following a review by legal and regulatory compliance departments to ensure the archiving process
follows applicable legal and contractual requirements.
The Company will retain Personal Information required to establish and maintain a customer account with the
Company for as long as you desire to maintain an active account. When an account becomes inactive, we’ll delete the
information two years after the account termination or five years since last activity (e.g., renewal).
Use of the Site by Children
Our Services are not directed to children under the age of 18. In accordance with local regulations (such as
COPPA, FERPA, and other state privacy and educational laws), the Company will not knowingly collect or accept
personally identifiable information from a child under the age of 18 without a parent’s or guardian’s prior
consent. The information collected from children under 18 through the cognitive testing and supporting
applications are intended only with the consent and under the supervision of a parent or guardian, or, in the
case of use through an institutional user, with the consent and supervision of such institutional user acting
with authority and consent from the parent or guardian. This information is not used for or shared with third
parties for marketing or commercial purposes.
Compliance with Law Enforcement
The Company will make any legally required disclosures of any breach of the security, confidentiality, or
integrity of your electronically stored personal data. The Company cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims, legal process (including subpoenas), to protect the property and rights of the Company or a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.
Cross-Border Processing and Transfer of Information
All Personal Information and health related data collected through cognitive testing and supporting applications
are stored in a secure location in compliance with local regulations governing cross-border data transfer. Data
collected from US users is stored in a datacenter located within the US, while data collected from our
international users is stored in a datacenter located in Canada.
Information collected through all other services or provided during customer support interactions will be
stored in the United States. When you provide personal information, you fully understand and unambiguously
consent to the transfer of your personal information to, and the collection and processing of such personal
information in the United States. For Services users who are residents of the United Kingdom, European Union,
and other European Economic Area nations, please be advised that while there is some uncertainty as to the scope
of the EU General Data Protection Regulation (GDPR) as applied to US-hosted Services such as ours, our
practices in handling personal information collected through the Services relating to residents of your
jurisdictions are designed to conform to the GDPR.
We are committed to ensuring that our customers are accessing applications securely. In order to prevent
unauthorized access or disclosure, we have put in place technical and organizational measures appropriate to the
risks to the information we collect. The following technical controls have been put in place to help protect
customers and meet compliance requirements.
- Data Protection
  - Secure Transmission and Storage of Data
    - Connection to the company applications and environment is via TLS cryptographic protocols ensuring
      that users have a secure encrypted connection.
    - All data is further encrypted while in transit and also when persisted “at rest”.
    - Data is transmitted across a secure connection.
  - Network Protection
    - Perimeter firewalls and edge routers block unused protocols.
    - Internal firewalls segregate traffic between the application and database tiers.
    - Intrusion detection sensors throughout the internal network report events to a security event
      management system for logging, alerts, and reports.
    - Periodic network scans to identify potential threats and alert to changes in baseline configuration.
    - Managed web application firewall service that monitors all network traffic destined for our
      applications, sending alerts to the Company’s security team while blocking the suspicious traffic.
  - Disaster Recovery
    - The system replicates customer data to a second datacenter on an hourly basis.
    - Data Recovery Time Objective: 24/48 hours (standard / extended).
  - Internal and Third-party Testing and Assessments
    - All Company Services are validated prior to public launch using documented software validation
      procedures to comply with medical device regulations and standards for software quality. Validation
      is built into the software development processes.
    - The Company tests its applications for security vulnerabilities, and regularly scans the Company’s
      network and systems for vulnerabilities. Third-party tools and services are used to assess software
      and infrastructure vulnerabilities regularly, including application vulnerability assessments,
      network vulnerability assessments, penetration testing and source code vulnerability review, and
      security control framework
  - Security Monitoring
The Company’s Information Security team monitors notifications from various sources and alerts from
internal systems to identify and manage threats.
- Company Personnel
- All Company employees must abide by this Notice and internal privacy policies and those who violate them
are subject to disciplinary action, up to and including termination. All employees are required to sign
non-disclosure agreements and are required to complete ongoing security training throughout the year.
- Physical Security
- The Company’s system is hosted with trusted data center partners who maintain ISO 27001 and/or SOC 2 Type II
compliance. Physical access is strictly controlled both at the perimeter and at building access points by
professional security staff utilizing video surveillance, intrusion detection systems, and other electronic
systems. Authorized staff must pass two-factor authentication a minimum of two times to access data center
floors. All visitors and contractors are required to present identification and are signed in and continually
escorted by authorized staff.
Additionally, these data center facilities provide: automatic fire detection and suppression equipment,
redundant data center electrical power systems, climate control to maintain a constant operating
temperature for servers and other hardware; continuous monitoring of electrical, mechanical, and life support
systems and equipment, and secure storage device decommissioning.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. The file is added,
and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web
applications to respond to you as an individual. The web application can tailor its operations to your needs,
likes and dislikes by gathering and remembering information about your preferences.
The Company uses traffic log cookies to identify which pages are being used. This helps the Company analyze data
about web page traffic and improve the Company Websites in order to tailor them to customer needs. The Company
only uses this information for statistical analysis purposes. Overall, cookies help the Company provide
you with a better website, by enabling the Company to monitor which pages you find useful and which you do not.
A cookie in no way gives the Company access to your computer or any information about you.
settings to decline cookies if you prefer. You can learn more about cookies, and how to control or delete cookies at http://www.aboutcookies.org.
When you participate in various social media forums like Facebook and Twitter, you should be familiar with and
Additionally, depending on the choices you have made regarding your settings on these social media sites, certain personal data may be shared with the Company about your online activities and social media profiles, which the Company may use to contact you or advertise Company’s Services.
California Residents – Your California Privacy Rights
The Company does not permit third parties to collect personal information about an individual’s online activities
over time and across different Websites when an individual uses Company Services or visits Company Websites; and therefore, does not respond to Do Not Track (“DNT”) signals.
If you are a California resident and would like to request the identity of any third parties to whom the
Company has disclosed personal information for the third parties’ direct marketing purposes within the previous calendar year, along with the type of personal information disclosed, please submit your request in writing to email@example.com.
When you use the Services, we will inform you what personal information is necessary to receive the Services.
You may withdraw consent for future processing or communications at any time, and you may lodge a complaint with the data protection supervisory authority in your country of residence if you believe that our processing has violated the law. You may contact our Data Protection Officer at the address listed in Contact below, or our European Representative. We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to firstname.lastname@example.org. BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Middleton Co. Cork, Ireland. Company number 635921.
UK Representative under Article 27 of GDPR
We have appointed UK Rep Ltd as our Representative under Article 27 of the UK General Data Protection Regulation
as set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations
2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, and any amendment or restatement thereof (“UK GDPR”).
All UK GDPR queries from UK Data Subjects or Data Protection authorities should be addressed to
email@example.com. UK Rep Ltd is a company registered in the United Kingdom of Great Britain and Northern Ireland (hereinafter “the UK”) with registered number NI677214, whose registered address is at 80/81, Ebrington Square, Derry, Derry, BT47 6FA, NORTHERN IRELAND.
Privacy Notice Updates
We may occasionally update this Notice. When we do, we will also revise the “Effective Date” at the top of this
page. For material changes to this Notice, we will notify you either by placing a prominent notice on the Company Websites or the Customer Center, or by sending you a notification directly. Your continued use of the Services constitutes your agreement to this Notice and any updates.
If you have any questions about this Notice, your rights or any other aspects of your privacy and how we are collecting, using, protecting, and/or disclosing the personal information we collect, or need assistance submitting a complaint to a data protection supervisory authority (regional government agency) please contact us at:
Attn: Data Protection Officer
ImPACT Applications, Inc.
2140 Norcor Avenue, Suite 115
Coralville, IA 52241