Privacy, Use, and Disclosure Policy (HIPAA)

Neuroscience Innovations

Last Updated: August 15th, 2024

____________________________________________________________________________

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations provide restrictions on the use and disclosure of protected health information (PHI).

Purpose

This policy specifies the responsibilities, requirements, and procedures for the safeguarding, use, and disclosure of protected health information (PHI) transmitted or maintained in any form or medium (electronic or otherwise) by Neuroscience Innovations and its members. 

Neuroscience Innovations (“we” or “us”) provides an all-in-one concussion application and platform (Oculabs.com) designed to revolutionize the management of mild traumatic brain injuries (mTBIs). With Oculabs, providers can seamlessly assess and monitor patients remotely, empowering both patients and providers in the journey towards recovery. We refer to Patients and Organizations as our “Customers.” We help our Customers enhance concussion protocol assessment and reporting. We collect and process such information solely on behalf of and as directed by our Customers, in accordance with our agreements with them, and subject to applicable laws, this Privacy Policy does not apply to information collected by our Customers. Our Customers control and are responsible for correcting, deleting, or updating information they have collected using our products and services.

Privacy Notice

Neuroscience Innovations’s privacy notice will include:

  • Uses and disclosures of PHI that may be made by Neuroscience Innovations;

  • Individual’s rights under the HIPAA privacy rules;

  • Neuroscience Innovations’s legal duties with respect to the PHI;

  • Notification of access to PHI in connection with administrative functions;

  • Complaint procedures; and,

  • Other information as required by the HIPAA privacy rules.

Neuroscience Innovations will deliver or make available the privacy notice to appropriate individuals:

  • Upon request

  • Within 60 days after a material change to the notice

  • At least once every three years in compliance with the HIPAA Privacy Rule.

This Privacy Policy applies to: 

  • Websites operated by us from which you are accessing this Privacy Policy; 

  • Our platform Oculabs.com;

  • Our mobile application (Oculabs), which you may download and use, or any other application of ours that links to this privacy notice;

  • Customer business or organization contact information and related details, which we may receive, for example, through our Websites or apps; 

  • Our social media pages such as Facebook, Instagram, LinkedIn and X;

  • HTML-formatted email messages that we send to you that link to this Privacy Policy or other communications with you; and

  • Offline interactions you have with us, including sales, marketing, or events.

Collectively, we refer to our websites, apps, social media pages, emails and other communications, and offline interactions as the “Services.” 

PERSONAL INFORMATION YOU PROVIDE

“Personal Information” is information that is reasonably capable of identifying you as an individual or that relates to an identifiable individual. We collect PHI, including:

  • Name

  • Telephone number

  • Gender

  • Sex

  • Pronouns

  • Phone number

  • Date of birth

  • Email address

  • Patient image

  • Sports patients are active in

  • Education information

  • Emergency contact name

  • Emergency contact phone number

  • Emergency contact email address

  • Provider name

  • IP address (from which we may also derive your approximate location, with your permission)

  • Information you provide when you respond to our surveys, calendar entries, photos, and other information from your device, with your consent

  • Other information that the patient may choose to provide   

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission: 

  • Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device's calendar, camera, sensors, SMS messages, and other features. If you wish to change our access or permissions, you may do so in your device's settings. This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.

  • All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information. 

Consent to Collection, Use, and Disclosure 

We collect, use, and disclose your Personal Information with your consent or as permitted or required by law.  How we obtain your consent (i.e., the form we use) will depend on the circumstances, as well as on the sensitivity of the Personal Information collected.  Subject to applicable laws, your consent may be express or implied, depending on the circumstances and the sensitivity of the Personal Information in question.  If you choose to provide Personal Information to us, we assume that you consent to the collection, use, and disclosure of your Personal Information as outlined in this Privacy Policy.

Typically, we will seek your consent at the time your Personal Information is collected.  Where we want to use your Personal Information for a purpose not previously identified to you at the time of collection, we will seek your consent prior to our use of such information for this new purpose, to the extent your consent is required by applicable law.  If you provide personal information about another individual to us, it is your responsibility to obtain the consent of that individual to enable us to collect, use and disclose their information as described in this Privacy Policy. 

You may withdraw your consent to our collection, use, or disclosure of your Personal Information at any time by contacting us using the contact information in the “Contact Us” section below; however, before we implement the withdrawal of consent, we may require proof of your identity.  In some cases, withdrawal of your consent may mean that we will no longer be able to provide certain products or services.

Collection of Personal Information 

We and our service providers collect Personal Information in a variety of ways, including:  

Through the Services.  We collect Personal Information through the Services, for example, when you request information on the products and services we offer, contact customer service, respond to our surveys, apply for a subscription, register an account, or make a purchase. 

From Other Sources.  We may receive your Personal Information from other sources, such as other third-party integrations.

 We need to collect Personal Information in order to provide the requested Services to you.  If you do not provide the information requested, we may not be able to provide the Services.  If you disclose any Personal Information relating to other people (such as a parent or guardian, physician, emergency contact, or agent) to us or to our service providers in connection with the Services, you represent that you have the authority to do so (including that you have obtained any legally required consent) and to permit us to use the information in accordance with this Privacy Policy.  

Use of Personal Information

We and our service providers use Personal Information for the following purposes: 

  • Providing the functionality of the Services and fulfilling your requests.

    • To provide the Services’ functionality to you, such as arranging access to your registered account, and providing you with related benefits, special promotions, or customer service.

    • To respond to your inquiries and fulfill your requests, when you contact us via one of our online contact forms or otherwise, for example, when you send us questions, suggestions, compliments or complaints, or when you request a quote for or other information about our Services.

    • To complete your transactions, verify your information, and provide you with related benefits, special promotions, or customer service.

    • To send administrative information to you, such as changes to our terms, conditions, and policies.

  • We post testimonials on our Services that may contain personal information.

  • Providing you with our newsletter and/or other marketing materials.

    • To deliver marketing communications to you, subject to your consent if required by applicable law.  You may opt out of such communications by contacting us.

  • Analyzing Personal Information for business reporting and providing tailored services.

    • To analyze or predict our users’ preferences in order to prepare aggregated trend reports on how our digital content is used, so we can improve our Services.

    • To better understand your interests, preferences, and needs, so that we can personalize our interactions with you and provide you with information and/or offers tailored to your interests.

  • Aggregating and/or anonymizing Personal Information.

    • We may aggregate and/or anonymize Personal Information so that it will no longer be considered Personal Information.  We do so to generate other data for our use, which we may use and disclose for any purpose, as it no longer identifies you or any other individual.  For example, we use anonymized information for machine learning that supports certain product features and functionality.  We will not seek to re-identify aggregated and/or anonymized information.

  • Accomplishing our business purposes.

    • For data analysis, for example, to troubleshoot and to improve the efficiency of our Services;

    • For audits, to verify that our internal processes function as intended and to address legal, regulatory, or contractual requirements;

    • For fraud prevention and fraud security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft;

    • For developing new products and services;

    • For enhancing, improving, repairing, maintaining, or modifying our current products and services, as well as undertaking quality and safety assurance measures;

    • For identifying usage trends, for example, understanding which parts of our Services are of most interest to users;

    • For customer surveys conducted by us or a service provider, to improve our products and services;

    • For determining the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users; and

    • For operating and expanding our business activities, for example, understanding which parts of our Services are of most interest to our users so we can focus our energies on meeting our users’ interests.

 

Definitions

Business Associate. An entity, not a member of the Covered Entity’s workforce, who:

  • Performs or assists in performing a function or activity regulated by HIPAA, on behalf of a covered entity, involving the creation, receipt, maintenance, or transmission (i.e., use and disclosure) of PHI (including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing); or

  • Provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI;

Business Associates include:

  • A health information organization;

  • An e-prescribing gateway;

  • Any entity that provides data transmission services with respect to PHI to a covered entity and that requires routine access to PHI;

  • An entity that maintains PHI for a covered entity, whether or not the entity actually reviews the PHI.

De-identified Information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.  There are two ways a covered entity can determine that information is de-identified: 

  • Professional statistical analysis

  • Removing 18 specific identifiers.

Designated Record Set. A group of records maintained by or for a company that includes:

  • Enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan; or

  • Other protected health information used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

Disclosure.  For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the human resources department of the location(s) of the Employer.

Health Care Operations.  Health care operations means any of the following activities to the extent that they are related to Plan administration:

  • conducting quality assessment and improvement activities;

  • reviewing health plan performance;

  • underwriting and premium rating;

  • conducting or arranging for medical review, legal services and auditing functions;

  • business planning and development; 

  • business management and general administrative activities;

  • to de-identify the information in accordance with HIPAA Rules as necessary to perform required services.

Payment.  Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan's responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care.  Payment also includes:

  • eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;

  • risk adjusting based on enrollee status and demographic characteristics; and

  • billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.

Use.  The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the human resources department of the Employer, or by a Business Associate (defined below) of the Plan.

Scope

Neuroscience Innovations is a business entity that is considered to be a Business Associate with respect to protected health information (PHI), as provided by the standards, requirements, and implementation specifications of HIPAA Privacy Rule. Therefore, this policy applies to Neuroscience Innovations and all the members of its workforce with access to PHI. Additionally, all third parties, subcontractors, or vendors that provide services to Neuroscience Innovations that involve the creation, receipt, maintenance, or transmission of private health information on behalf of the Employer to fulfill its contractual duties, must comply fully with HIPAA’s requirements.

Roles and Responsibilities

Privacy personnel designations will be documented and maintained in written or electronic form for six years from time of designation.

(CE) Neuroscience Innovations’s CEO will serve as the Privacy Official, who will be responsible for:

  • Developing and implementing privacy policies and procedures

  • Developing a program to manage complaints

  • Appointing personnel who will serve as contact persons to respond to questions, concerns, or complaints about individual PHI privacy and protection

  • Ensuring compliance with the HIPAA Privacy Rule regarding Business Associates and Business Associate Agreements (BAAs)

  • Monitoring compliance of all Business Associates with the HIPAA Privacy Rule, and this policy

  • Developing privacy training schedules and programs

Documentation

This policy and associated procedures are designed to ensure compliance as it applies to Neuroscience Innovations, its size, and the type of activities it performs. As documented, this policy will be maintained for at least six years from the date last in effect. Any necessary or appropriate changes to this policy will be: 

  • In line with the standards set forth in the HIPAA Privacy Rule;

  • To comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations);

  • Promptly implemented and documented;

  • Reflected in the notice of privacy practices; and

  • Communicated, if required, in writing or electronically, and documented.

The Plan shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights.

General Policy (For Covered Entities - § 164.530)

Training 

Neuroscience Innovations will ensure that all personnel are trained on the company’s privacy policies and procedures, and the HIPAA Privacy Rule as applicable, annually. The training will be reviewed and updated as needed, but annually at the least. 

Administrative, Technical and Physical Safeguards and Firewall

Neuroscience Innovations has appropriate administrative, technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements (see company information security policies and procedures, and controls in place).  

  • Administrative safeguards include implementing procedures for use and disclosure of PHI, as outlined in this policy.  

  • Technical safeguards include limiting access to information by creating computer firewalls, which will ensure that there is only authorized access to PHI at the minimum level necessary for administrative functions.

  • Physical safeguards include locking doors or filing cabinets.

Sanctions

Violation of this policy or HIPAA Privacy Rule will be met with sanctions in accordance with Neuroscience Innovations’s discipline policy, up to and including termination (See Information Security Policy).

Mitigation of Inadvertent PHI Disclosures

Neuroscience Innovations will, to the extent possible, mitigate any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Policy.  As a result, personnel will immediately contact the Privacy Official for the appropriate steps to mitigate the harm to impacted individuals, if the member becomes aware of:

  • A disclosure of PHI, either by an employee or a business associate 

  • An employee or business associate that is not in compliance with this policy or HIPAA

No Intimidation or Retaliatory Acts

No Neuroscience Innovations member may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No Waiver of HIPAA Privacy

No individual will be required by Neuroscience Innovations or any of its members to waive his or her privacy rights under HIPAA, as a condition of treatment, payment, enrollment or eligibility under a health plan.

Policy and Procedures for Use and Disclosure of PHI

Compliance

All members of Neuroscience Innovations with access to PHI must comply with this Policy and included procedures.

Access to PHI Is Limited to Certain Employees

The following employees (“employees with access”) have access to PHI:

  • Any employee who performs functions directly on behalf of Neuroscience Innovations

  • Any other employee who has access to PHI on behalf of the Employer for its use in “plan administrative functions”.

Employees with access may use and disclose PHI for company administrative functions, and they may disclose PHI to other employees with access for administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function).  Employees with access may not disclose PHI to employees (other than employees with access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and any associated procedures.

Permitted Uses and Disclosures for Plan Administration Purposes

  • Neuroscience Innovations may disclose the following for its use: 

  • (a) de-identified health information;  

  • (b) Enrollment information; 

  • (c) summary health information for the purposes of obtaining premium bids for providing health insurance coverage under a plan or for modifying, amending, or terminating the plan; or, 

  • (d) PHI pursuant to an authorization from the individual whose PHI is disclosed.

PHI may be disclosed to the following employees who have access to use and disclose PHI to perform functions on behalf of Neuroscience Innovations or to perform plan administrative functions (“employees with access”): 

Permitted Uses and Disclosures: Payment and Health Care Operations

PHI may be disclosed for the purposes of Neuroscience Innovations’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity. The same applies to disclosures for health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

  • Uses and Disclosures for Neuroscience Innovations's Own Payment Activities or Health Care Operations.  An employee may use and disclose PHI to perform Neuroscience Innovations’s own payment activities or health care operations.

    • Disclosures must comply with the “Minimum-Necessary” Standard.  (Under that procedure, if the disclosure is not recurring, the disclosure must be approved by the Privacy Official.)

    • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

  • Disclosures for Another Entity's Payment Activities.  An employee may disclose PHI to another covered entity or health care provider to perform the other entity's payment activities. These disclosures will be made according to procedures developed by the Privacy Official.

  • Disclosures for Certain Health Care Operations of the Receiving Entity.  An employee may disclose PHI for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the individual and the PHI requested pertains to that relationship.  Such disclosures are made according to procedures developed by the Privacy Official.

    • The disclosure must be approved by the Privacy Official. 

    • Disclosures must comply with the “Minimum-Necessary Standard.”

    • Disclosures must be documented in accordance with the procedure for “Documentation Requirements.”

  • Use or Disclosure for Purposes of Non-Health Benefits.  Unless an authorization from the individual (as discussed in "Disclosures Pursuant to an Authorization") has been received, an employee may not use a participant's PHI for the payment or operations of the Employer's "non-health" benefits (e.g., disability, worker's compensation, and life insurance).  If an employee requires a participant's PHI for the payment or health care operations of non-Plan benefits, follow the steps provided by the Privacy Official.

    • Obtain an Authorization.  First, contact the Privacy Official to determine whether an authorization for this type of use or disclosure is on file. If no form is on file, request an appropriate form from the Privacy Official.  Employees shall not attempt to draft authorization forms.  All authorizations for use or disclosure for non-Plan purposes must be on a form provided by (or approved by) the Privacy Official.

    • Questions?  Any employee who is unsure as to whether a task he or she is asked to perform qualifies as a payment activity or a health care operation of the Plan should contact the Privacy Official or his or her designated representative.

No Disclosure for Non-Health Plan Purposes

PHI may not be used or disclosed for the payment or operations of Neuroscience Innovations’s “non-health” benefits (e.g., disability, workers’ compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.

Mandatory Disclosures: Individual and HHS

A participant’s PHI must be disclosed as required by HIPAA in three situations: (a) the disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows); (b) the disclosure is required by law; or, (c) the disclosure is made to HHS for purposes of enforcing HIPAA.

  • Request From Individual.  Upon receiving a request from an individual (or an individual's representative) for disclosure of the individual's own PHI, the employee must follow the procedure for "Disclosures to Individuals Under Right to Access Own PHI."

  • Request From HHS.  Upon receiving a request from an HHS official for disclosure of PHI, the employee must take the steps established by the Privacy Official.

  • Follow the procedures for verifying the identity of a public official set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Permissive Disclosures: Legal and Public Policy Purposes

An employee who receives a request for disclosure of an individual's PHI that appears to fall within one of the categories described below under "Legal and Public Policy Disclosures Covered" must contact the Privacy Official. Disclosures must: (1) be approved by the Privacy Official; (2) comply with the “Minimum-Necessary Standard”; and, (3) be documented in accordance with the procedure for “Documentation Requirements”. Permitted disclosures include:

  • Disclosures about victims of abuse, neglect or domestic violence, if the following conditions are met:

    • The individual agrees with the disclosure; or

    • The disclosure is expressly authorized by statute or regulation and the disclosure prevents harm to the individual (or other victim) or the individual is incapacitated and unable to agree and information will not be used against the individual and is necessary for an imminent enforcement activity.  In this case, the individual must be promptly informed of the disclosure unless this would place the individual at risk or if informing would involve a personal representative who is believed to be responsible for the abuse, neglect or violence.

  • For Judicial and Administrative Proceedings, in response to:

    • An order of a court or administrative tribunal (disclosure must be limited to PHI expressly authorized by the order); and

    • A subpoena, discovery request or other lawful process, not accompanied by a court order or administrative tribunal, upon receipt of assurances that the individual has been given notice of the request, or that the party seeking the information has made reasonable efforts to receive a qualified protective order.

  • To a Law Enforcement Official for Law Enforcement Purposes, under the following conditions:

    • Pursuant to a process and as otherwise required by law, but only if the information sought is relevant and material, the request is specific and limited to amounts reasonably necessary, and it is not possible to use de-identified information.

    • Information requested is limited information to identify or locate a suspect, fugitive, material witness or missing person.

    • Information about a suspected victim of a crime (1) if the individual agrees to disclosure; or (2) without agreement from the individual, if the information is not to be used against the victim, if need for information is urgent, and if disclosure is in the best interest of the individual.

    • Information about a deceased individual upon suspicion that the individual's death resulted from criminal conduct.

    • Information that constitutes evidence of criminal conduct that occurred on the Employer's premises.

  • To Appropriate Public Health Authorities for Public Health Activities.

  • To a Health Oversight Agency for Health Oversight Activities, as authorized by law.

  • To a Coroner or Medical Examiner About Decedents, for the purpose of identifying a deceased person, determining the cause of death or other duties as authorized by law.

  • For Cadaveric Organ, Eye or Tissue Donation Purposes, to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs, eyes or tissue for the purpose of facilitating transplantation.

  • For Certain Limited Research Purposes, provided that a waiver of the authorization required by HIPAA has been approved by an appropriate privacy board.

  • To Avert a Serious Threat to Health or Safety, upon a belief in good faith that the use or disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public.

  • For Specialized Government Functions, including disclosures of an inmate’s PHI to correctional institutions and disclosures of an individual's PHI to an authorized federal official for the conduct of national security activities.

  • For Workers' Compensation Programs, to the extent necessary to comply with laws relating to workers' compensation or other similar programs.

Disclosures Pursuant to an Individual Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by an individual.  All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

Any requested disclosure to a third party (i.e., not the individual to whom the PHI pertains) that does not fall within one of the categories for which disclosure is permitted or required in this policy may be made pursuant to an individual authorization. If disclosure pursuant to an authorization is requested, the following procedures should be followed:

  • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

  • All uses and disclosures made pursuant to an authorization must be consistent with the terms and conditions of the authorization.

  • Verify that the authorization form is valid.  Valid authorization forms are those that:

    • Are properly signed and dated by the individual or the individual's representative; 

    • Are not expired or revoked [the expiration date of the authorization form must be a specific date (such as July 1, 2010) or a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure (e.g., for the duration of the individual's coverage)];

    • Contain a description of the information to be used or disclosed;

    • Contain the name of the entity or person authorized to use or disclose the PHI;

    • Contain the name of the recipient of the use or disclosure;

    • Contain a statement regarding the individual's right to revoke the authorization and the procedures for revoking authorizations; and

    • Contain a statement regarding the possibility for a subsequent re-disclosure of the information.

  • Follow the procedures for verifying the identity of the individual (or individual's representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

Verification of Identity of Those Requesting Protected Health Information

Employees must take steps to verify the identity of individuals who request access to PHI.  They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known.  Separate procedures are set forth below for verifying the identity and authority, depending on whether the request is made by the individual, a parent seeking access to the PHI of his or her minor child, a personal representative, or a public official seeking access.

  • Request Made by Individual. When an individual requests access to his or her own PHI, the following steps should be followed:

    • Request a form of identification from the individual.  Employees may rely on a valid driver’s license, passport or other photo identification issued by a government agency.

    • Verify that the identification matches the identity of the individual requesting access to the PHI.  If you have any doubts as to the validity or authenticity of the identification provided or the identity of the individual requesting access to the PHI, contact the Privacy Official.

    • Make a copy of the identification provided by the individual and file it with the individual's designated record set.

    • If the individual requests PHI over the telephone, ask for his or her Social Security number.

    • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

  • Request Made by Parent Seeking PHI of Minor Child. When a parent requests access to the PHI of the parent's minor child, the following steps should be followed:

    • Seek verification of the person's relationship with the child.  Such verification may take the form of confirming enrollment of the child in the parent's plan as a dependent. 

    • Disclosures must be documented in accordance with the procedure "Documentation Requirements."

  • Request Made by Personal Representative. When a personal representative requests access to an individual's PHI, the following steps should be followed:

    • Require a copy of a valid power of attorney or other documentation—requirements may vary state-by-state.  If there are any questions about the validity of this document, seek review by the Privacy Official.

    • Make a copy of the documentation provided and file it with the individual's designated record set.

    • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

  • Request Made by Public Official. If a public official requests access to PHI, and if the request is for one of the purposes set forth above in "Mandatory Disclosures of PHI" or "Permissive Disclosures of PHI," the following steps should be followed to verify the official's identity and authority:

    • If the request is made in person, request presentation of an agency identification badge, other official credentials, or other proof of government status.  Make a copy of the identification provided and file it with the individual's designated record set.

    • If the request is in writing, verify that the request is on the appropriate government letterhead.

    • If the request is by a person purporting to act on behalf of a public official, request a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

    • Request a written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority.  If the individual's request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, contact the Legal Department.

    • Obtain approval for the disclosure from the Privacy Official.

    • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

  • Requests for Disclosure of PHI From Spouses, Family Members, and Friends. PHI will not be disclosed to family or friends of an individual except as required or permitted by HIPAA.  Generally, an authorization is required before another party, including spouse, family member or friend, will be able to access PHI. 

    • If an employee receives a request for disclosure of an individual's PHI from a spouse, family member or personal friend of an individual, and the spouse, family member, or personal friend is either (1) the parent of the individual and the individual is a minor child; or (2) the personal representative of the individual, then follow the procedure for "Verification of Identity of Those Requesting Protected Health Information."

    • Once the identity of a parent or personal representative is verified, then follow the procedure for "Individual’s Request for Access."

    • All other requests from spouses, family members, and friends must be authorized by the individual whose PHI is involved. See the procedures for "Disclosures Pursuant to Individual Authorization."

Disclosures of PHI to Business Associates

A Business Associate is an entity that:

  • performs or assists in performing a Plan function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or,

  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Business Associates include:

  • health information organizations;

  • e-prescribing gateways;

  • other entities that provide data transmission services with respect to PHI and require routine access to PHI;

  • entities that offer a personal health record to one or more individuals on behalf of a covered entity; or

  • entities that maintain PHI, whether or not the entities actually review the PHI.

Employees may disclose PHI to Neuroscience Innovations’s business associates and allow the business associates to create or receive PHI on its behalf.  However, prior to doing so, Neuroscience Innovations will first obtain assurances from the business associate that it will appropriately safeguard the information. All uses and disclosures by a "business associate" will be made in accordance with a valid business associate agreement. Before sharing PHI with outside consultants or contractors who meet the definition of a “business associate,” employees must contact the Privacy Official and verify that a business associate contract is in place.

The following additional procedures must be satisfied:

  • Disclosures must be consistent with the terms of the business associate contract.

  • Disclosures must comply with the "Minimum-Necessary Standard."  (Under that procedure, each recurring disclosure will be subject to a separate policy to address the minimum-necessary requirement, and each non-recurring disclosure must be approved by the Privacy Official.)

  • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Complying With the “Minimum-Necessary” Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.

  • Procedures for Disclosures

    • Identify recurring disclosures.  For each recurring disclosure, identify the types of PHI to be disclosed, the types of person who may receive the PHI, the conditions that would apply to such access, and the standards for disclosures to routinely-hired types of business associates.  Create a policy for each specific recurring disclosure that limits the amount disclosed to the minimum amount necessary to accomplish the purpose of the disclosure.

    • For all other requests for disclosures of PHI, contact the Privacy Official, who will ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure. 

  • Procedures for Requests

    • Identify recurring requests.  For each recurring request, identify the information that is necessary for the purpose of the requested disclosure and create a policy that limits each request to the minimum amount necessary to accomplish the purpose of the disclosure.

    • For all other requests for PHI, contact the Privacy Official, who will ensure the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

  • Exceptions

    • The "minimum-necessary" standard does not apply to any of the following:

    • Uses or disclosures made to the individual;

    • Uses or disclosures made pursuant to an individual authorization;

    • Disclosures made to HHS;

    • Uses or disclosures required by law; and

    • Uses or disclosures required to comply with HIPAA.

Disclosures of De-Identified Information

De-identified information is not PHI; it is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.  There are two ways to determine that information is de-identified: either by professional statistical analysis, or by removing specific identifiers.

Upon approval and verification from the Privacy Official that the information in question is de-identified, the de-identified information may be used and disclosed freely in accordance with HIPAA privacy regulations.  

Individual’s Request for Access

HIPAA provides individuals the right to access and obtain copies of their PHI (or electronic copies of PHI) that Neuroscience Innovations (or its business associates) maintains in designated record sets.  

Upon receiving a request from an individual (or from a minor's parent or an individual's personal representative) for disclosure of an individual's PHI, the employees will take the following steps:

  • Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • Review the disclosure request to determine whether the PHI requested is held in the individual's designated record set.  See the Privacy Official if it appears that the requested information is not held in the individual's designated record set.  No request for access may be denied without approval from the Privacy Official.

  • Review the disclosure request to determine whether an exception to the disclosure requirement might exist; for example, disclosure may be denied for requests to access psychotherapy notes, documents compiled for a legal proceeding, information compiled during research when the individual has agreed to denial of access, information obtained under a promise of confidentiality, and other disclosures that are determined by a health care professional to be likely to cause harm.  See the Privacy Official if there is any question about whether one of these exceptions applies.  No request for access may be denied without approval from the Privacy Official.

  • Respond to the request by providing the information or denying the request within 30 days.  If the requested PHI cannot be accessed within the 30-day period, the deadline may be extended for 30 days by providing written notice to the individual within the original 30-day period of the reasons for the extension and the date by which the Employer will respond.

  • A Denial Notice must contain (1) the basis for the denial; (2) a statement of the individual's right to request a review of the denial, if applicable; and (3) a statement of how the individual may file a complaint concerning the denial.  All notices of denial must be prepared or approved by the Privacy Official. 

  • Provide the information requested in the form or format requested by the individual, if readily producible in such form.  Otherwise, provide the information in a readable hard copy or such other form as is agreed to by the individual.

  • Individuals have the right to receive a copy by mail or by e-mail or can come in and pick up a copy.  Individuals (including inmates) also have the right to come in and inspect the information.

  • If the individual has requested a summary and explanation of the requested information in lieu of, or in addition to, the full information, prepare such summary and explanation of the information requested and make it available to the individual in the form or format requested by the individual.

  • Charge a reasonable cost-based fee for copying, postage, and preparing a summary (but the fee for a summary must be agreed to in advance by the individual).  This provision is not needed if the plan will not charge a fee.

  • Disclosures must be documented in accordance with the procedure "Documentation Requirements."

Individual’s Requests for Amendment

HIPAA also provides individuals the right to request to have their PHI amended.  Neuroscience Innovations will consider requests for amendment that are submitted in writing by participants.

Upon receiving a request from an individual (or a minor's parent or an individual's personal representative) for amendment of an individual's PHI held in a designated record set, employees will take the following steps:

  • Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • Review the disclosure request to determine whether the PHI at issue is held in the individual's designated record set.  See the Privacy Official if it appears that the requested information is not held in the individual's designated record set.  No request for amendment may be denied without approval from the Privacy Official.

  • Review the request for amendment to determine whether the information would be accessible under HIPAA's right to access (see the access procedures above).  See the Privacy Official if there is any question about whether one of these exceptions applies. No request for amendment may be denied without approval from the Privacy Official.

  • Review the request for amendment to determine whether the amendment is appropriate—that is, determine whether the information in the designated record set is accurate and complete without the amendment.

  • Respond to the request within 60 days by informing the individual in writing that the amendment will be made or that the request is denied.  If the determination cannot be made within the 60-day period, the deadline may be extended for 30 days by providing written notice to the individual within the original 60-day period of the reasons for the extension and the date by which the Employer will respond.

  • When an amendment is accepted, make the change in the designated record set, and provide appropriate notice to the individual and all persons or entities listed on the individual's amendment request form, if any, and also provide notice of the amendment to any persons/entities who are known to have the particular record and who may rely on the uncorrected information to the detriment of the individual.

  • When an amendment request is denied, the following procedures apply:

    • All notices of denial must be prepared or approved by the Privacy Official.  A Denial Notice must contain (1) the basis for the denial; (2) information about the individual's right to submit a written statement disagreeing with the denial and how to file such a statement; (3) an explanation that the individual may (if he or she does not file a statement of disagreement) request that the request for amendment and its denial be included in future disclosures of the information; and (4) a statement of how the individual may file a complaint concerning the denial. 

    • If, following the denial, the individual files a statement of disagreement, include the individual's request for an amendment; the denial notice of the request; the individual's statement of disagreement, if any; and the Employer's rebuttal/response to such statement of disagreement, if any, with any subsequent disclosure of the record to which the request for amendment relates.  If the individual has not submitted a written statement of disagreement, include the individual's request for amendment and its denial with any subsequent disclosure of the protected health information only if the individual has requested such action.

 

Request for an Accounting of Disclosures of PHI

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI.  

Upon receiving a request from an individual (or a minor's parent or an individual's personal representative) for an accounting of disclosures, the employee must take the following steps:

  • Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • If the individual requesting the accounting has already received one accounting within the 12 month period immediately preceding the date of receipt of the current request, prepare a notice to the individual informing him or her that a fee for processing will be charged and providing the individual with a chance to withdraw the request. 

  • Respond to the request within 60 days by providing the accounting (as described in more detail below), or informing the individual that there have been no disclosures that must be included in an accounting (see the list of exceptions to the accounting requirement below).  If the accounting cannot be provided within the 60-day period, the deadline may be extended for 30 days by providing written notice to the individual within the original 60-day period of the reasons for the extension and the date by which the Employer will respond.

  • The accounting must include disclosures (but not uses) of the requesting individual's PHI made by the Plan and any of its business associates during the period requested by the individual up to six years prior to the request.  (Note, however, that the Plan is not required to account for any disclosures made prior to April 14, 2004.)  The accounting does not have to include disclosures made:

    • to carry out treatment, payment and health care operations;

    • to the individual about his or her own PHI;

    • incident to an otherwise permitted use or disclosure;

    • pursuant to an individual authorization;

    • for specific national security or intelligence purposes;

    • to correctional institutions or law enforcement when the disclosure was permitted without an authorization; and

    • as part of a limited data set.

  • If any business associate of the Plan has the authority to disclose the individual's PHI, then the Privacy Officer shall contact the business associate to obtain an accounting of the business associate's disclosures.

  • The accounting must include the following information for each reportable disclosure of the individual's PHI:

    • the date of disclosure;

    • the name (and if known, the address) of the entity or person to whom the information was disclosed;

    • a brief description of the PHI disclosed; and

    • a brief statement explaining the purpose for the disclosure.  (The statement of purpose may be accomplished by providing a copy of the written request for disclosure, when applicable.)

  • If the Plan has received a temporary suspension statement from a health oversight agency or a law enforcement official indicating that notice to the individual of disclosures of PHI would be reasonably likely to impede the agency's activities, disclosure may not be required.  If an employee receives such a statement, either orally or in writing, the employee must contact the Privacy Official for more guidance. 

  • Accountings must be documented in accordance with the procedure for "Documentation Requirements."

Requests for Confidential Communications

Individuals may request to receive communications regarding their PHI by alternative means or at alternative locations.  For example, participants may ask to be called only at work rather than at home.  Such requests may be honored if the requests are reasonable.

However, the Employer shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant.  The Privacy Official has responsibility for administering requests for confidential communications.

Upon receiving a request from an individual (or a minor's parent or an individual's personal representative) to receive communications of PHI by alternative means or at alternative locations, the employee must take the following steps:

  • Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • Determine whether the request contains a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.

  • The employee should take steps to honor requests.

  • If a request will not be accommodated, the employee must contact the individual in person, in writing, or by telephone to explain why the request cannot be accommodated.

  • All confidential communication requests that are approved must be tracked.

  • Requests and their dispositions must be documented in accordance with the procedure for "Documentation Requirements." 

Requests for Restrictions on Uses and Disclosures of PHI

Individuals may request restrictions on the use and disclosure of the participant's PHI. Upon receiving a request from an individual (or a minor's parent or an individual's personal representative) for access to an individual's PHI, the employee must take the following steps: 

  • Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."

  • The employee should take steps to honor requests. 

  • If a request will not be accommodated, the employee must contact the individual in person, in writing, or by telephone to explain why the request cannot be accommodated.

  • All requests for limitations on use or disclosure of PHI that are approved must be tracked.

  • All business associates that may have access to the individual's PHI must be notified of any agreed-to restrictions. 

  • Requests and their dispositions must be documented in accordance with the procedure for "Documentation Requirements."

Records

Copies of all of the following items will be maintained for a period of at least six years from the date the documents were created or were last in effect, whichever is later:

  • "Notices of Privacy Practices" that are issued to participants

  • Copies of policies and procedures

  • Individual authorizations

  • When disclosure of certain PHI is made:

    • Date of the disclosure;

    • Name of the entity or person who received the PHI and, if known, the address of such entity or person;

    • Brief description of the PHI disclosed;

    • Brief statement of the purpose of the disclosure; and

    • Any other documentation required under these Use and Disclosure Procedures.

Information Collected Automatically

We and our service providers may collect certain information automatically, as set forth below.  We may use and disclose such information for any purpose, except where we are required to do otherwise under applicable law.  If we are required to treat such information as Personal Information under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Privacy Policy.  In some instances, we may combine the information we collect automatically with Personal Information.  If we do, we will treat the combined information as Personal Information as long as it is combined.

Your browser or device.  

Certain information is collected by most browsers or automatically through your device, such as your computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Services (such as the app) you are using.  We use this information to ensure that the Services function properly and for security purposes.  We also collect the address of the website from which you come to our website.

Your use of our app.  

When you download and use our app, we and our service providers may track and collect app usage data, such as the date and time the app on your device accesses our servers and what information and files have been downloaded to the app based on your device number, to understand our user base and improve the functionality of the app.

Cookies. 

Cookies are pieces of information stored directly on the computer that you are using.  Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other clickstream and traffic data.  We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize your experience.  We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used, and assist us with resolving questions regarding them.  We do not currently respond to browser do-not-track signals.  If you do not want information collected through the use of cookies, most browsers allow you to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website.  You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Services.

Pixel tags and other similar technologies.  

Pixel tags.  Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the Services and response rates.  

Analytics.  We use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends.  This service may also collect information regarding the use of other websites, apps, and online services.  You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and exercise the opt-out provided by Google by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

Invisible reCAPTCHA.  We use Google’s invisible reCAPTCHA application on our Services in order to protect against spam and other automated abuse.  The reCAPTCHA tool may make use of cookies, as well as other information like IP address, date, time, language, screen size and resolution, and mouse movements.  The use of the reCAPTCHA tool and any information collected through the tool are subject to Google’s privacy policy, available at https://policies.google.com/privacy and Google’s terms of service, available at https://policies.google.com/terms?hl=en.

Adobe Flash technology (including Flash Local Shared Objects (“Flash LSOs”)) and other similar technologies. 

We may use Flash LSOs and other technologies to, among other things, collect and store information about your use of the Services.  If you do not want Flash LSOs stored on your computer, you can adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel.  You can also go to the Global Storage Settings Panel and follow the instructions (which may explain, for example, how to delete existing Flash LSOs (referred to as “information”), how to prevent Flash LSOs from being placed on your computer without your being asked, and how to block Flash LSOs that are not being delivered by the operator of the page you are on at the time).  Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications.

Physical Location.  

We may collect the physical location of your device by, for example, using satellite, cell phone tower, or WiFi signals.  We may use your device’s physical location to provide you with personalized location-based services and content.  In some instances, you may be permitted to allow or deny such uses of your device’s location, but, if you do, we may not be able to provide you with the applicable personalized services.

TrueDepth API

Data captured by the TrueDepth API via your iPhone's front-facing Camera:

  • facePosition

  • faceRotation

  • deviceRotation

  • devicePosition

  • rightEyePosition

  • leftEyePosition

  • rightEyeLookAtPosition

  • leftEyeLookAtPosition

  • rightEyeLookAtPoint

  • leftEyeLookAtPoint

  • centerEyeLookAtPoint

  • rightEyeBlink

  • leftEyeBlink

  • rightEyeDistance

  • leftEyeDistance

  • light

  • isBlink

  • totalBlinks

We utilize this data for various purposes (general description):

  • Detection of a user's face position and rotation relative to their screen's distance.

  • Eye tracking for inferring fixations, saccades, and look-at points during assessments.

  • Calibration to ensure accuracy in eye tracking.

  • Detecting user blinks and counting the occurrences.

  • Ensuring the user's face remains within the camera's view.

Storage and Processing:

  • Eye tracking data collected from the TrueDepth API is initially captured on the device. Subsequently, it is securely transmitted to your Provider and stored within your Provider's encrypted Oculabs tenant for further analytical processing. Utilizing this data, we generate analytics, heatmap visualizations, sequence visualizations, and replay visualizations.

SECURITY

We seek to use reasonable organizational, technical, and administrative measures to protect Personal Information within our organization.  Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.  If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in our “Support” section on our website.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment. 

THIRD-PARTY SERVICES

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which the Services link.  The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates. 

In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, Blackberry, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including with respect to any Personal Information you disclose to other organizations through or in connection with the Apps or our Social Media Pages.

JURISDICTION AND CROSS-BORDER TRANSFER

Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the Services you understand that your information will be transferred to countries outside of your country of residence, including Canada, which may have data protection rules that are different from those of your country.  In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Information.  

We make our products and services available in languages other than English, for the convenience of athletes who are located in Canada or the United States and whose primary language is not English.  We do not currently direct our products or services to individuals located outside of Canada and the United States.

CONTROLS FOR DO-NOT-TRACK FEATURES 

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this 

California Residents 

California Civil Code Section 1798.83, also known as the "Shine The Light" law permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.). 

CCPA Privacy Notice 

This section applies only to California residents. Under the California Consumer Privacy Act (CCPA), you have the rights listed below. 

The California Code of Regulations defines a "resident" as: 

(1) every individual who is in the State of California for other than a temporary or transitory purpose and
(2) every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose

All other individuals are defined as "non-residents."

If this definition of "resident" applies to you, we must adhere to certain rights and obligations regarding your personal information.

Right to be informed — Request to know

Depending on the circumstances, you have a right to know:

  • whether we collect and use your personal information; 

  • the categories of personal information that we collect; 

  • the purposes for which the collected personal information is used; 

  • whether we sell or share personal information to third parties; 

  • the categories of personal information that we sold, shared, or disclosed for a business purpose;

  • the categories of third parties to whom the personal information was sold, shared, or disclosed for a business purpose; 

  • the business or commercial purpose for collecting, selling, or sharing personal information; and

  • the specific pieces of personal information we collected about you. 

In accordance with applicable law, we are not obligated to provide or delete consumer information that is de-identified in response to a consumer request or to re-identify individual data to verify a consumer request.

Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights

We will not discriminate against you if you exercise your privacy rights.

Right to Limit Use and Disclosure of Sensitive Personal Information

If the business collects any of the following:

  • social security information, drivers' licenses, state ID cards, passport numbers

  • account login information

  • credit card numbers, financial account information, or credentials allowing access to such accounts

  • precise geolocation

  • racial or ethnic origin, religious or philosophical beliefs, union membership

  • the contents of email and text, unless the business is the intended recipient of the communication

  • genetic data, biometric data, and health data

  • data concerning sexual orientation and sex life 

Other privacy rights 

You may object to the processing of your personal information.

You may request correction of your personal data if it is incorrect or no longer relevant, or ask to restrict the processing of the information.

You can designate an authorized agent to make a request under the CCPA on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with the CCPA.

You may request to opt out from future selling or sharing of your personal information to third parties. Upon receiving an opt-out request, we will act upon the request as soon as feasibly possible, but no later than fifteen (15) days from the date of the request submission.

To exercise these rights, you can contact us by submitting a data subject access request, by email at info@neuroscienceinnovations.com, or by referring to the contact details at the bottom of this document. If you have a complaint about how we handle your data, we would like to hear from you.

Colorado Residents

This section applies only to Colorado residents. Under the Colorado Privacy Act (CPA), you have the rights listed below. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law.

  • Right to be informed whether or not we are processing your personal data

  • Right to access your personal data

  • Right to correct inaccuracies in your personal data

  • Right to request deletion of your personal data

  • Right to obtain a copy of the personal data you previously shared with us

  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

To submit a request to exercise these rights described above, please email info@neuroscienceinnovations.com or submit a data subject access request.

If we decline to take action regarding your request and you wish to appeal our decision, please email us at info@neuroscienceinnovations.com. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Connecticut Residents
  
This section applies only to Connecticut residents. Under the Connecticut Data Privacy Act (CTDPA), you have the rights listed below. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law.
  

  • Right to be informed whether or not we are processing your personal data 

  • Right to access your personal data 

  • Right to correct inaccuracies in your personal data

  • Right to request deletion of your personal data 

  • Right to obtain a copy of the personal data you previously shared with us  

  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

To submit a request to exercise these rights described above, please email info@neuroscienceinnovations.com or submit a data subject access request.

If we decline to take action regarding your request and you wish to appeal our decision, please email us at info@neuroscienceinnovations.com. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Utah Residents
  
This section applies only to Utah residents. Under the Utah Consumer Privacy Act (UCPA), you have the rights listed below. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. 

  • Right to be informed whether or not we are processing your personal data

  • Right to access your personal data

  • Right to request deletion of your personal data

  • Right to obtain a copy of the personal data you previously shared with us

  • Right to opt out of the processing of your personal data if it is used for targeted advertising or the sale of personal data

To submit a request to exercise these rights described above, please email info@neuroscienceinnovations.com or submit a data subject access request.

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA):

"Consumer" means a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context. 

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information. 

"Sale of personal data" means the exchange of personal data for monetary consideration. 

If this definition of "consumer" applies to you, we must adhere to certain rights and obligations regarding your personal data. 

Your rights with respect to your personal data 

  • Right to be informed whether or not we are processing your personal data

  • Right to access your personal data

  • Right to correct inaccuracies in your personal data

  • Right to request deletion of your personal data

  • Right to obtain a copy of the personal data you previously shared with us

  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

Exercise your rights provided under the Virginia VCDPA

You may contact us by email at info@neuroscienceinnovations.com or submit a data subject access request.

If you are using an authorized agent to exercise your rights, we may deny a request if the authorized agent does not submit proof that they have been validly authorized to act on your behalf.

Verification process

We may request that you provide additional information reasonably necessary to verify you and your consumer's request. If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request. Upon receiving your request, we will respond without undue delay, but in all cases, within forty-five (45) days of receipt. The response period may be extended once by forty-five (45) additional days when reasonably necessary. We will inform you of any such extension within the initial 45-day response period, together with the reason for the extension.

Right to appeal 

If we decline to take action regarding your request, we will inform you of our decision and reasoning behind it. If you wish to appeal our decision, please email us at info@neuroscienceinnovations.com. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may contact the Attorney General to submit a complaint.

UPDATES TO THIS PRIVACY POLICY

The “LAST UPDATED” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised.  Any changes will become effective when we post the revised Privacy Policy on the Services.  

CONTACT US

If you have any questions about this Privacy Policy, please contact us at info@neuroscienceinnovations.com.  Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us. 

Neuroscience Innovations 

2112 Woodburn St

Colorado Springs, CO 80906 United States