May 13th, 2018
WHAT INFORMATION WE COLLECT AND HOW WE USE IT
At this time, we receive and store any information you enter on our website or give us in any other way. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide in responding to your requests, customizing tools for you, for grading and certification for our courses, improving our site, and communicating with you.
HOW WE STORE & PROTECT YOUR DATA
- User data is maintained securely in a database.
- User login information is password protected, hashed, and salted.
- Database access is limited and specific with regards to accepting connections.
- All site user connections to the website are over https and encrypted end to end.
- All administrative connections to the website and server are encrypted end to end.
- All passwords used for web server, CMS, and database administration are strong passwords.
- The CA (Certificate Authority) used is Let’s Encrypt. An explanation of how the process works can be found here: https://letsencrypt.org/how-it-works/
- The server is firewalled and has additional hardening measures in place, which are are not revealed publicly for security reasons.
HOW LONG DO WE KEEP YOUR DATA?
- If someone signs up for a course, data is retained for a period of 2 years/24 months for easy re-enrollment.
- Data is removed upon user request
- For those who have opted into email lists, data is retained until the user opts out.
- In the event contacts on the mailing list have emails bouncing, after 3 bounced emails or 30 days, their data will be removed
WITH WHOM YOUR INFORMATION IS SHARED
We will also disclose information we maintain when required to do so by law.
We use well known and reputable 3rd party applications for this website to provide services to you, and have carefully examined their practices towards security and storage as well as their use of sensitive data.
We are not responsible for 3rd party security breaches, and cannot insure the safety of your personal information with them, but have made every effort to ensure that we only work with reliable and verified applications that work diligently to keep your sensitive data safe and sound. The details of the 3rd party applications we use are listed below including how you can contact them to get copies of your data or request the removal of it.
(See OUR THIRD PARTY APPLICATIONS LIST below)
Please note that The InterStrength Group, LLC does not want to receive confidential or proprietary information from you through our websites. Any non-personal information or material sent to The InterStrength Group, LLC will be deemed NOT to be confidential. By sending The InterStrength Group, LLC any non-personal information or material, you grant The InterStrength Group, LLC an unrestricted, irrevocable license to use, reproduce, display, perform, modify, transmit and distribute those materials or information, and you also agree that The InterStrength Group, LLC is free to use any ideas, concepts, know-how or techniques that you send us for any purpose. However, we will not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first notify you that the materials or other information you submit to a particular part of a site will be published or otherwise used with your name on it; or (c) we are required to do so by law.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. As part of our efforts to support you and be compliant with the upcoming changes to the EU data protection law (GDPR) on May 25, 2018, we’ve made a couple of changes to create additional transparency and clarity:
- We have conducted an information audit to map data flows.
- We will retain and protect your data on our servers until either: (a) You request we remove it; (b) It is no longer needed; or (c) If legally required to do so.
- Linda Berens keeps copies of data in a private-encrypted directory in Google’s Cloud. Only Linda Berens has access to this directory and uses 2 part authentication when accessing and viewing it over a secured browser.
- You have a right to request a copy of the data stored on our servers and in Google Cloud at any time.
- You have a right to request your data be removed from our servers and Google Cloud.
- You have a right to request that we remove you from our mailing list through Constant Contact and/or Linda’s encrypted directory through her Gmail Suite at any time.
You can request any of the above by emailing Linda directly at firstname.lastname@example.org
For further general information about GDPR:
The Act: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
The Directive: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN
The Governing Body: https://ico.org.uk/
OUR THIRD PARTY APPLICATIONS LIST
Linda Berens uses Google Drive/Cloud to store data in private encrypted directories. Here is what Google does to protect data in the cloud:
Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Google’s security policies.
Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google.
These teams engage with customers, industry stakeholders, and supervisory authorities to shape our G Suite and Google Cloud Platform services in a manner that helps customers meet their compliance needs.
Processing According to Instructions
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements.
Personnel Confidentiality Commitments
All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
Google uses encryption to protect data in transit and at rest. Data in transit to G Suite is protected using HTTPS, which is activated by default for all users. G Suite and Google Cloud Platform services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data can be found in our Encryption Whitepaper. http://services.google.com/fh/files/helpcenter/google_encryptionwp2016.pdf?utm_medium=et&utm_source=google.com%2Fcloud&utm_campaign=gdpr&utm_content=commitments_to_the_gdpr
For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies.
We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community and greatly value their help identifying vulnerabilities in G Suite, Google Cloud Platform, and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk.
Please contact Linda Berens directly to manage your data (request copies or removal): email@example.com
ConstantContact (Email Campaigns and Newsletters)
How Constant Contact Protects Your Data
Our current privacy program has been certified to the obligations and standards of the EU-US and Swiss-US Privacy Shields, which means we lawfully transfer and protect the personal data of EU/EEA residents to the U.S. pursuant to the rules of the Federal Trade Commission and the EU. This means that we have already implemented many privacy requirements that are similar to those required by the GDPR.
Constant Contact is committed to achieving compliance with the GDPR by May 25, 2018. This will include work “behind the scenes,” such as reviewing and updating (as necessary) our agreements, policies, internal processes, features and templates to assure our compliance. Over the coming months leading up to the deadline, you will receive updates on our GDPR compliance status, guides explaining how we will support you and your customers in dealing with additional obligations such as rights requests, and information on making compliance as easy as possible.
If you have any additional questions, need a copy of your personal data ConstantContact has or to request they delete it, please reach out to:
Name: Andy Hutchison?Title: Chief Security and Privacy Officer?Email: firstname.lastname@example.org
Thinkific (Certification Courses)
What has Thinkific done to prepare for the GDPR?
Here at Thinkific, we’ve been working hard to ensure that we’re ready when GDPR takes effect. Here are some of the efforts that we’ve undertaken so far:
- We’ve reviewed our policies and procedures that relate to data protection across the organization and identified any changes that we need to make.
- We’ve started a review of all of our subprocessors of data to ensure that they are obligated to protect our data through policies and/or technological measures.
- We’ve engaged members from across Thinkific to create and review our plan for GDPR compliance implementation.
To request a copy of your data or to request removal of it contact:
I’m a typeform respondent, not a user. What data do you collect from me?
Your usage data whenever you use our services. We share some of this with the typeform creator. The time it took you to complete the typeform, for example.
The device you use to access our services, including the IP address, browser type, and operating system. We may see your geographic location based on the IP address. We share this with the typeform creator.
If you come to our website from an external source (like a link from another website or in an email) we keep information about that source. We share this with the typeform creator.
Typeforms keeps the data they have secret. They apply technical and organizational measures to make sure the level of security matches any risk. This includes, among other things:
- Pseudonymisation and encryption of personal data.
- Ensuring the confidentiality, integrity, availability, and resilience of their systems.
- Getting access to personal data in the event of a technical incident.
- Verifying, evaluating, and assessing the effectiveness of what they are doing.
- Taking particular care when it comes to the risks surrounding data processing.
- Looking at the potential consequences of destruction, loss, accidental or unlawful changing of personal data, and unauthorized access to personal data.
- Typeforms will never share data with people unrelated to the service they provide.
- Typeforms will delete or give back all data and any copies of that data —unless the law tells us not to. As well as give, in writing, a record of everything they have done with data.
- Show you how we’ve met the obligations in this policy.
To request a copy of your data or request it’s removal, send your request to TYPEFORM, S.L. (quoting tax ID number B-63003883) to this address:
Bac de Roda, 163
08018 Barcelona Spain
You can also send a request via the form on https://www.typeform.com/help/
ScheduleOnce (Webinar Application)
NETWORK AND DATA SECURITY
We have implemented and will maintain reasonable security controls to protect the confidentiality, integrity, and availability of personal data (PII), including safeguards such as data back-ups, encryption, and transaction recording to avoid loss, misuse, alteration, or destruction of PII we process. In addition, ScheduleOnce may utilize secure technology to transfer data provided by users and additional measures in the processing of sensitive PII. While we have taken efforts to safeguard your PII, we cannot guarantee that your data will not be disclosed or accessed by way of the unauthorized acts of others.
ACCESS AND CONTROL OF PII
You can access, change, or update PII you have provided and your preferences regarding information you receive from us by changing the respective settings in your ScheduleOnce user account. You may also contact us using the information found in the Contacting Us section of this Policy to exercise your rights described in this section. We will implement any requested changes as soon as we reasonably can, subject to reasonable limitations, such as the need to verify your identity.
When you edit your data or change your preferences, data that you remove may remain in our databases or backup media because it is not always possible to completely remove or delete data from those locations.
INTERNATIONAL TRANSFER OF PII
By using our Site and providing us with data, you acknowledge and agree that due to the international dimension of ScheduleOnce, we may transmit your PII outside of the United States. However, if you are a non-U.S. person, please note that your PII will be stored on our servers in the United States. The privacy laws of the United States may be less stringent than the laws of your country. If you object to your PII being transferred or otherwise processed as described in this Policy, please do not use the Site.
To request a copy of your data or to request its removal please contact them through the following:
Security and Compliance Manager
340 S. Lemon Ave. #5585,
Walnut, CA 91789
Stripe (Payment Processing)
How is Stripe ensuring the adequate protection of European data transfers?
Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc. in the US. To ensure the adequate protection of personal data, we have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. Our Privacy Shield Policy is available here.
In addition to Privacy Shield, Stripe continues to employ additional compliance measures to ensure an adequate level of protection of personal data transferred outside the European Economic Area.
Our aim is to ensure that Stripe remains compliant with European data protection laws and also to assist our users in doing so. If you have additional questions, If you have any additional questions, need a copy of your personal data ConstantContact has or to request they delete it, please reach out to:
PayPal (Former Payment Processor)
How Do We Protect Your Personal Data?
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current. We are not responsible for protecting any Personal Data that we share with a third-party based on an account connection that you have authorized.
To contact PayPal to request copies of your data or to request it is removed:
Via Form: https://www.paypal.com/us/selfhelp/contact/email/privacy