PathCheck SafePlaces App Privacy Policy
Effective as of June 23, 2020.
“Privacy Policy” describes the privacy practices of PathCheck Foundation (“PathCheck”, “we”, “us”, or “our”) in connection with the PathCheck GPS mobile application (the “Service” or “PathCheck GPS”). This Privacy Policy also describes the rights and choices available to individuals with respect to their information when using the Service. PathCheck may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information. These supplemental privacy policies will govern how we may process the information in the context of the specific product or service.
We provide important information for individuals located in the European Union, European Economic Area, and United Kingdom (collectively, “Europe” or “European”) below.
About PathCheck
PathCheck is a technology business operating for the purposes of providing contact tracing and exposure notification technology to government bodies and other organizations (each a “Partner”). PathCheck has and continues to develop software that is intended for use by Partners to facilitate contact tracing and exposure notification, including in connection with their analysis and response to the COVID-19 virus. Similarly, PathCheck continues to develop the PathCheck GPS, which helps individuals more easily participate in contact tracing efforts by those that are using PathCheck’s software.
Contact tracing consists of monitoring individuals in close contact with someone who is infected with a virus and is at risk of potentially infecting others. The PathCheck GPS allows end users to store their personal information locally on the respective end user’s mobile device and, at the end user’s choice, share that information with PCI and specific PCI Partners. At your choice, you may share your personal information with a PathCheck Partner, i.e., the relevant government body or other organization, for that Partner’s purpose(s) including its response to the COVID-19 virus. Each Partner with whom you choose to share your personal information is an independent data controller of your personal information. That means, once you share your personal information with a Partner, the relevant Partner’s practices govern the collection and processing of your personal information and each relevant Partner with whom you choose to share your personal information has a responsibility to comply with applicable data protection laws regarding its collection and processing of your personal information. Therefore, if you have questions or concerns about the processing of your personal information by a relevant Partner, you should contact that Partner directly or refer to its separate privacy policies. This Privacy Policy is not a substitute for any privacy notice that the relevant Partner is required to provide to end users.
How the PathCheck GPS Works
The PathCheck GPS enables a Partner to manage COVID-19 related information that the PathCheck GPS users provide. The PathCheck GPS provides Partners with the following capabilities to help respond to a disease occurrence including epidemics and pandemics:
Information Intelligence
The PathCheck GPS enables Partners to collect personal information in a digital format to enable them to analyze and understand developments in the spread of the COVID-19 virus and other diseases.
The PathCheck GPS enables, through in-band communications (meaning through the PathCheck GPS), the transfer of reliable personal information (including location data) between its users and relevant Partners. The PathCheck GPS’s location data functionality may allow the relevant Partner to transmit automatic exposure notification to the user.
Communications
The PathCheck GPS enables Partners to provide citizens with public health data.
The PathCheck GPS enables end users to share personal information with Partners to help them respond to disease outbreaks.
User Responsibilities
PathCheck GPS is designed to facilitate contact tracing. As such, it is imperative that you: (i) comply with our terms of use; (ii) provide accurate information (including location data) when using PathCheck GPS; and (iii) make informed decisions about how you use PathCheck GPS including your decision to share any personal information with a Partner.
Personal Information We Collect
Information you provide to us. Personal information you provide to us through the Service or otherwise may include:
Contact information, such as first and last name, phone number, addresses, and work location.
Feedback or correspondence, such as information end users provide when they contact the Government Body.
Location information, such as historical precise geolocation and proximity data information. If you provide permission, we may use your device’s GPS and/or Bluetooth signals to determine your location. You choose whether to share your location, and can always revoke our access to your location data in your device settings, but some of our services may not function if we can’t access location data.
Third-Party information, such as Google location data.
Partner information, such as the designated Partner with whom an end user may elect to share personal information.
Health-related information, such as self-reported symptoms related to a virus, including COVID-19.
Other information that PathCheck does not specifically list here but that may be processed through the PathCheck GPS.
How We Use Your Personal Information
We may use your personal information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:
To operate the Service. We may use your personal information to:
provide, operate and improve the Service such as informing you if you may have had approximate contact with another individual who has tested positive for the COVID-19 virus;
communicate with you about the Service, including by sending you announcements, updates, security alerts, and support and administrative messages;
provide support and maintenance for the Service; and
respond to your requests, questions and feedback.
To comply with law. We may use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
For compliance, fraud prevention, and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Service; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity
To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties, our Partners or others for our lawful business purposes.
With your consent. In some cases we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.
How We Share Your Personal Information
We do not share your personal information with third parties without your consent, except in the following circumstances or as described in this Privacy Policy:
Service providers. We may share your personal information with third-party service providers that provide services on our behalf or help us operate the Service (such as to provide and develop the PathCheck GPS or Safe Places software).
Partners. At your direction, we share your personal information with Partners or enable partners to collect information directly via our Service. Please review the relevant Partner’s privacy policy for an explanation as to how it may use your personal information.
Other PathCheck GPS Users. We will alert users who were within nearby proximity of an affected user during the preceding 14 days. While this information does not directly identify you, there are circumstances when a user could identify you based on the location and time of contact. For example, this may occur if a user knows you personally and recalls that he or she met you at a specific location on a certain date.
Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, auditors, and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above. We will not proactively share your personal information with the government without your consent.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, in connection with a business transaction (or potential business transaction) such as a merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Your Choices
In this section, we describe the rights and choices available to all users. Users who are located within the European Union can find additional information about their rights below. Your use of the PathCheck GPS is voluntary. At any time, you may request that we delete your personal information that may be in our possession by emailing your request to privacy@pathcheck.org.
Privacy settings and location data. We make available certain privacy settings on the Service, including options to control your sharing of personal information with a Partner. Users of our mobile application also have the choice whether to allow us to access your precise location data. Your device settings may provide the ability for you to revoke our ability to access location data. The PathCheck GPS will not function as a means for contact tracing and information sharing if you do not share your location history.
Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
Choosing not to share your personal information. Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Service to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our services. We will tell you what information you must provide to receive the Service by designating it as required at the time of collection or through other appropriate means.
Other Sites, Mobile Applications and Services
The Service may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.
Security Practices
The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.
Please note that we are not a healthcare provider or other “covered entity” that is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are not bound by its requirements for handling protected health information.
International Data Transfers
We are headquartered in the United States and may have service providers in other countries. Your personal information may be transferred to the United States or other locations outside of your state, province, or country where privacy laws may not be as protective as those in your state, province, or country.
European Union users should read the important information provided below about transfer of personal information outside of the European Union.
Children
As a general rule, children under the age of 16 years old are not allowed to use the Service, and we do not collect personal information from them. If we learn that we have collected personal information of a child without the consent of the child’s parent or guardian, we will delete it. We encourage parents with concerns to contact us.
Changes to this Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. We may, and if required by law will, also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through the Service.
Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on the Service (or as otherwise indicated at the time of posting). In all cases, your continued use of the Service after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.
How to Contact Us
Please direct any questions or comments about this Policy or privacy practices to privacy@pathcheck.org. You may also write to us via postal mail at:
PathCheck Foundation
Attn.: Privacy/Legal
955 Massachusetts Ave., Suite 23
Cambridge, MA 02139
support@pathcheck.org
Notice to European Users
The information provided in this “Notice to European Users” section applies only to individuals in Europe and the United Kingdom.
Personal information. References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation.
Controller. PathCheck is the controller of your personal information covered by this Privacy Policy for purposes of European data protection legislation. Once you choose to share your personal information with a Partner, that Partner is an independent controller of your personal information.
Legal bases for processing. We use your personal information only as permitted by law. Our legal bases for processing the personal information described in this Privacy Policy are described below.
Processing Purpose and Legal Basis
Details regarding each processing purpose listed below are provided in the section above titled “How we use your personal information”.
To operate the Service
Legal Basis: Processing is necessary to perform the contract governing our provision of the Service. If we have not entered into a contract with you, we process your personal information based on our legitimate interest in providing the Service you access and request.
For compliance, fraud prevention and safety; To create anonymous, aggregated or de-identified data
Legal Basis: These activities constitute our legitimate interests. We do not use your personal information for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To comply with law
Legal Basis: Processing is necessary to comply with our legal obligations.
With your consent
Legal Basis Processing is based on your consent. Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent, or in the Service.
Use for new purposes. We may use your personal information for reasons not described in this Privacy Policy when permitted by law and where the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.
Sensitive personal information. We ask that you not provide us with specific sensitive personal information (for example, information related to racial or ethnic origin, political opinions, religion or other beliefs, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Service, or otherwise to us.
If you provide us with any sensitive personal information (for example, health information) to us when you use the Service, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our Service.
Retention
Personal information is retained in the PathCheck GPS for rolling fourteen (14) day periods. We may retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
Your rights
European data protection laws give you certain rights regarding your personal information. If you are located within the European Union, you may ask us to take the following actions in relation to your personal information that we hold:
Access. Provide you with information about our processing of your personal information and give you access to your personal information.
Correct. Update or correct inaccuracies in your personal information.
Delete. Delete your personal information.
Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
Restrict. Restrict the processing of your personal information.
Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
You may submit these requests by email to privacy@pathcheck.org or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. For example, if we do not have personal information in our possession responsive to your request, we may not be able to fulfill your request. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.
Cross-Border Data Transfer
Personal information processed through the PathCheck GPS is stored locally on your device. If you choose to share your personal information with a Partner, there is a direct transfer between you and the Partner. No personal information is transferred to PathCheck when information is transferred to a Partner. However, if we transfer your personal information out of Europe to a country not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be performed:
Pursuant to the recipient’s compliance with standard contractual clauses, EU-US Privacy Shield (or Swiss-US Privacy Shield, as applicable), or Binding Corporate Rules;
Pursuant to the consent of the individual to whom the personal information pertains; or
As otherwise permitted by applicable European requirements.
You may contact us if you want further information on the specific mechanism used by us if we transfer your personal information out of Europe.