VAST.Rehab, Privacy policy

Last Revised: June 20, 2020

We're committed to protecting the privacy of all individuals that provide Personal Information to us, including the data recorded by customers in VAST.Rehab applications that relates to their clients or patients. This Privacy Policy explains how we collect, protect, use and share personal information.

We may review and change this document from time to time. When we do, we'll update this version located at the url provided below and notify our customers within VAST.Rehab applications, and in other suitable places.

Let's go through a few definitions before we get started:

• 'Brontes Processing', 'we', 'Company' or 'Brontes Processing sp. z o.o.', is us — the company behind VAST.Rehab. We are located in Poland, 44-100 Gliwice, Przewozowa 32
• 'VAST.Rehab' are the VAST.Rehab applications, website, services and servers related to it that don't have a separate privacy policy
• 'Agreement’, 'Terms of Use’ or 'TOU’ refers to the VAST.Rehab Terms of Use provided below
• 'Privacy Policy' refers to the VAST.Rehab Privacy Policy at the url provided below
• 'Customer', 'User' or 'you' is a user of VAST.Rehab who has agreed to our Terms of Use
• 'Personal Information' means information that can identify an individual

Terms of Use: https://vast.rehab/terms-of-use

Privacy Policy: https://vast.rehab/privacy-policy

Your consent (important, please read carefully!)

BY ENTERING, CONNECTING TO, ACCESSING OR USING VAST.REHAB AND/OR BY CLICKING THE “I AGREE” BUTTON WHEN SETTING YOUR ACCOUNT OR USING IT FOR THE FIRST TIME, YOU AGREE TO THE TERMS AND CONDITIONS SET FORTH IN THIS PRIVACY POLICY, INCLUDING TO THE POSSIBLE COLLECTION AND PROCESSING OF YOUR PERSONAL INFORMATION AS SPECIFIED HEREIN.

PLEASE NOTE: IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT ENTER TO, CONNECT TO, ACCESS OR USE VAST.REHAB IN ANY MANNER, DO NOT INSTALL ANY OF THE VAST.REHAB APPLICATIONS AND/OR PROMPTLY UNINSTALL ALL VAST.REHAB APPLICATIONS FROM YOUR DEVICES

Which information we may collect on our Users?

We may collect two types of data and information from our Users:

• The first type of information is non-identifiable and anonymous information (“Non-personal Information”). We are not aware of the identity of the User from whom we have collected the Non-personal Information. Non-Personal Information is any unconcealed information which does not enable identification of an individual User, and which is available to us when such User installs and/or uses VAST.Rehab. Non-personal Information which is being gathered consists of technical information, behavioral information and aggregated information, and may contain, among other things, the activity of the User on VAST.Rehab, type of operating system, device type, User's 'click-stream' on VAST.Rehab, keyboard language, screen resolution, time spent on various screens of VAST.Rehab, etc. We also use third-party service providers such as Google Analytics to obtain detailed analytics on the User's behavior on VAST.Rehab.
• The second type of information is individually identifiable information (“Personal Information”). This information may identify an individual or may be of a private and/or sensitive nature.
• We gather the Users' IP address (or Mac Address, as applicable) mainly to detect anomalies for enhancing the User's experience and security purposes (i.e., in order to safeguard VAST.Rehab).
• In addition, Personal Information which is being gathered consists of any personal details provided consciously and voluntarily by the User:
• Personal Information is collected from the details the Users provide when opening an Account via the registration form available on VAST.Rehab, which include, inter alia, the User's name, email address, password, phone number, gender, date of birth and address. Additional information may be requested in the future.
• Personal Information is included in the reports and collected when you use VAST.Rehab (i.e., when you move in front of the Kinect sensor, we are aware of your movements).
• You may sign-up to VAST.Rehab by providing an email and receiving a verification code or link you will be required to use in order to start using your account.
• Personal Information is collected from the data the Users of VAST.Rehab provide in the contact form which includes, inter alia, full name, e-mail address and phone number. You may optionally provide via the contact form any text you wish to insert into the “message box”. Our representative may collect additional Personal Information from you.
• Users will have the option to use certain Online Payment Processors which will require you to fill out a billing form wherein you will be required to provide to such Online Payment Processors certain Personal Information (such as, a credit card number and other related billing information). We will not store such information on our servers. We only keep token information such Online Payment Processors provide us with (and where applicable, the last four digits of your credit card number), and such information is strictly secured.
• Personal Information may be collected from the details the User may provide us while contacting us via email.

For avoidance of doubt, any Non-Personal Information connected or linked to or associated with any Personal Information shall be deemed as Personal Information as long as such connection, linkage or association exists.

How Do We Collect Information on our Users?

There are two main methods that we use:

• We collect information through your entry, connection, access and/or use of VAST.Rehab. In other words, when you are using VAST.Rehab, we are aware of it and may gather, collect and store the information relating to such usage (such as the Non-personal Information detailed above and your IP address), either independently or through the help of our authorized third-party service providers as detailed below.
• We collect information which you provide us voluntarily. For example, we collect Personal Information when you register and open an Account or when you contact us.
• Personal Information we collect indirectly. We indirectly collect Personal Information when someone uses VAST.Rehab to record data about someone other than themselves. A typical scenario would be when a healthcare professional records information about a patient. This information can include names, genders, dates of birth, countries of birth, residential addresses, telephone numbers, email addresses, a person's emergency contacts, health insurance numbers, and patient treatment notes and records. Please note that we do not use such data unless the User allows us to do so.

What are the Purposes of the Collection of Information?

Non-personal Information is collected in order to:

• Use it for statistical, analytical and research purposes and for customization, developing and improvement of VAST.Rehab.
• Enhance the User's experience while using VAST.Rehab.

Personal Information is collected in order to:

• Operate VAST.Rehab (including account creation, sending messages from User to User, sending receipts to Users, process orders, etc.).
• When you use VAST.Rehab as administrator your facility name, address, email and business phone will be visible for all VAST.Rehab distributors to help them identify your account for their own purposes (e.g. process your order for a new medical device they offer)
• When you use VAST.Rehab as distributor your facility name, address, email and business phone will be visible for all VAST.Rehab suppliers to help them identify your account for their own purposes (e.g. process your order for a new medical device they produce)
• To verify the User's identity when he/she signs in to VAST.Rehab.
• Personalize and enhance the Users experience while using VAST.Rehab.
• Respond to your inquiry.
• Provide the Users (if they agree to receive such information) with commercial materials, updates about Brontes Processing's developments, new offerings, news regarding VAST.Rehab and other services/products that may be of an interest to them, etc.
• Enable payment through third party Online Payment Processors. Please note that we do not collect and store credit card or other financial information.
• Be able to contact Users to provide them with technical assistance.
• Enable the User to use social features.
• Keep VAST.Rehab safe and secured and for prevention of fraud and crime.

Data controlled by our Customers

Our Customers may submit information to VAST.Rehab for hosting and processing purposes (“Customer Data”). Brontes Processing will not review, share, distribute, or reference any such Customer Data except as provided in our Terms of Use, or as may be required by law. In accordance with our Terms of Use, Brontes Processing may access Customer Data only for the purpose of providing VAST.Rehab, or preventing or addressing service or technical problems, or as may be required by law.

Brontes Processing acknowledges that you have the right to access your personal information. If personal information pertaining to you as an individual has been submitted to us by a Brontes Processing's Customer and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please inquire directly with our Customer. We have limited access to data our Customers submit to VAST.Rehab. If you wish to make your request directly to Brontes Processing, please provide details of the Brontes Processing's Customer who submitted your data to VAST.Rehab. We will refer your request to that Customer and will support them as needed in responding to your request.

Sharing Information with Third Parties

Brontes Processing will not share any Personal Information it collects with another third parties, other than in the extreme circumstances as follows:

• to satisfy any applicable law, regulation, legal process, subpoena or governmental request;
• to enforce this Privacy Policy and/or the TOU, including investigation of potential violations thereof;
• to detect, prevent, or otherwise address fraud, security or technical issues;
• if VAST.Rehab was purchased by another party for you to use, the party paying for such service (e.g. parent, child, educator, health professional, or researcher) has the right to control access to and get reports on your use of VAST.Rehab. However, they do not have rights to your personal account. If you don't agree to share your data as described above – please don't use VAST.Rehab with the account provided by the party.
• to respond to claims that contact information (e.g. name, e-mail address, etc.) of a third-party has been posted or transmitted without their consent or as a form of harassment;
• to protect the rights, property, or personal safety of Brontes Processing, its Users or the general public;
• by virtue of undergoing any change in control, including by means of merger, acquisition or purchase of all or substantially all of the assets of Brontes Processing, so long as such acquirer maintains the same privacy terms hereunder; or
• pursuant to your explicit approval prior to the disclosure. Note, that we collect, hold and/or manage your Personal Information through Brontes Processing's authorized third parties' vendors of certain products or services (such as hosting cloud services) (including, as applicable, their affiliates) solely and limited to providing us with such requested services, and not for any other purposes. Such vendors may be located in a country that does not have the same data protection laws as your jurisdiction.

For avoidance of doubt, Brontes Processing may transfer and disclose Non-Personal Information (including anonymized information) to third parties at its discretion including without limitation for statistical, analytical and research purposes and for customization, developing and improvement of VAST.Rehab.

Payment

We accept certain online payment methods, using our Online Payment Processors, which enable Users to send and receive payments securely online using a credit card or bank account. We may add or change the Online Payment Processors at our sole discretion. Brontes Processing is not affiliated with such Online Payment Processors, as each is an independent contractor, and neither is the agent or employee of the other, and neither is responsible in any way for the actions or performance (or lack thereof) of the other. The use of the Online Payment Processors is at the User's discretion and sole liability and risk. It is the User's responsibility to abide by all the terms specified by the Online Payment Processors in their terms of use and privacy policies, including but not limited to any age restrictions specified therein. You acknowledge that you are fully assuming the risks of conducting any transactions via the Online Payment Processors.

Third Party Service Providers

While using VAST.Rehab we may be using third party service providers, who may collect, store and/or process the information detailed herein. Brontes Processing uses commercially reasonable efforts to engage with third parties that post a privacy policy governing their collection, processing and use of non-personal and personal information. Such software may include without limitation:

• Microsoft Azure Cloud servers whose privacy policy can be found at the provided URL http://azure.microsoft.com/en-us/support/legal/privacy-statement
• Google Analytics which privacy policy can be found at the provided URL http://www.google.com/intl/en/policies/privacy
• Mixpanel which privacy policy can be found at the provided URL https://mixpanel.com/legal/privacy-policy
• HubSpot CRM whose privacy policy can be found at the provided URL https://legal.hubspot.com/privacy-policy

Please read such third-party service providers' terms of use and privacy policies to understand their privacy practices.

Children

Persons under the age of 16 (“Children”), or any higher minimum age in the jurisdiction where that person resides, are not permitted to access or use VAST.Rehab unless their parent or legal guardian has consented in accordance with applicable law. If you are creating an account for your patient who is a Child you are responsible to collect written consent from his or her parent or legal guardian.

European Privacy Disclosures

If you live or operate in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, or if you are bound to the General Data Protection Regulation (GDPR) requirement for any other reason - please review these additional privacy disclosures under the European Union's General Data Protection Regulation (GDPR). You will know who is your GDPR Data Controller (“Controller”) and GDPR Data Processor (“Processor”).

According to art. 13 section 1 and 2 of the General Data Protection Regulation dated on 27 April 2016, we inform you that:

• If you use VAST.Rehab as patient:
• If you manually create an account for yourself your Controller is Brontes Processing. In other cases, your Controller is a facility that employs the User who created a VAST.Rehab account for you and Brontes Processing becomes the Processor of your personal data.
• Each facility that you consciously authorize to have access to your VAST.Rehab data will be your additional Controller.
• If you use VAST.Rehab as therapist your Controller is a facility that employs you and/or created a VAST.Rehab account for you.
• If you use VAST.Rehab as administrator, distributor or supplier your Controller is Brontes Processing
• Your personal data is processed for the purpose described in this Privacy Policy document. The processing takes place on the basis of Article 6 (1b) and (1c) and article 9 (1h) of the GDPR.
• The recipient of your personal data will be the entities authorized by the controller of the personal data, entities authorized by law and external entities when a contract is signed.
• Your personal data will be kept for a period consistent with applicable law.
• You have the right to access your personal data and the right to rectify, delete, limit processing, the right to data transfer, the right to object, the right to withdraw consent at any time without affecting the legality of processing, which was made on the basis of consent before its withdrawal.
• You have the right to lodge a complaint with the supervisory body when you feel that the processing of personal data concerning you violates the provisions of the General Data Protection Regulation of 27 April 2016.
• Providing personal data is a prerequisite for the purpose of processing. If you do not provide your personal information, it will not be possible to process it.
• Your data will be processed in an automated manner (including in the form of profiling), however, it will not cause any legal effects to you or similarly significantly affect your situation. Profiling personal data consists in the processing of your data (also in an automated manner) by using them to evaluate certain information, in particular to analyze or forecast personal preferences and interests, and to tailor therapy for patients' needs. You have the right to object to profiling.

Cookies and Local Storage

When you access or use VAST.Rehab, we and/or our third party service providers may use industry-wide technologies such as cookies, web beacons, pixels, clear gifs and other similar tools (or other similar technologies), which store certain local information on your device (“Local Storage“) which may enable us, inter alia, to recognize your device from those of other Users of VAST.Rehab, to improve the performance of VAST.Rehab, to deliver a better and more personalized service according to the User's individual interests and the device or browser used, to track Users' use of VAST.Rehab, to gather information about the Users' approximate geographic location (e.g. city), to prevent fraud and/or abuse, and to estimate our audience size and usage pattern and perform other analytics.

Such information is locally stored in the User's device. Brontes Processing and/or our authorized third-party service providers may access such information. Brontes Processing and/or our authorized third-party service providers may use both session cookies (which expire once you close the web-browser) and persistent cookies (which stay on the User's device until he/she deletes them). Such Local Storage used by VAST.Rehab may store non-personal information (such as the different pages viewed by a User within VAST.Rehab) as well as User persistent identifier, which will be collected in accordance with the terms specified herein.

Most devices and browsers will allow you to erase cookies from your device's hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. However, if you block or erase cookies, your experience of the VAST.Rehab website may be limited. Please note that unless you block the acceptance of cookies, the VAST.Rehab website will utilize cookies upon your use of VAST.Rehab. If you want to remove previously stored cookies, you can manually delete the cookies at any time. However, this will not prevent the Site from placing further cookies on your device unless and until you adjust your settings as described above. For detailed instructions regarding the blocking of cookies, please refer to your browser 'help', 'tool' or 'edit' section or see the URL-COOKIES provided below.

URL-COOKIES: http://www.allaboutcookies.org/manage-cookies

Below are links to instructions regarding the blocking of Cookies on commonly used web-browsers:

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Internet Explorer and Microsoft Edge: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Safari: https://www.apple.com/legal/privacy/en-ww/cookies/

Please note that Brontes Processing uses Mixpanel as a service provider in order to track Users' activities on VAST.Rehab, including by use Mixpanels' persistent cookies. You may opt-out of Mixpanel's tracking by following the instructions on the URL provided below.

URL: https://mixpanel.com/optout/

Google provides a browser-add on which allows users to opt-out of Google Analytics across all websites, which can be found at the URL provide below.

URL: https://tools.google.com/dlpage/gaoptout

Access, correct or delete Personal Information about you

You can request access to the Personal Information you have provided to us, via email to the e-mail provided below.

E-mail: privacy@vast.rehab

This enables you to receive a copy of the data and to check that we are lawfully processing it.

If you think there's a problem with the Personal Information we hold about you, you will either have the tools available to make these changes, or you can request a correction. This enables you to have any incomplete or inaccurate data we hold about you corrected (though we may need to verify the accuracy of the new data you provide to us).

If you want to request erasure of your Personal Information, we'll take all reasonable steps to do so unless we are required to keep it for legal reasons, which will be notified to you, if applicable, at the time of your request. It is likely that revoking your consent will limit the functionality of your VAST.Rehab account.

Should you require to move your data to another service, you may request the transfer of your data (including Personal Information) to you or to a third party. We will provide to you, or a third party that you have chosen, your data in a structured, commonly used, machine-readable format.

You may withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. This will be notified to you at the time of your request if applicable.

Security

We take security seriously. Data is encrypted, stored in state-of-the-art facilities, access is restricted to those who have a need to know, and we regularly review our technology to maintain security.

In the event that there is a breach and your Personal Information that we have collected directly is at risk, you will be notified (if you have provided us with valid email address) within 72 hours of discovering the breach. You will be informed of what information is at risk, steps that we have taken to ensure your safety, and what action we are taking or have taken to rectify the breach. To the extent permissible at law, in the event that there is a breach and indirectly collected information is at risk, we will follow the same protocol, however the affected Customers (rather than the individuals) will be notified instead.

The User Information is hosted on the Microsoft Azure Cloud servers which provide advanced strict security standards (both physical and logical). In addition, we employ highly secure services design and implementation using state of the art encryption and architectures mechanisms. Please note, however, that there are inherent risks in transmission of information over the Internet or other methods of electronic storage and we cannot guarantee that unauthorized access or use will never occur. BRONTES PROCESSING SHALL NOT BE RESPONSIBLE OR LIABLE FOR UNAUTHORIZED ACCESS, HACKING, OR OTHER SECURITY INTRUSIONS OR FAILURE TO STORE OR THE THEFT, DELETION, CORRUPTION, DESTRUCTION, DAMAGE, OR LOSS OF ANY DATA.

Changes to the Privacy Policy

The terms of this Privacy Policy will govern the use VAST.Rehab and any information collected therein. Brontes Processing reserves the right to change this policy at any time, so please re-visit this page frequently to check for any changes. In case of any material change, we will make reasonable efforts to post a clear notice on the VAST.Rehab website or we will send you an e-mail regarding such changes to the e-mail address that you may have provided us with. Such material changes will take effect seven (7) days after such notice was provided on VAST.Rehab website or sent to you via e-mail, whichever is the earlier. Otherwise, all other changes to this Privacy Policy are effective as of the stated “Last Revised” and your continued use of VAST.Rehab on or after the Last Revised date will constitute acceptance of, and agreement to be bound by, those changes. In the event that the Terms should be amended to comply with any legal requirements, the amendments may take effect immediately, or as required by the law and without any prior notice.

Got any Questions?

If you have any questions (or comments) concerning this Privacy Policy, you are most welcome to send us an email to the e-mail provided below.

E-mail: privacy@vast.rehab

We will make an effort to reply within a reasonable timeframe.