nod-logo

Grit Privacy Policy

Grit Privacy Policy

Last Updated:  12/28/2021

 

Grit Digital Health (“Grit”) (on behalf of itself and its affiliates, collectively “We” or “Us”) understands that visitors to our websites, including, but not limited to, gritdigitalhealth.com (collectively, our “Websites”), users of our products, including You at College, Man Therapy, Nod, YOU Staff & Faculty, YOU at Work, Operation Veteran Strong and other products we make available from time to time (collectively, our “Products”), and the users of the services offered by Grit through our Products and Websites (collectively, our “Services”) may have questions about whether and how we collect and use information, and we are committed to protecting your privacy. In support of this, we only use the personally identifiable information (“Personal Information”) that we collect about you in accordance with the privacy practices explained in this policy (“Privacy Policy”).

 

This Privacy Policy applies to our collection and use of Personal Information through our Websites, Products and Services (collectively, the “Platform”).  

 

This Privacy Policy covers any Personal Information we obtain when you visit or contact us, use our Platform, or access the features on the Platform. You can access the Platform in many ways, including from a computer or mobile phone, and this Privacy Policy will apply regardless of the means of access. By accessing the Platform, you are also consenting to our Terms of Use, and represent to us that you meet the necessary requirements to access the Platform, including, without limitation, that you are over 18 years of age or are at least 13 years old and you your parent or legal guardian has granted you permission to access the Platform. By accessing or otherwise using the Platform, you are agreeing to the Privacy Policy and the Terms of Use.  If you do not agree to the Privacy Policy or the Terms of Use, you are not authorized to use the Platform in any way.

 

This Privacy Policy does not apply to other websites which are linked to the Platform. We are not responsible for any actions or policies of such third parties. You should check the applicable privacy policies of those third parties when providing Personal Information to them.

 

  1. Information We Collect

 

Information We Collect From You

 

Our primary goals in collecting information are to provide and improve our Platform, to provide you with our Products and Services, to communicate with you, and to enable users of our Platform to enjoy and easily navigate our Platform. When you wish to contact us, create an account for a Product, edit account details, or use some of our Services, we may ask you for certain Personal Information. When we refer to “Personal Information” in this Privacy Policy, we mean information that identifies, describes, relates to, references or is capable of being associated with, or could reasonably be linked, directly or indirectly, to you. We may also collect other information generated when you use our Platform that is not linked or otherwise associated with you, and such information is not subject to the terms of this Privacy Policy. Depending on how your use our Platform, we may directly collect the following types of Personal Information from you: your name, email address, school ID, employer, IP address, telephone number, online identifiers you use, such as your username, social media handles, password, and other similar types of identifiers, and any other Personal Information you elect to provide, including, but not limited to, demographic information about you, your responses to questions and assessments available through our Products, and your photograph.

 

Some of our Products may collect information that is protected under the Family Educational Rights and Privacy Act (“FERPA”). In accordance with FERPA authorization, except for your school-issued login credentials you use to login to these Products through the single sign-on feature described below, we may collect your self-reported Personal Information that is subject to FERPA (“FERPA Personal Information”) through your use of these Products. Our collection of this FERPA Personal Information is authorized via partnership with your school and your FERPA Personal Information will only be used by us as authorized by your school. A school may be defined as a participating higher education entity that has authorized the use of these Products for its student body. 

 

Information We Automatically Collect

 

When you use portions of our Platform, including, but not limited to, our Products and Websites, some information is automatically collected. For example, when you visit our Websites, your computer’s operating system, Internet Protocol (IP) address, access times, browser type and language, and the websites you visited before visiting our Websites are logged automatically (“Usage Information”). We also collect information about your usage and activity on our Platform.

 

We may automatically collect information using “cookies.” Cookies are small data files stored on your hard drive by a website or mobile application. Among other things, cookies help us improve our Platform and your experience. We use cookies to see which areas and features are popular and to understand usage of our Platform. We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which are used only by us to recognize your computer or mobile device when it revisits our Platform; and (2) third party cookies, which are served by service providers on our Platform, and can be used by such service providers to recognize your computer or mobile device when it visits other sites. Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit https://www.allaboutcookies.org/ and, if you are in the UK or European Union (EU), https://www.youronlinechoices.com/uk/ if you are in the UK or European Union (EU). 

 

We may collect information using web beacons, clear gifs, pixel tags or other similar technologies . These technologies are electronic images that may be used on our Platform or in emails we send. We use these technologies to deliver cookies, count visits, understand usage and observe data on email delivery, open rates, link click rates, bounces, unsubscribes and other information.

 

We may also use third-party solutions with cookie tracking such as those outlined below:

 

  • Google Analytics, a web analytics service provided by Google, Inc. (“Google”), which we use to assist us in understanding how our Platform is used. Google Analytics will place cookies on your computer or mobile device that will generate information that we select about your use of the Platform, including your computer’s or mobile device’s IP address. That information will be transmitted to and stored by Google. The information will be used for the purpose of evaluating use of the Platform, compiling reports on Platform activity for our use, and providing other services relating to Platform activity and usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. You may refuse the use of cookies by selecting the appropriate settings on your browser. Please note that by doing so, you may not be able to use the full functionality of our Platform. The use of cookies by Google Analytics is covered by Google’s Privacy Policy, available at: https://policies.google.com/privacy.  Google allows you to opt out of Google Analytics.  You may opt-out by visiting https://tools.google.com/dlpage/gaoptout?hl+en=GB.
  • Google Tag Manager (“GTM”) is a tag management system that allows JavaScript and HTML tags to be quickly deployed and updated on portions of our Platform for tracking and analytics. We use GTM on our Websites to include Google Analytics.  If you have opted out of Google Analytics, GTM takes this opt out into account.  For more information about GTM’s privacy practices, please refer to https://policies.google.com/privacy/ and the terms of use at https://www.google.com/analytics/tag-manager/use-policy.
  • Facebook Pixel, a cookie placed by Facebook, enables us to measure the effectiveness of advertising campaigns served on Facebook.  The information collected by that cookie will be transmitted to and stored by Facebook.  For more information about Facebook’s privacy practices, please refer to https://www.facebook.com/about/privacy/.  To opt-out, please see https://www.facebook.com/ads/preferences.
  • LinkedIn Insight Tag, a cookie placed by LinkedIn, enables us to measure the effectiveness of advertising campaigns served on LinkedIn.  The information collected by that cookie will be transmitted to and stored by LinkedIn.  For more information about LinkedIn’s privacy practices, please refer to https://www.linkedin.com/legal/privacy-policy.  To opt-out you can update your advertising preference through your LinkedIn account.  If you do not have a LinkedIn account, LinkedIn allows you to opt-out of targeted advertising by visiting https://www.linkedin.com/psettings/guest-controls.

 

Information Collected from Other Third Parties

 

We may receive your Personal Information from third parties, including your school or employer (depending on which Products you use), our business partners and third parties we collaborate with on the development and operation of our Products and Services, social media sites, ad networks and analytics providers. We may also receive your Personal Information from others that refer you to our Platform.

 

Single Sign-On

 

Some of our Products may also provide the ability to register and sign in through other services you already utilize. Please see the following sections for information on which services are available, what data we receive, and how that data is used.

 

  • School Single Sign-On: Some of our Products may offer the ability for you to register and sign-in through a school-issued credential or by using a username or password. In these instances, you will either follow the single sign-on steps to login through your school issued credentials, or you will be asked to set up a username and password, depending on the approach your school elected to adopt.  In either case, we ensure the same data security and privacy standards for the data you provide.
  • Apple Single Sign-On: Some of our Products may offer the ability for you to register and sign in using your Apple ID. As with single sign-on for school-based logins, this option only gathers the minimum data necessary to create a user within the applicable Product(s). These Products will store and utilize the following attributes: first name, last name, email address, IP address, device model, device operating system and web browser in order to create your user record. These Products may also store and utilize the following attributes: time zone, disk space, carrier, screen size, processor cores, total disk space and remaining disk space. Your Apple data will not be sold, redisclosed, or edited through this process. We only collect the above noted data, regardless of other data you may have allowed for public consumption. Access to this registration and sign-in option may be limited by which Product(s) you access or having a compatible device/operating system that meets Apple requirements. By using the Apple single sign-on service, Apple will know that you are signing into our Products and that you are a user of our Products.
  • Google Single Sign-On: Some of our Products may offer the ability for you to register and sign in using your Google Account. As with single sign-on for school-based logins, this option only gathers the minimum data necessary to create a user within the applicable Product(s). These Products will store and utilize the following attributes: first name, last name, email address, IP address, device model, device operating system and web browser in order to create your user record. These Products may also store and utilize the following attributes: time zone, disk space, carrier, screen size, processor cores, total disk space and remaining disk space. Your Google data will not be sold, redisclosed, or edited through this process. We only collect the above noted data, regardless of other data you may have allowed for public consumption. Access to this registration and sign-in option may be limited by which Product(s) you access or having a compatible device/operating system that meets Google requirements. By using the Google single sign-on service, Google will know that you are signing into our Products and that you are a user of our Products.
  • Facebook Single Sign-On: Some of our Products may offer the ability for you to register and sign in using your Facebook Account. As with single sign-on for school-based logins, this option only gathers the minimum data necessary to create a user within the applicable Product(s). These Products will store and utilize the following attributes: first name, last name, email address, IP address, device model, device operating system and web browser in order to create your user record. These Products may also store and utilize the following attributes: time zone, disk space, carrier, screen size, processor cores, total disk space and remaining disk space. Your Facebook data will not be sold, redisclosed, or edited through this process. We only collect the above noted data, regardless of other data you may have allowed for public consumption. Access to this registration and sign-in option may be limited by which Product(s) you access or having a compatible device/operating system that meets Facebook requirements. By using the Apple single sign-on service, Facebook will know that you are signing into our Products and that you are a user of our Products.

 

Information Collected in Connection with Research and Evaluation Studies

 

From time-to-time, you may be invited to participate in a research and evaluation study that includes the use of Personal Information we have collected from or about you and may involve the collection of additional Personal Information from or about you in connection with such research and evaluation study.  Prior to releasing or otherwise using your Personal Information in connection with any such research and evaluation study, we will ensure that you: (1) have received and accepted an invitation to participate in such research and evaluation study; and (2) have agreed to any additional terms and conditions applicable to such research and evaluation study.  Without limiting the foregoing, where any research study includes the use of any FERPA Personal Information, we will only release FERPA Personal Information for approved research, authorized by your school, to your school or partners your school authorizes.

 

Please note, as otherwise described in this Policy, the foregoing only applies to research and evaluation studies that utilize your Personal Information and does not apply to any research and evaluation study conducted utilizing aggregated, de-identified or otherwise anonymized information.

 

Non-Personal Information

 

We may collect other information about users whenever they interact with our Platform that are anonymized or otherwise are not associated with a specific individual. Depending on how you use our Products, this may include the device type, login session durations, task or activity completion, activity rating, and anonymized responses to product assessments of mood/loneliness/motivation. Where these data points, which may include, but are not necessarily limited, to Usage Information, are not stored or connected to your Personal Information, they are viewed as aggregate and de-identified data and are not subject to this Privacy Policy unless otherwise required by applicable law. 

 

  1. How We Use Collected Information

 

We use the Personal Information we collect for the purposes described in this Privacy Policy.  Specifically, we may use your Personal Information (with your consent where required) to:

 

  • facilitate access to our Platform;
  • understand your goals and preferences to enhance your experience;
  • track, collate and analyze your use of our Platform;
  • process and deliver your requests for Services;
  • to respond to your comments and questions and provide customer service;
  • send you administrative emails, tips and reminders, and notifications;
  • facilitate your participation in surveys and other information gathering activities;
  • communicate with you about news about other Products and Services offered by us and our selected partners; and
  • link or combine it with other Personal Information we receive from third parties to help understand your needs and provide you with better Products and Services.

 

We may also use any Usage Information we collect in a de-identified, aggregate form to help us understand usage and demographic patterns and improve the functionality of our Products. 

 

We may also use aggregated or otherwise de-identified information for our business purposes.

 

  1. Sharing Your Personal Information

 

We may share certain portions of Personal Information and other information to make the Platform function properly. This may include sharing portions of Personal Information with development, hosting, email and other service providers that provide services to us and need access to your Personal Information to provide you with the Platform.  Our service providers include, but are not necessarily limited to:

 

  • SendGrid, an email service provider that provides services that we use to send out automated emails from our Platform, such as registration and welcome messages, basic notification, and password resets. To learn more about how SendGrid protects your Personal Information, see their privacy policy, available at https://www.twilio.com/legal/privacy
  • MailChimp, an email service provider that provides services to us that we use to issue Product update announcements such as new content, new features, and key information about what is happening with the Product. To learn more about how MailChimp protects your Personal Information, see their privacy policy, available at https://mailchimp.com/legal/privacy/.
  • Salesforce, a customer relationship management service that provides services to us that we use to manage our relationships with our customers. To learn more about how Salesforce protects your Personal Information, see their privacy information, available at https://www.salesforce.com/company/privacy/.

 

We may share Personal Information through some of our Products with your educational institution. However, we also may share aggregated demographic and statistical information that is not personally identifiable: (1) with other educational institutions for informational purposes; and (2) for research purposes. We or educational institutions may view and use your Personal Information with your consent for research purposes as described in this Policy. 

 

You agree that we may use Usage Information and any other aggregated, de-identified or otherwise anonymized information we collect from or about you for research, business and other development purposes, including to improve the Platform and to develop future applications and products. 

 

We may be required to use or disclose your information in connection with a legal action or other proceeding, including without limitation, in response to a court order or a subpoena. We also may disclose such information in response to a law enforcement agency’s request. We may also disclose information if, in the reasonable judgment of Grit, it is necessary to enforce compliance with our Terms of Use or to protect our Platform, customers, or others from imminent physical harm or damage to property.

 

We may share your Personal Information  in connection with or during negotiation of any merger, financing, acquisition, or dissolution, transaction or proceedings involving the sale, transfer, or divestiture of all or a portion of our business or assets to another entity.

 

We may share your Personal Information with our affiliates and subsidiaries with the understanding that they will treat such information consistent with this Privacy Policy.

 

We may share your Personal Information with third parties where you have provided consent to such sharing.

 

Other than what is referenced above, the Personal Information and other information collected from you is not shared with nor sold to any person or entity outside of us.

 

  1. Third Party Websites

 

This Privacy Policy applies only to the Platform and our collection and use of Personal Information through the Platform, and not to the collection of your Personal Information by third parties. We may provide links to other websites which we believe may be of interest to our visitors. However, due to the nature of the internet, we cannot guarantee the privacy standards of websites to which we link or be responsible for the contents of sites other than this one, and this Privacy Policy is not intended to be applicable to any linked, websites, mobile applications or other online services.

 

Some users access our Platform via a webpage that is hosted by the user’s individual school, college or university (“School Product”). We do not control the content or links that appear on these School Products and are not responsible for the practices employed by School Products. In addition, School Products and services each have their own privacy policies and customer service policies. Browsing and interaction on any other School Product is subject to that School Product’s own terms and policies.

 

  1. Security

 

We take reasonable organizational, technical and administrative steps to help protect Personal Information against loss, misuse, unauthorized access or disclosure. Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure.

 

  1. Children’s Information

 

The Platform is intended for individuals 18 years of age and older and individuals 13 to 17 years old that have permission from their parent or legal guardian to access the Platform. If you do not meet one of these requirements, you may not access, attempt to access, or use our Platform.

 

Without limiting the foregoing, the Platform is not directed at, marketed to, nor intended for children under the age of 13 and we do not intentionally collect any information from or about children under the age of 13. If you believe a child under 13 years of age has provided us with information, contact us at support@gritdigitalhealth.com. If we learn that any information was provided through the Product by a person younger than 13 years of age, we will delete the information immediately.

 

  1. Email Opt Out

 

By using some portions of our Platform, you may be consenting to be included in both system generated emails and our mailing list for promotional content.

 

If your registration resulted in joining our promotional mailing list, we may send you updates, news, and information about our services. If at any time you wish to stop receiving emails or mailings from us please send us an email to admin@gritdigitalhealth.com with the phrase “Privacy Opt-out: Grit Mailings” in the subject line, or write to us at the address provided below, and we will remove you from our mailing list. Alternatively, for email communications, you may opt out of receiving such communications by following the unsubscribe instructions set forth at the bottom of most e-mail messages from us.

 

Please note that even if you do not sign up to receive email from us, we may send you important service announcements.

 

Also, please note that we have not yet developed a response to browser “Do Not Track” signals, and do not change any of our data collection practices when we receive such signals. We will continue to evaluate potential responses to “Do Not Track” signals in light of industry developments or legal changes.

 

  1. California Privacy Rights 

 

We do not share Personal Information as defined by California Civil Code Section 1798.83 (“Shine the Light Law”) with third parties for their direct marketing purposes absent your consent. If you are a California resident, you may request information about our compliance with the Shine the Light law by contacting us by email to support@gritdigitalhealth.com or by sending a letter to:

 

Grit Digital Health LLC

2128 15th Street

Denver, CO 80202

 

Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this email address or mail address.

 

  1. European Users’ Rights. If you are located in the EU or Switzerland, you have certain rights with respect to your Personal Information. Following is a summary of those rights and additional information applicable to our collection and use of your Personal Information.

 

Data Controller

 

When you provide us with your Personal Information through the Platform, we serve as a data controller. When we act as a data controller we determine how your Personal Information will be utilized, in accordance with this Privacy Policy.

 

Legal Basis for Processing Personal Information

 

If you are located in the EU or Switzerland, we rely on several legal bases to process your Personal Information. These legal bases include where:

 

  • The processing is necessary to perform our contractual obligations, such as to provide you with our Services;
  • You have given your prior consent, which you may withdraw at any time (such as for marketing purposes or other purposes we obtain your consent for from time to time);
  • The processing is necessary to comply with a legal obligation, a court order or to exercise or defend legal claims; and
  • The processing is necessary for the purposes of our legitimate interests, such as in improving, personalizing, and developing our Site and Services, marketing new features or products that may be of interest, and promoting safety and security as described above.

 

If you have any questions about or would like further information concerning the legal bases on which we collect and use your Personal Information, please contact us by emailing support@gritdigitalhealth.com.

 

Rights Under the General Data Protection Regulation

If you are located in the EU or Switzerland, you have the following rights in respect of your Personal Information that we hold:

 

  • Right of access. The right to obtain access to your Personal Information.
  • Right to rectification. The right to obtain rectification of your Personal Information without undue delay where that Personal Information is inaccurate or incomplete.
  • Right to erasure. The right to obtain the erasure of your Personal Information without undue delay in certain circumstances, such as where the Personal Information is no longer necessary in relation to the purposes for which it was collected or processed.
  • Right to restriction. The right to obtain the restriction of the processing undertaken by us on your Personal Information in certain circumstances, such as where the accuracy of the Personal Information is contested by you, for a period enabling us to verify the accuracy of that Personal Information.
  • Right to portability. The right to portability allows you to move, copy or transfer Personal Information easily from one organization to another.
  • Right to object. You have a right to object to processing based on legitimate interests and direct marketing.

 

If you wish to exercise one of these rights, please email us at support@gritdigitalhealth.com. You also have the right to lodge a complaint to your local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

 

Retention of Personal Information

 

When reserve the right to retain any Personal Information as long as it is needed to: (1) fulfill the purposes for which we collected the Personal Information; and (2) comply with applicable law.

 

Transfers of Personal Information

 

If you are located in the EU, the personal information we collect may be stored and processed in any country in which we or our affiliates, suppliers, third party electronic payment processors and/or financial institutions or agents maintain facilities, including, but not limited to, the United States of America. YOU CONSENT TO ANY AND ALL PERSONAL INFORMATION YOU PROVIDE AND SUBMIT VIA THE SITE AND SERVICES BEING SENT TO THE UNITED STATES OF AMERICA. The United States of America has not sought nor received a finding of “adequacy” from the EU under Article 45 of the GDPR. We rely on derogations for specific situations as set forth in Article 49 of the GDPR. YOU ARE ALSO INFORMED THAT THE UNITED STATES OF AMERICA PRESENTLY DOES NOT HAVE AN ADEQUATE LEVEL OF PERSONAL DATA PROTECTION AS DETERMINED BY THE EUROPEAN COMMISSION’S ADEQUACY DECISION ON OCTOBER 6, 2015 (CASE C-362/14) AND ARTICULATED IN THE EUROPEAN UNION’S GENERAL DATA PROTECTION REGULATION AND HAS NOT RECEIVED A SIMILAR DESIGNATION OF ADEQUACY BY ANY OTHER FOREIGN DATA PROTECTION AUTHORITY. YOU AGREE TO THE TRANSFER OF YOUR DATA AND PERSONAL INFORMATION TO THE UNITED STATES OF AMERICA, HOWEVER, TO BE USED IN ACCORDANCE WITH THIS PRIVACY POLICY.

 

Obligations to Data Protection Authorities (DPAs)

 

We will respond diligently and appropriately to requests from DPAs about this policy or compliance with applicable data protection privacy laws and regulations. We will, upon request, provide DPAs with names and contact details of the individuals designated to handle this process. With regard to transfers of Personal Information, we will (1) cooperate with inquiries from the DPA responsible for the entity exporting the data and (2) respect its decisions, consistent with applicable law and due process rights. With regard to transfers of data to third parties, we will comply with DPAs’ decisions relating to it and cooperate with all DPAs in accordance with applicable legislation.

 

10.     Updates to this Policy and Contact Information

 

We reserve the right to change this Privacy Policy at any time. If we decide to change our Privacy Policy, we will post those changes on this page so that you are always aware of what information we collect, how we use it and under what circumstances we disclose it. As we may make minor changes from time to time without notifying you, we suggest that you periodically consult this Privacy Policy. Your continued use of the Platform after the effective date of any modification to the Privacy Policy will be deemed to be your agreement to the changed terms.

 

If you have any questions about your privacy or security on our Platform, please contact us using the following information: 

 

Grit Digital Health LLC

2128 15th Street

Denver, CO 80202