Privacy Policy


Transformative Healthcare & Crowd-Safe Privacy Policy

Securing data and protecting privacy is job #1 for us at Transformative Healthcare. Our customers trust us to provide frictionless experiences, to keep your data safe and to protect your privacy, and we’re obsessed with delivering on that promise. Importantly, we will never sell or rent your personal information. We are transparent about what we know about our customers, how we protect that information, and how customers engage with us from the very beginning, starting with the privacy policy below.

Transformative Healthcare developed proprietary software and services in response to the COVID pandemic and has securely processed millions of COVID tests and vaccinations through our platform. Our diagnostic testing, vaccine administration and mobile health services platform (www.app.transformativehealthsite.com) manages every aspect of the testing, vaccination and other mobile health services including event scheduling, staffing, booking appointments, in-field test, vaccine or procedure administration, lab order generation & transmittal, receipt & communication of test results and reporting of testing or vaccination data as required by federal, state or local governmental authorities. Our Crowd-Safe platform (www.app.crowd-safe.us) enables participants to link their identity to certain health characteristics to automate compliance with their organization’s vaccination and testing requirements as well as to submit and validate professional licenses and credentials. Given the nature of the information we collect, any software that collects or reports private health information is provisioned on secure HIPAA compliant servers provided by Amazon Web Services under a Business Associates Agreement and access to that data is tightly controlled. This policy also covers data collected on our websites at www.transformativehc.com and www.crowd-safe.us.

Effective Date: December 15, 2021

We at Transformative Healthcare, along with our subsidiaries and affiliates (collectively, “Transformative”), respect your concerns about privacy and value our relationship with you. This Privacy Policy describes the types of personal information we obtain about individuals, how we may use the information, with whom we may share it, and the choices available regarding our use of the information. The Privacy Policy also describes the measures we take to safeguard your personal information and how you can contact us about our privacy practices.

1. INFORMATION WE OBTAIN

We may obtain personal information about you from various sources. The types of personal information we may obtain include:

  • Contact details (such as name, email and postal address, and telephone number);
  • Business contact information (such as employer’s name and address, job title and business email address and telephone number);
  • Biometric data (such as facial images or scans);
  • Physical characteristics (such as gender);
  • Government-issued identification information (such as driver’s license number, as well as copies of government-issued identification documents);
  • Digital photographs (such as images from your mobile device camera);
  • Demographic details (such as date of birth, race, ethnicity);
  • Location information (such as GPS data from your mobile device to enable a location-based service);
  • Information about your health, as described further in Section 14;
  • Contact information for family or others you would like us to contact;
  • Survey information; and
  • Other information you may provide to us or authorize to be provided to us (such as language preferences).

We also may collect personal information typed into forms on our websites, whether or not the form is submitted.

In addition, when users visit our websites, we may use cookies, web beacons and other tracking tools to collect certain information, including your device’s IP address, device type, browser type, operating system, referring URLs, actions taken on our sites, and dates and times of website visits. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon”, also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server. Through these automated collection methods, we may obtain “clickstream data”, which is a log of content on which a visitor clicks while browsing a website. As the visitor clicks through the website, a record of the action may be collected and stored. Clickstream data also can tell us the type of computer and browsing software a visitor uses, the address of the website from which the visitor linked to our site, and the pages she visits on our site.

2. HOW WE MAY USE THE INFORMATION WE OBTAIN

A. BIOMETRIC DATA AND OTHER PERSONAL INFORMATION, INCLUDING HEALTH INFORMATION

We may use biometric data, health information and other personal information we obtain about you to:

  • Facilitate and manage the testing, vaccination and related services provided by Transformative Healthcare
  • Deliver automated appointment confirmations, reminders and test results via email, text and/or automated voice calls
  • Operate and administer the Crowd-Safe vaccine and test status automation platform
  • Verify individuals’ identities, including authenticating users of our services
  • Comply with and enforce applicable legal requirements and policies, including this Privacy Policy and to enforce our Terms of Use

We also may use the information in other ways with your express consent, such as when you choose to use a service or participate in a program we may offer jointly with another entity.

B. NON-BIOMETRIC AND NON-HEALTH PERSONAL INFORMATION

In addition to the uses described in 2.A. above, we also may use non-biometric and non-health personal information to:

  • Provide services to our consumers
  • Respond to and communicate with you about questions and comments
  • Create and manage online accounts that you may establish on our sites
  • Send news and updates about our services or those offered by our marketing partners
  • Offer our consumers products or services we believe may be of interest to them
  • Communicate with our consumers about, and administer participation in, special events, programs, surveys, and other offers and promotions
  • Operate, evaluate and improve our business (including developing new products and services; analyzing our products and services; managing our communications; and performing accounting, auditing and other internal functions)
  • Perform data analyses (including market and consumer research)

In addition, by collecting information through cookies, web beacons and other automated means on our websites, we learn how to best tailor our websites to our visitors. We may use cookies to customize visits to our sites and deliver content consistent with our visitors’ interests and the manner in which our visitors browse the site. We may use IP addresses to help diagnose problems with our server and to administer our website. We also may use IP addresses to help identify visitors to our site for the duration of a session and to gather demographic information about our visitors. We may use clickstream data to determine how much time visitors spend on each web page of our websites, how visitors navigate through the sites, and how we may tailor our sites to better meet the needs of our visitors.

We do not collect personally identifiable information about a consumer’s online activities over time and across third-party websites or online services. Therefore, “do not track” signals transmitted from web browsers do not apply to our website, and we do not alter any of our data collection and use practices upon receipt of such a signal.

We also may use the information we obtain about you in other ways for which we provide specific notice at the time of collection.

C. HEALTH INFORMATION

In addition to the uses described in 2.A. above, we may use health information as described in greater detail below in Section 14.

D. INTEREST-BASED ADVERTISING

Data about your visit to our websites may be collected and used to provide advertising about products and services tailored to your individual interests. You can choose whether or not to have your information collected for that purpose. This section of the Privacy Policy provides details and explains how to exercise that choice.

You may see certain ads on other websites because we participate in advertising networks administered by third-party vendors. These networks track your online activities over time by collecting information through automated means, including through the use of cookies and web beacons. The networks use this information to show you advertisements that are tailored to your individual interests. The information our ad network vendors collect includes information about your visit to our websites, such as the pages you have viewed. This process also helps us track the effectiveness of our marketing efforts. To learn more about how to opt out of ad network interest-based advertising, CLICK HERE.

3. INFORMATION WE SHARE

We never sell or rent personal information about you.

In addition, we do not share or otherwise disclose such information except as described in this Privacy Policy.

A. BIOMETRIC DATA AND OTHER PERSONAL INFORMATION, INCLUDING HEALTH INFORMATION

We may share biometric data, health data, and other personal information we obtain with service providers we have retained to perform services on our behalf (such as transmitting diagnostic lab test orders, vaccine administration record keeping and data analytics). We also may disclose biometric data and other personal information for the purposes described in Section 2.A of this Privacy Policy to government agencies if required by contract or law. In addition, we may disclose the information to other third parties with your express consent, such as when you choose to use a service or participate in a program that we may offer jointly with another entity.

B. NON-BIOMETRIC AND NON-HEALTH PERSONAL INFORMATION

In addition to the disclosures described in Section 3.A above, we also may share non-biometric and non-health personal information (except for government-issued identification numbers and payment card and financial account numbers) we obtain about you with our affiliates for the purposes described in Section 2.B of this Privacy Policy.

C. HEALTH INFORMATION

In addition to the disclosures described in Section 3.A above, if you use Crowd-Safe we also may share health information we obtain about you or information based on this information with organizations or locations that use the Crowd-Safe platform for managing authorization to work or access to venues, for the purposes described in Section 2.A and Section 14 of this Privacy Policy.

D. SERVICE PROVIDERS

We contractually prohibit our service providers who access our consumers’ personal information from using or disclosing the information other than to perform services on our behalf or comply with legal requirements. We require these service providers to appropriately safeguard the privacy and security of the consumer personal information they collect, use, disclose or otherwise process on our behalf.

E. DISCLOSURES FOR OTHER PURPOSES

We may disclose information we obtain about you (1) if we are required to do so by law or pursuant to legal process (such as a court order or subpoena); (2) in response to requests by government agencies, such as law enforcement authorities; (3) to establish, exercise or defend our legal rights; (4) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (5) in connection with an investigation of suspected or actual illegal activity; or (6) otherwise with your consent or at your direction.

We reserve the right to transfer information we have about you in the event we sell or transfer all or a portion of our business or assets, as permitted or required by law. Should such a transfer occur, we will use reasonable efforts to direct the transferee to use the personal information in a manner that is consistent with this Privacy Policy.

We also may share the information we obtain about you in other ways for which we provide specific notice at the time of collection.

F. NOTICE FOR PARTICIPANTS RESIDENT OUTSIDE OF THE UNITED STATES

Your personal information may be maintained and processed by Crowd-Safe, its affiliates and third-party service providers in the United States. Personal information transferred to the U.S. will be subject to U.S. laws and may be disclosed to or accessed by the courts, law enforcement and governmental authorities in accordance with those laws.

We or our service providers may also disclose information we obtain about you if we are required or permitted to do so by law or pursuant to legal process (such as court order or subpoena), which may include lawful access by U.S. courts, law enforcement or other government authorities in those jurisdictions. If you have any questions about the manner in which we or our service providers treat your personal information, please contact us at the contact information in Section 11 below.

4. YOUR CHOICES

We offer you certain choices in connection with the personal information we maintain about you. At any time, you may tell us not to use your personal information for marketing purposes. In addition, you may ask us to refrain from sharing the personal information we maintain about you with third parties for the third parties’ own marketing purposes.

You can direct us at any time not to send you marketing emails by (1) clicking on an unsubscribe link in marketing emails you may receive from us, (2) replying to marketing emails you receive from us and including the word “unsubscribe” in the subject line, or (3) emailing us at [email protected] and including the word “unsubscribe” in the subject line and your name and date of birth in the body of the email. In addition, you can tell us your preference by contacting us as specified in the “How to Contact Us” section of this Privacy Policy.

5. ACCESS AND CORRECTION

You may request a copy of certain personal information we maintain about you or update or correct inaccuracies in that information by contacting us at [email protected]. To help protect your privacy and maintain security, we will take steps to verify a consumer’s identity before granting access to the information. In addition, if you believe that the personal information we maintain about you is inaccurate, you may request that we erase, rectify, complete or amend the information by contacting us as indicated in the “How to Contact Us” section of this Privacy Policy. If we deny an access request, we will notify you of the reasons for the denial and offer an opportunity to challenge our decision. Please note that certain changes to the personal information we maintain about you may require us to (1) reevaluate eligibility for participation in our programs and (2) obtain new copies of government-issued identification documents.

6. OTHER ONLINE SERVICES AND THIRD-PARTY FEATURES

Our websites may provide links to other online services for your convenience and information, and may include third-party features such as apps, tools, widgets and plug-ins. These online services and third-party features may operate independently from us. The privacy practices of the relevant third parties, including details on the information they may collect about you, are subject to the privacy statements of these parties, which we strongly suggest you review. To the extent any linked online services or third-party features are not owned or controlled by us, Crowd-Safe is not responsible for these third parties’ information practices.

7. HOW WE PROTECT PERSONAL INFORMATION

We maintain administrative, technical and physical safeguards designed to protect personal information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

To safeguard certain sensitive information (such as biometric data and government-issued identification information), we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems. 

In addition, the following are examples of security measures that are used to safeguard all types of personal information we maintain about our consumers:

  • Procedures for the identification and classification of personal information and implementation of safeguards appropriate to the sensitivity of the information;
  • Access control procedures designed to verify a business need before access to personal information is granted, and procedures for the periodic review of access permissions;
  • Procedures for termination of access to personal information designed to curtail access to the information by terminated personnel or when there is no longer a business need for access;
  • Personnel security controls designed to reduce the risk of human error, theft, fraud or misuse of facilities.

8. RETENTION OF PERSONAL INFORMATION

When you permanently discontinue use of our services, you may request that we remove from our databases any personal information we maintain about you. You may request removal of your personal information as described in this paragraph by contacting us as specified in the “How to Contact Us” section of this Privacy Policy, and we will honor your request, except that we may retain limited information so we can comply with your request not to be contacted in the future.

9. CHILDREN’S PERSONAL INFORMATION

We recognize the importance of protecting children’s online privacy. Our websites are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from children under the age of 13 unless required to provide the requested services.

10. UPDATES TO OUR PRIVACY POLICY

This Privacy Policy may be updated periodically to reflect new Crowd-Safe program features or changes in our personal information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes to this Privacy Policy. We will indicate at the top of the Privacy Policy when the policy was most recently updated.

11. HOW TO CONTACT US

If you have any questions or comments about this Privacy Policy, any privacy related complaints, or would like us to update information we have about you or your preferences, please contact us by email at [email protected]. You also may write to us at:

Chief Privacy Officer

Transformative Healthcare

275 Grove Street – Suite 2-400

Newton, MA  02466

12. BIOMETRIC DATA RETENTION FOR ILLINOIS RESIDENTS

For Illinois residents, in accordance with Illinois state law, Crowd-Safe will retain biometric data only until the occurrence of the first of the following:

(a) The initial purpose for collecting or obtaining such biometric data has been satisfied

(b) Three years following your last interaction with Crowd-Safe

13. NOTICE TO CALIFORNIA USERS

The information provided in this section applies only to California residents.

We are required by the California Consumer Privacy Act of 2018 (“CCPA”) to provide an explanation of the rights and choices we offer California residents regarding our handling of their personal information, along with information regarding the categories of personal information we collect, use and share.

A. CALIFORNIA RESIDENTS’ PRIVACY RIGHTS

The CCPA grants California residents the following rights:

  • Information.  You can request information about how we have collected, used and shared your personal information during the past 12 months.
  • Access.  You can request a copy of the personal information that we maintain about you.
  • Deletion. You can ask us to delete the personal information that we collected or maintain about you.

Please note that the CCPA limits these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request.  If we deny your request, we will communicate our decision to you.  You are entitled to exercise the rights described above free from discrimination.

B. HOW TO SUBMIT A REQUEST

To request access to or deletion of personal information from our databases:

  • Send an email to us at: [email protected].
  • Identity verification. CCPA requires us to verify the identity of the individual submitting a request for their personal information before providing a substantive response to the request.  Because we take the privacy and security of your personal information seriously, we will verify your identity by asking you to both (a) provide certain information about yourself, and then (b) provide us with a notarized affidavit. Once your identity is verified, we will work to provide you with your requested information in a timely manner.
  • Authorized agents.  California residents can empower an “authorized agent” to submit requests on their behalf.  To protect your privacy we will require the authorized agent to have a written authorization confirming that authority.

C. PERSONAL INFORMATION THAT WE COLLECT, USE AND SHARE

Transformative or Crowd-Safe will never sell or rent your personal information.

As described above in this Privacy Policy, we do use cookies and other tracking tools on our website to analyze website traffic and facilitate advertising. In addition, by using our services at a specific organization, you direct us to disclose certain information about your health to that organization.

The CCPA requires that companies disclose their collection and use of specific categories of Personal Information enumerated in CCPA. Below is a table of those categories and a notification as to whether Crowd-Safe collects each. Please note that, while each “CCPA category” may cover many types of personal information, Crowd-Safe collects, uses and shares only the personal information described in Section 1 of this Privacy Policy.

CCPA Categories (Definitions are available HERE) and whether collected:

  • Identifiers: Yes
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)):  Yes
  • Protected classification characteristics under California or federal law:  Yes (age)
  • Commercial information: No
  • Biometric information:  Yes
  • Internet or other similar network activity:  Yes
  • Geolocation data:  Yes
  • Sensory data:  No
  • Professional or employment-related information:  Yes
  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)):  No
  • Inferences drawn from other personal information:  Yes

We describe the sources through which we collect Personal Information in Section 1, Information We Obtain, above. We describe the purposes for which we use and share this information in Section 2, How We Use the Information We Obtain, above, and Section 3, Information We Share.

14. DIAGNOSTIC TESTING, VACCINE ADMINISTRATION & CROWD-SAFE

Transformative Healthcare provides a range of diagnostic testing and vaccination services, tracked and managed using proprietary and HIPAA compliant testing and vaccine administration software. Crowd-Safe is a HIPAA compliant web-based service that enables individuals to securely submit and share their vaccination or test result status with employers to indicate eligibility for work or for statistical reporting purposes, or to employers and other organizations to gain access to facilities or event venues. Crowd-Safe may collect, use or share personal health information, such as responses to a health symptom and exposure questionnaire, the results of a body temperature check, vaccination status and/or diagnostic test results. We may receive such health information from you directly or from third parties (such as health care providers or labs) that are permitted to share this information with us. We may also share your health information with third parties (such as health care providers, labs, state vaccination registries) if required to deliver the services we provide.

If you use Crowd-Safe, we may use your health information or information derived from this data to operate and administer Crowd-Safe’s services, to evaluate and improve our service, as well as for the purposes set forth above in Section 2A. Additionally, we may share health information we obtain about you or information based on this information with your employer or with locations that use the Crowd-Safe platform, solely for the purpose of managing authorization to work or granting access to buildings or venues as allowed by law. We may also share de-identified information with public interest organizations, health care organizations and researchers. We will prohibit these organizations from attempting to re-identify the information we share with them.

How We Protect Your Data

Transformative is committed to providing a robust and comprehensive security program for its Services, including the security measures set forth below under “Enterprise Security Measures”. During the Subscription Term, these Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as we deem reasonably necessary.

Enterprise Security Measures Utilized by Us

We will abide by these Enterprise Security Measures to protect Service Data as is reasonably necessary to provide the Services:

1. Security Policies and Personnel. We maintain a security program to identify risks and implement preventative technology, as well as processes for common attack mitigation. This program is reviewed on a regular basis to provide for continued effectiveness. We maintain an information security resource responsible for monitoring and reviewing security posture for our systems and services, responding to security incidents, and developing and delivering training to our employees in compliance with our security policies.

2. Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Service Data. These safeguards include encryption of Service Data at rest and in transmission with our user interfaces or APIs (using TLS or similar technologies) over the internet, except for any Service that does not support encryption.

3. Audits and Certifications. Upon Client request, and subject to the confidentiality obligations set forth in our Client Agreement, Transformative shall make available to Clients (that are not a competitor of Transformative) information regarding our compliance with the obligations set forth in this Agreement in a mutually agreeable form (and under appropriate non-disclosure protections).

4. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of our systems or data that includes a response time under which Transformative will contact its Clients upon verification of a security incident that affects their Service Data. The incident response program includes centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, Clients will be notified within seventy-two (72) hours of the discovery of a Service Data Breach. “Service Data Breach” means an unauthorized access or improper disclosure that has been verified to have affected Client’s Service Data.

5. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique login credentials and strong passwords changed on a regular basis. Upon termination of personnel, or where compromise of such credentials is suspected, these credentials are revoked. Access rights and levels are based on our employees’ job function and role, using the concepts of least-privilege and need-to-know basis to match access privileges to defined responsibilities.

6. Network Management and Security. The Sub-Processors utilized by us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. 

7. Data Center Environment and Physical Security. The Sub-Processors’ environments which are utilized by us for hosting services in connection with our provision of Services employ the following security measures:

  • A security organization responsible for physical security functions 24x7x365.
  • Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
  • N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.

Technical and Organizational Enterprise Security Measures for Third-Party Service Providers Who Process Service Data

Third-party service providers, if any, that are utilized by Transformative will only be given access to Client Account and Service Data as is reasonably necessary to provide the Services. Transformative requires any third-party service providers who have access to Service Data to maintain compliance with the following appropriate technical and organizational security measures:

1. Physical Access Controls. Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is Processed.

2. System Access Controls. Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.

3. Data Access Controls. Third-party service providers shall take reasonable measures to provide that Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to Service Data to which they have the privilege of access; and, that Service Data cannot be read, copied, modified, or removed without authorization in the course of Processing.

4. Transmission Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.

5. Input Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.

6. Data Protection. Third-party service providers shall take reasonable measures to provide that Service Data is secured to protect against accidental destruction or loss.

These terms were last updated on December 15, 2021.