Privacy Policy

Last updated: September 27, 2021

Welcome to The Commons Project Foundation! This Privacy Policy (“Policy”) describes how The Commons Project Foundation (“TCP,” “we” or “us”) collects, uses, and shares information about how TCP collects, uses, and shares information about you when you use the CommonHealth mobile application (the “App”) for storing your digital health records. Before using the App, please read the following carefully to understand how we will treat your personal data.

Overview of the App

To retrieve your digital health records (“Health Data”), you will use existing third-party portal logins (“Providers”) to log-in and obtain a copy of your digital health record. A window will open connecting you directly to Your Provider, and Your Providers will ask you to input your login credentials (usernames and passwords) for their portals to log in. Your usernames and passwords will not be seen by the App or TCP. Your Health Data will be downloaded over an encrypted connection directly from Your Provider to your mobile device where it is stored within the mobile application entirely under your control, This connection does not pass through any TCP information systems. You may also choose to import data in the form of a SMART Health Card, either by scanning a QR code with your camera or importing a file stored on your device. This data may include your COVID-19 vaccination or laboratory testing results. The data is not shared with TCP. Health Data is stored on the mobile device and remains under your control.

You may choose to share your health-related information on the App with third-party apps that request access to the App (“Third-Party Apps”). If you choose to grant access to your Health Data to Third-Party Apps, that data is sent directly from your mobile device to the Third-Party App. When you provide consent for Third-Party Apps to access your Health Data, you can decide whether (a) some or all of your Health Data is shared, (b) if new health records are automatically shared or if the Third-Party Apps must ask each time before accessing new records.

What We Collect

The only data we collect is the following “App Data”:

Information You Provide To Us. We collect the information that you may choose to provide to us (eg. request customer support). While there is a profile page in settings, that is solely stored on the device and not accessible by TCP.
Information We Collect Automatically. When you download the App from the Google Play store, we may also automatically collect some device information about you (eg. Android operating system version, country, language settings, the type of device, settings, unique device identifiers, and crash data that helps us understand when something goes wrong).
Information Collected from Other Sources. We sometimes use certain third-party online services to provide services to TCP, including our website, which is hosted on Squarespace (those services we refer to as “Other Services”). When you engage with us through these Other Services, we may receive personal data about you (that information, “Other Service Information”). You can check the privacy policy of any Other Service for more information on how it collects, uses, and shares personal data, including the Other Service Information that may be provided to us.

How We Use Information About You

In connection with the App Data that we collect in order to provide the App, we use that information about you for the following purposes only:

To provide and maintain the App. We use the App Data we collect to provide or serve our App and to maintain and improve the App;

To communicate with you. We may also use your personal data to directly communicate with you about your use of the App or to respond to an email or submission from you.
To comply with the legal obligations. We may in some cases need to process your personal data in order to comply with TCP legal requirements; protecting the rights, property, or safety of you, TCP, or another party; or otherwise to resolve legal disputes.

How We Share Information

With respect to App Data, we may share information about you as follows:

We share information with vendors, consultants, and other service providers who need access to such information to carry out work for us;
We may share information (and will provide you with prior notice, to the extent legally permissible) in response to a request for information if we believe disclosure is in accordance with or required by, any applicable law, regulation, legal process, or governmental request (including as noted above in “How We Use Information”);
We may disclose personal data to law enforcement, regulators or others if we believe in good faith that it’s necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on us; (c) to protect or defend our rights or property or users of our Services or others; and/or (d) to investigate or assist in preventing any violation of the law;
We may share information if we believe your actions are inconsistent with the Terms of Service or the Code of Conduct, or to protect the rights, property, and safety of ourselves and others;
We may share information in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company; and
We may share information between and among TCP, and its current and future parents, affiliates, subsidiaries, and other companies under common control and ownership.

Information Not Covered

We may also share aggregated or de-identified or anonymized information, which cannot reasonably be used to identify you for our lawful business purposes, including to analyze, build and improve the App and promote our business, provided that we will not share such data in a manner that could identify you.

Security

We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction.

Retention and Deletion

You can delete all of your Health Data stored in the App by going to “Settings.” If you delete some or all of your Health Data, this deletion from your device is permanent. You can also disconnect and remove any of Your Providers or any Third-Party Access also through “Settings.”

With respect to App Data, we will keep your personal data only for as long as we believe that we need it for the purpose we have collected it (as described above) or to meet legal obligations, resolve disputes, maintain security, prevent fraud and abuse, or enforce our agreements with you. When your App Data is no longer needed, we will destroy or de-identify it. We may archive App Data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.

Children

The App is not designed or intended for children under 13. If you are based outside the United States, you must be over the age required by the laws of your country to use the Services. If we become aware that we have the personal data of such children collected through the App, we will promptly delete it.

Your Choices

The California Consumer Protection Act (“CCPA”) gives consumers who are residents of California the right to request certain information from businesses about their data collection practices. The CCPA does not apply to TCP because TCP is a non-profit organization. However, as part of TCP’s commitment to advancing the public good, it has voluntarily committed to CCPA compliance. As a reminder, your Health Data is stored on your device and TCP can not access this Health Data. In order to submit a CCPA request related to your App Data, please contact us at privacy@thecommonsproject.org. Please include in your request sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information. Please note that we do not sell your personal data and that TCP will not discriminate against you in any way based on your exercise of these rights.

Changes

We may change this Policy from time to time. If we do, we will let you know by revising the date at the top of the Policy. If we make a change to this policy that, at our sole discretion, is material, we will provide you with additional notice. We encourage you to review this Policy whenever you access or use App or otherwise interact with us to stay informed about our information practices and the ways you can help protect your privacy. If you continue to use the App after the Policy changes go into effect, you consent to the revised policy.

Contact Us

If you have any questions about this Privacy Policy, please email privacy@thecommonsproject.org or in writing to our US corporate office:

The Commons Project Foundation

745 Fifth Avenue, 5th Floor

New York, NY 10151

ATTN: PRIVACY REQUEST