
Contents

1. Applicability of this Privacy Policy
2. Personal Data We Collect About You
3. Use of Your Data
4. Sharing Your Data
5. Choices and Rights over your Personal Data
6. Retention and Deletion
7. Data Transfer
8. Our Legal Bases
9. California Residents
10. Other Important Information

SMART® Health Card Verifier App - Privacy Policy

Last Revised: Sep 10, 2021

We want you to understand how and why The Commons Project Foundation (“TCP,” “we,” “us”) collects, uses, and shares information about you when you use the SMART Health Card Verifier application (the “App”). Before using the App, please read the following carefully to understand how we will treat your personal data.

Applicability of this Privacy Policy

For the purposes of applicable data protection laws, TCP is the “controller” or “data user” of your personal data provided to, collected by, or processed in connection with the App. This means that TCP is responsible for determining how and why your personal data is processed. If you don’t agree with this Privacy Policy, do not access or use the App.

This Privacy Policy does not apply to TCP’s products, websites, or applications that do not incorporate this Privacy Policy by reference or that expressly refer to a separate privacy policy.

Personal Data We Collect About You

When you use the App, we collect the following personal data:  

  • From You. The App allows you to scan a person’s SMART Health Card (“SHC”) to help verify an individual’s COVID-19 vaccination or test status. The App does not collect any personal data about you as the user of the App, but will display some personal data about the person showing you their SMART Health Card to help verify their COVID-19 vaccination status. It is not required by the App, but if you correspond with us via email, we will collect your email address.
  • From Your Device. The App will assign a random identifier to your device when you install the App, and will send us some non-personally identifiable information about the SMART Health Cards that you scan. This may include the name of the issuer of the SMART Health Cards, whether the SMART Health Cards meet the verification criteria, and a timestamp of when the SMART Health Cards are scanned. The SMART Health Cards are interpreted on your device when you scan the QR code, and information from the SMART Health Cards is shown on the device screen, but the SMART Health Cards themselves are not shown in the App and are not stored on your device. No personally identifiable information from the SMART Health Cards you scan will be shared with us.

The App will also collect limited information about how you access and use the App if you experience a crash or another bug within the application. We may also collect statistics on how many times you use the App, your IP address, device type and its unique device identifier, the type of mobile browser, the mobile operating system that you are using, and other log data. Finally, with your permission, we may also access the Camera on your device solely for the purpose of scanning QR codes that are part of the SMART Health Cards.

Use of Your Data

We use your data for the following purposes only:  

  • To provide and maintain the App. We use the personal data we collect to enable the App to function and to maintain and improve the App. This includes our efforts to keep the App and our users safe and secure, enforce the Terms of Use, ensure our records are accurate and up to date, and otherwise administer the App, including through troubleshooting and testing.
  • To communicate with you. We may also use your personal data to directly communicate with you about your use of the App or to respond to an email or submission from you.
  • To comply with the law. We may disclose personal data to law enforcement, regulators or others if we believe in good faith that it’s necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on us; (c) to protect or defend our rights or property or users of our Services or others; and/or (d) to investigate or assist in preventing any violation of the law.
  • To establish, exercise, or defend legal claims and for related purposes such as the prevention or detection of fraud where necessary.

Unless otherwise indicated, there is typically no contractual or legal requirement to provide your personal data; however, if you do not provide it, then we may not be able to provide the App to you.

Sharing Your Data

Except for the limited data we collect from the App as stated above, we do not collect personal information about you.  With respect to that limited data, except in the instances listed below, we will not disclose your personal data to others unless you consent to it, nor will we ever sell your personal data to advertisers. However, we may share your personal data in the following ways:

  • We may share information with vendors, consultants, and other service providers who need access to such information to carry out work for us. Their use of personal data will be subject to appropriate confidentiality and security measures (e.g. cloud providers who host our App).
  • We may also disclose personal data to law enforcement, regulators or others if required by any applicable law, regulation, legal process, or enforceable governmental request. To the extent the law allows it, we will attempt to provide you with prior notice before disclosing your information in response to such a request.

Choices and Rights over your Personal Data

You have a number of rights with respect to the personal data we have about you, which may be restricted by law. One key right is the right to ‘object’ to the processing of your personal data in certain circumstances (e.g., if we have no legal right to keep using it). You also have the right:  

  • To delete personal data. You can ask us to erase or delete all or some of your personal data. We will comply with this request unless there is a legal right for us to deny this request (for example, if we need to retain your data to comply with a legal obligation to which we are subject).  
  • To change or correct personal data. You can also ask us to change, update or fix your data in certain cases, particularly if it’s inaccurate.  
  • To limit, or restrict use of personal data. You can ask us to limit our use of your personal data (e.g., if your personal data is inaccurate or unlawfully held).
  • To access and/or take your personal data away (data portability). You can ask us for a copy of your personal data. For your own privacy and security, we may sometimes ask you to prove your identity before providing the requested information.  In some cases, you also have a right to receive your personal data or have it transmitted to others in an interoperable, machine-readable format.
  • To withdraw consent which you have given. If you have given consent to process your personal data, you may withdraw it at any time by deleting the App and/or submitting a request to delete your personal data.  This does not affect the lawfulness of our processing based on your consent prior to such withdrawal.
  • To not be discriminated against. TCP will not discriminate against you in any manner for exercising any of the above rights with respect to your personal data. However, TCP cannot control the actions of third parties with whom you choose to share information through the App.

Contact us at legal@thecommonsproject.org if you would like to exercise any rights you have to control your personal data.

If you are based in the European Economic Area (“EEA”) or the UK, you also have the right to lodge a complaint with your local data protection authority if you believe that we have not yet complied with our data protection obligations.  If you are based in, or the issue relates to, the UK, the Information Commissioner’s Office can be contacted as follows:

Email: casework@ico.org.uk

Webform: www.ico.org.uk/concerns/

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

If you are based or the issue you would like to complain about took place in the EEA, please click here for a list of local data protection authorities in the countries within the EEA in which we operate.

Note that the rights outlined above only extend to personal information.

Retention and Deletion

We will keep your personal data only for as long as is reasonably necessary to provide the App to you and to fulfill the purposes described in this policy.  When your personal data is no longer needed, we will destroy or irreversibly de-identify it.

Data Transfer

When you use our App, you may be sending personal data into countries that have different data protection rules than those of your country. As an example, the cloud service which we use to process personal data may be hosted in Switzerland, or the data may be viewed from the United States by authorized TCP personnel. We take appropriate steps to protect your personal data when it is transferred across borders, and certain laws may require us to implement particular safeguards, including ensuring there is an adequate level of protection for the data transferred.

Our Legal Bases

We will collect, use and share your personal data only where we have a legal basis for doing so. This section explains the legal bases we rely on for processing personal data:

  • Consent.  When you use the App, we rely on your (explicit) consent in order to process and transfer your personal data.  In the context of this App, you have been asked to review this policy and provide specific consent for the App to install it on your device and to scan SMART Health Cards.  If you consent, you may also withdraw your consent at any time – see Section 5 (Rights) above.
  • Legitimate Interests. We also process your personal data where it is necessary based on our legitimate interest in providing our App, understanding how our App is being used, improving the performance of our App, and protecting our App against illegal or fraudulent activity (i.e., cyberattacks).
  • Legal Obligations. In some circumstances, we may need to process personal data where necessary to comply with applicable laws.
  • Contract Necessity. In some circumstances, we may need to process personal data for the performance of an agreement we have with you or in order to take steps at your request prior to entering into an agreement with you.

California Residents

The California Consumer Protection Act (“CCPA”) gives consumers who are residents of California the right to request certain information from businesses about their data collection practices.  The CCPA does not apply to TCP because TCP is a non-profit organization.  However, as part of TCP’s commitment to advancing the public good, it has voluntarily committed to CCPA compliance.  In order to submit a CCPA request, please contact us at legal@thecommonsproject.org.  Please include in your request sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information. Please note that we do not sell your personal data and that TCP will not discriminate against you in any way based on your exercise of these rights.

Other Important Information

10.1 Security of Your Personal Data. Security of personal data is important to us. We implement security safeguards designed to protect your personal data. This includes safeguards to protect against anticipated threats or hazards to the security or integrity of the data, and to protect against unauthorized access, acquisition, leak, destruction, alteration, loss or disclosure. Despite these efforts, we cannot guarantee that your data may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or administrative safeguards. Please notify us immediately at security@thecommonsproject.org if you become aware of any security issues relating to our App.

10.2 Changes to This Privacy Policy.  We evaluate our privacy policies and procedures to implement improvements and refinements from time to time.  If we make any material changes to how we process your data, we’ll provide you notice through this Privacy Policy and by publishing a notice in the App. If you object to any changes, you may stop accessing the App or exercise other opt-outs or rights that we provide.

10.3 Children.  The App is not designed or intended to be directly used by children (as defined by applicable law).  However, a guardian or parent of a child may choose to use a health provider to consent to the use of the App to create a CommonPass certificate for their child.  If we become aware that we have the personal data of such children collected through the App without parental consent, we will promptly delete it.

10.4 Contact Information.  For any questions regarding this policy, please contact us at our US headquarters:

The Commons Project Foundation

420 Fifth Avenue, 19th Floor

New York, NY 10018

legal@thecommonsproject.org

Our representative in the EU and the UK may be contacted at:

First European Data Rep BV

Schiphol Boulevard 195

1118 BG Schiphol

tcp-euprivacy@eudatarep.com


© 2019-22 The Commons Project Foundation. All Rights Reserved.
