Effective August 14, 2023; Supersede Date: July 1, 2023
When you join us, you are trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.
When we refer to ourselves as “we” or “Engage”, we mean Engage Health, Inc. As a convenience to our visitors, our Site may contain links to third-party websites / content / services that are not owned or controlled by Engage. Engage is not responsible for how these properties operate or treat your personal data, so we recommend that you read the privacy policies and terms associated with these third-party properties carefully. Such third-party links do not constitute an endorsement of those third-party websites, the content displayed therein, or the persons or entities associated therewith. Please read the following to learn our privacy and data storage policies as they pertain to information we gather from individuals.
We collect personal data you choose to provide, e.g. through registrations, applications, and surveys. For example, you may choose to provide your name, contact information, and health information in connection with events or to participate in health research. Healthcare providers may choose to provide information relating to their specialties and professional affiliations.
In addition, we may gather information about you through your use of the Site, e.g. your anonymized IP address and how you navigate our Site. See also, the Section below on Cookies and Other Tools.
From time to time, we may use or augment the personal data we have about you with information obtained from other sources, such as public databases, and other third-parties. For example, we may use such third-party information to confirm contact information, to verify licensure of healthcare professionals or to better understand your interests by associating demographic information with the information you have provided.
You have, at any time, the right to access your personal data stored by Engage, to have the data rectified, completed, blocked or deleted and you may at any time withdraw your consent to the storage, processing and use of your data with effect for the future. Further, your consent is optional and voluntary. Denying consent does not have any negative consequences for you other than you will not be able to participate in a given survey, interview or health research project as outlined in the section How We Use Personal Data. More specifically;
- You have the right to request disclosure of our collection and sales practices in connection with your data, including the categories of personal information collected, the source of the information, the use of the information and, if the information was disclosed or sold to third-parties, the categories of personal information disclosed or sold to third-parties and the categories of third-parties to whom such information was disclosed or sold;
- You have the right to request a copy of the specific personal information collected during the 12 months before your request (together with right #1, a “personal information request”);
- You have the right to have such information deleted (with exceptions);
- You have the right to request that your personal information not be sold to third-parties, if applicable; and
- You have the right not to be discriminated against because you exercised any of these rights.
If you wish to exercise one or more of your rights above, you may contact our Data Protection Officer at email@example.com or at 651-994-0510. Please note you may only make personal information requests twice in a 12-month period, that we will need to collect information from you so we can verify your identity, and that we will respond within 30 days of receiving your personal information request.
We use your personal data to serve you in the following ways:
- Provide you with newsletters, articles, alerts, announcements, invitations, and other information about health topics, disease states, research studies, clinical research, and other topics related to rare or other health conditions;
- Operate our business e.g. schedule interviews or pay honoraria;
- Process, complete and fulfill your requests or inquiries;
- Communicate with you;
- To connect you with educational opportunities such as conferences; On occasion, Engage may connect you to activities, events or promotions that have specific terms, privacy notices and / or consent forms that explain how any personal data you provide will be processed in connection with that program;
- To provide insights to our clients as they work to develop therapies for various diseases; We use the information you provide for data analysis, to better understand the disease and how certain products and services impact you and those you care for, to track and respond to concerns, and to further develop and improve the products and services of our clients. In addition, we use information you provide to comply with our regulatory monitoring and reporting obligations;
We may aggregate and / or de-identify data about persons, including study responders and visitors to our Site and use it for any purpose, such as conducting historical studies, providing reports to third-parties, and product and service development and improvement activities.
Engage may share your personal data as follows:
- With our service providers; We may hire other companies and individuals to perform services on our behalf and we may collaborate with other companies and individuals with respect to particular products or services (collectively, “Providers”). Examples of Providers include data analysis firms, customer service and support providers, email and SMS vendors, web hosting and development companies and fulfillment companies. Providers also include our co-promote partners for products that we jointly develop and / or market with other companies. Some Providers may collect personal data on our behalf on our Site. These third-parties may be provided with access to personal data needed to perform their functions, but they may not use such data other than on our behalf or subject to contracts that protect the confidentiality of the data;
- To comply with the law; We reserve the right to disclose your personal data as required by law, when we believe disclosure is necessary or appropriate to comply with a regulatory requirement, judicial proceeding, court order, government request, or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Engage or others;
We may also aggregate and / or de-identify data about persons, including study responders and visitors to our Site and share it to third-parties for any purpose.
Healthcare providers’ information
As part of our work, we have a legitimate interest in collecting information that is provided to us by healthcare providers (“HCPs”) under consent that helps us understand certain diseases or the opinions of healthcare providers. Data collected is that which is necessary to answer questions, and can be sourced from multiple mediums including but not limited to surveys and interviews. Engage often pays an honorarium in exchange for an HCP’s participation.
In these cases, personal data relating to a HCP that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If a HCP does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.
Engage collects Non-Personally Identifiable Information (“Non-PII”) on HCPs, which is anonymous and may be HCPs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Research Data”) on Engage’s proprietary, secure encrypted servers.
Patients’ and / or their parents’ / legal guardians’ information
As part of our work, we have a legitimate interest in collecting information provided to us by patients (“PTs”) or their parents / legal guardian(s) (“LGs”) under consent, that helps us understand the burden of illness, the disease, and their opinions about products or services or other issues of interest. Data can be sourced from surveys, interviews, demographic profiles or other means. Engage often pays an honorarium in exchange for a PT’s or LG’s participation. Any and all compensation is solely for time spent and is in no way tied to the use or recommendation of any product or service that is owned by Engage Health or any third-party. Likewise, participation in any survey, interview or other health research opportunity is voluntary and does not afford participation in clinical trials or other activities / programs.
In order to participate in a specific study, often there are specific criteria established. These criteria are clearly laid out in the invitation to participate in order that potential participants know if a certain project pertains to them or their disease.
In these cases, personal data relating to a PT or LG that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If a PT or LG does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.
Engage collects Non-Personally Identifiable Information (“Non-PII”) on PTs and LGs, which is anonymous and may be PTs’ or LGs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Research Data”) on Engage’s proprietary, secure encrypted servers.
Minor patients’ information
We generally only allow participation / provision of information of patients (“PTs”) who are aged 18 years or older. If PTs are younger than 18 years or are unable to answer for themselves, we allow participation by their parent or legal guardian (“LG”). We do not collect personal data from persons not authorized to give it (e.g. we will not collect a PT’s or LG’s personal data from a friend, cousin, acquaintance, etc.).
Additionally, this Site is not directed toward children under the age of 13, and Engage does not knowingly collect information from children under the age of 13. For more information about our policies with regard to the collection of children’s information, read the section Children’s Privacy.
Other interested parties’ information and the Rare Collective®, LLC
As part of our work, we have a legitimate interest in collecting information provided to us by various interested parties (“IPs”) under consent, that helps us understand interest in topics, such as a specific blog post, meetings, events, or forums. Engage collects this information under consent either on its own or from the Rare Collective®, LLC, of which Engage is a proud partner.
In these cases, personal data relating to an IP that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If an IP does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.
Engage collects Non-Personally Identifiable Information (“Non-PII”) on HCPs, which is anonymous and may be HCPs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Research Data”) on Engage’s proprietary, secure encrypted servers.
The Health Information Portability and Accountability Act (HIPAA (Public Law 104-91)) establishes the US national standards to protect individuals’ personal information and is regulated by the US Department of Health and Human Services (HHS).
Under HIPAA, a “covered entity” is a:
- Health Care Provider: Any provider of medical or other health services, or supplies, who transmits any health information in electronic format in connection with a transaction for which HHS has adopted standard requirements.
- Health Plan: Any individual or group plan that provides or pays the cost of health care.
- Health Care Clearinghouse: A public or private entity that transforms health care information received from another entity into a standard (i.e. standard electronic format or data content), or vice versa.
Under HIPAA, “standard transactions” include:
- The processing of claims or encounters
- Remittance advice
- Eligibility inquiry and response
- Prior authorization and referral
- Claims status inquiry and response
Because Engage does not provide any of the services noted above under the section that addresses “covered entities” and does not conduct one or more of the standard HIPAA transactions, counsel has determined that Engage is a non-covered entity and therefore is not subject to HIPAA regulations.
However, because certain clientele of Engage may consider themselves covered entities, Engage uses reasonable efforts, including technical, administrative and procedural measures, to protect personal data and privacy in the spirit of HIPAA.
At no time does Engage promote itself as a covered entity under HIPAA.
Engage stores and processes personal data on encrypted servers in its possession (i.e. servers owned and operated solely by Engage) in the United States of America (the “US”) and therefore transfers personal data within the US. While we make every reasonable effort to protect information collected, please be aware there is always some risk involved when submitting data. We cannot guarantee that our research site, website, and servers are 100% safe from illegal tampering or “hacking”. Any data transmitted over the Internet may be at risk; however, once it is received at Engage and entered into our databases, any data you have submitted has the same protection Engage extends to its own confidential information.
Details of retention periods for your personal data can be obtained by contacting our Data Protection Officer at firstname.lastname@example.org. Engage Health destroys or de-identifies personal data that is no longer needed using secure methods. If you revoke your consent or request erasure of your personal data, we will delete your personal data typically within 15 business days, but in no case greater than one month.
GDPR (Regulation EU2016/679), or the General Data Protection Regulation, establishes EU standards to protect the personal data of natural persons, while ensuring free movement of information between Member States.
Under GDPR, a “controller” is the organization directing how the data will be used. This may be Engage or its clients. A “processor” is the organization that processes data at the direction of the “controller”, for example, to conduct data analyses. This may be Engage, its clients, or service providers.
Engage has legitimate interests and consent as legal bases for processing personal data of EU citizens. Consistent with GDPR, Engage has established reasonable technical, administrative and procedural measures to ensure data protection, even though storage and processing of data is conducted in the US. The section How We Use Personal Data describes Engage’s processing activities.
The processing of personal data by Engage Health is lawful, fair, and along with data use is implicitly outlined at affirmative consent for a given project – and all prospective research participants have the right to decline participation if they desire.
Engage Health routinely collects personal data that are particularly sensitive, including, but not limited to information regarding racial / ethnic origin, information regarding diagnosis, treatment and other issues related to one or more rare diseases, and other health issues. These data are processed for the purposes of benefit to the respondent, other rare disease patients and / or health research purposes, and are subject to consent at / prior to the time of data collection.
Engage and the California Consumer Privacy Act (CCPA; Came into Effect January 1st, 2020)
The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. The CCPA applies to businesses, including Engage, that collect personal information of “consumers.” The Act defines a “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. . .”, and grants “consumers” five new rights respecting their personal information. These rights are reflected in the section Your Rights Related to Information We Collect and Store About You.
“Sale” is defined by CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration” (Cal. Civ. Code § 1798.140(t)(1)). Please be aware that Engage does not sell your personal information.
- Under the code, a sale does not occur where data is disclosed to a “service provider.” Several requirements need to be met for this exception to apply: (1.) the transfer must be necessary to perform a task that has a “business purpose”; (2.) the transfer must take place “pursuant to a written contract” that prohibits the service provider from “selling, retaining, using, or disclosing the personal information”; (3.) the business has provided compliant notice to consumers of the fact that it intends to share with service providers; and (4.) the service provider does not further “collect, sell, or use” the personal information of the consumer except as necessary to perform the “business purpose.” Personal information Engage shares with third-party service providers meets the aforementioned requirements, and such disclosures are consequently not “sales”;
- Under the code, a sale does not occur when a consumer intentionally directs or uses a business to disclose the consumer’s personal information. This seems to be the equivalent of controller-to-controller transfers with consent of the data subject under EU data protection law. Engage only shares personal information with non-service provider third-parties at the explicit consent of consumers; and
- We may aggregate and / or de-identify data about persons, including study responders and visitors to our Site, and share with third-parties. Because aggregated and / or de-identified data is not personally identifying, such actions do not constitute a “sale” of personal information under CCPA;
Again, Engage does not sell personal information as per CCPA.
ENGAGE AND THE VIRGINIA CONSUMER DATA PROTECTION ACT (VCDPA; CAME INTO EFFECT JAN. 1, 2023)
The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023. The VCDPA applies to businesses, including Engage, that conduct business in Virginia or produce products or services that are “targeted” to residents of Virginia, AND that collect (control or process) personal information of at least 100,000 “consumers” in a calendar year. The Act defines a “consumer” as a Virginia resident “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context”, and grants “consumers” eight new rights respecting their personal information:
- The right to know, access and confirm personal data
- The right to delete personal data
- The right to correct inaccuracies in personal data
- The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company)
- The right to opt out of the processing of personal data for targeted advertising purposes
- The right to opt out of the sale of personal data
- The right to opt out of profiling based upon personal data
- The right to not be discriminated against for exercising any of the foregoing rights
Each of these rights is reflected in the section Your Rights Related to Information We Collect and Store About You.
Practically speaking, in order to comply with the VCDPA, companies need to inform consumers of their rights under the Act and create a process through which consumers can exercise those rights. The Act also implements other business obligations with regard to personal data. For example, companies subject to the Act must obtain consent prior to collecting and processing certain categories of sensitive personal data such as precise geolocation data, data about protected characteristics and genetic or biometric data (addressed in the section Patients’ and / or their parents’ / legal guardian information). The VCDPA also requires that when a company uses service providers to process data on the company’s behalf, the company must enter into a special contract with that service provider which implements the requirements of the Act and makes clear the service provider’s responsibilities with respect to the personal data that they process (addressed in the section How we share your personal data).
Additionally, the VCDPA requires that companies only hold the pieces of data they need for a specific purpose and for only as long as is necessary to achieve that purpose (addressed in the section Retention Period). The VCDPA also requires that companies implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data (addressed in section Security Policies). Finally, like the European Union General Data Protection Regulation (the “GDPR”), the Act requires companies to conduct and document a data protection assessment when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling (addressed in section Engage and the European Union’s General Data Protection Regulation – GDPR).
“Sale” is limited by the VCDPA to “the exchange of personal data for monetary consideration”. Please be aware that Engage does not sell your personal information.
- A sale does not occur where data is disclosed to a “service provider.” Several requirements need to be met for this exception to apply: (1.) the transfer must be necessary to perform a task that has a “business purpose”; (2.) the transfer must take place “pursuant to a written contract” that prohibits the service provider from “selling, retaining, using, or disclosing the personal information”; (3.) the business has provided compliant notice to consumers of the fact that it intends to share with service providers; and (4.) the service provider does not further “collect, sell, or use” the personal information of the consumer except as necessary to perform the “business purpose.” Personal information Engage shares with third-party service providers meets the aforementioned requirements, and such disclosures are consequently not “sales”;
- A sale does not occur when a consumer intentionally directs or uses a business to disclose the consumer’s personal information. This seems to be the equivalent of controller-to-controller transfers with consent of the data subject under EU data protection law. Engage only shares personal information with non-service provider third-parties at the explicit consent of consumers; and
- We may aggregate and / or de-identify data about persons, including study responders and visitors to our Site, and share with third-parties. Because aggregated and / or de-identified data is not personally identifying, such actions do not constitute a “sale” of personal information under VCDPA;
Engage does not sell personal information as per VCDPA.
ENGAGE AND PRIVACY ACTS FROM OTHER STATES:
Many states across the US are passing privacy legislation that addresses certain consumer rights as well as business obligations.
In summary, consumer rights address the following issues:
- Right to access — The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
- Right to correct — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
- Right to delete — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
- Right to opt out of certain processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.
- Right to portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
- Right to opt-out of sales — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
- Right to opt in for sensitive data processing — The right for a consumer to opt in before a business can process their sensitive data.
- Right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
- Private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
Business obligations address the following issues:
- Opt-in default (requirement age) — A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
- Notice/transparency requirement — An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
- Risk assessments — An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
- Prohibition on discrimination (exercising rights) — A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
- Purpose/processing limitation — An EU General Data Protection Regulation–style restrictive structure that prohibits the collection/processing of personal information except for a specific purpose.
We comply with each issue noted under “consumer rights” as reflected in the section Your Rights Related to Information We Collect and Store About You. We comply with each issue noted under “business obligations” in that Engage Health does not sell your data, we are transparent regarding data practices and privacy operations, we conduct formal risk assessments of our privacy procedures on a regular basis, we prohibit discrimination of consumers who exercise their data privacy rights, and we collect and process information only for specific purposes.
The following chart, from the IAPP (the International Association of Privacy Professionals), outlines the enacted privacy bills from across the US and highlights thirteen key provisions that commonly appear. If one of these key provisions appears in the legislation in a particular state, an “X” is placed in the corresponding column. The chart also notes the name of the legislation in each state and the date that each comes into effect.
The following information provides enacted privacy bills, by state, with links to the enacted legislation, with the exception of California and Virginia, which are noted above:
- COLORADO PRIVACY ACT – SB 190; CAME INTO EFFECT JULY 1, 2023
- CONNECTICUT DATA PRIVACY ACT – SB 6; CAME INTO EFFECT JULY 1, 2023
- INDIANA CONSUMER DATA PROTECTION ACT – SB 0005; COMES INTO EFFECT JANUARY 1, 2026
- IOWA CONSUMER DATA PROTECTION ACT – SF 262; COMES INTO EFFECT JANUARY 1, 2025
- MONTANA CONSUMER DATA PRIVACY ACT – SB 384; COMES INTO EFFECT OCTOBER 1, 2024
- TENNESSEE INFORMATION PROTECTION ACT – HB 1181; COMES INTO EFFECT JULY 1, 2025
- UTAH CONSUMER PRIVACY ACT – SB 227; COMES INTO EFFECT DECEMBER 31, 2023
The Children’s Online Privacy Protection Act (COPPA) defines the term “child” to mean an individual under the age of 13. If you are under the age of 13, you may not use this site or submit to Engage information about yourself including, but not limited to, your name, address, telephone number or e-mail address without the written permission of your parent or legal guardian (collectively referred to as “LG”). We suggest that you have your LG register if you are interested in Engage’s activities. We do not knowingly collect data from children under the age of 13. If we discover a child under the age of 13 or someone other than a LG, we will remove that information from our databases as soon as possible.
Visitors between the ages of 13 and 18 must obtain permission from their parents or guardian before registering on this website, sending any personally identifiable information, participating in online discussions, or submitting content to this website.
Engage’s website (“Site”) uses a technology called cookies, which is a small data file that a server gives to your browser when you access a website in order to let you access the pages you request and to track the pages visited. Using cookies to track page visits helps us analyze Site usage more accurately. In cases in which cookies are used, we will not collect your personally identifiable information (“PII”) except with your explicit permission.
Some users of our site access our site through ads or notices on third-party sites (such as Facebook and other Meta-owned sites); some users of our site link from our website to a third-party site (such as the site of a patient organization).
- Please note that third-party websites that you use to connect to our site may use a technology called pixels, which is a small data file that is a function of your browser that tracks your website activity across all of the devices you use. When you link from another website to this website, if a pixel is applied to a requested page, that original site may have the ability to recognize that you have come to our site and what information you provide. In general, any page to which we apply a pixel will be annotated in the consent.
Please see the sections Data We Collect and Use and How We Use Personal Data if you sign up for participation in health research via our Site. We may track the total number of visitors to our Site, the number of visitors to each page of our Site, the sequence or duration of visitors to each page, anonymized IP addresses, and the domain names of our users’ Internet Services Providers, and we may analyze these data for trends and statistics in aggregated or de-identified forms.
Engage Health may restrict the ability of any visitor to submit content or to access any part of the Site at Engage’s sole discretion.
Any person who desires to see their data, know how their data is being used, or desires that their data is updated or deleted (i.e. the “Right to Be Forgotten”), can do so by contacting our Data Protection Officer via email providing your name and the nature of your request. Such requests will be met to the best of our ability, typically within 15 business days, but in no case greater than one month.
Mr. Steve Stevenson, Data Protection Officer
3265 Lexington Avenue S, Eagan, MN 55121
email@example.com, (651) 994-0510