SHOEBOX LTD.  PRIVACY STATEMENT

Last Revised:  May 12, 2020

At SHOEBOX Ltd. (“SHOEBOX”), your privacy is important to us. The purpose of this privacy statement is to let you know how we collect, use, and disclose Personal Information, and to inform you of your rights with respect to such Personal Information.

About SHOEBOX Products

SHOEBOX® Audiometry Standard and SHOEBOX® Audiometry Pro are registered medical devices in certain jurisdictions.  They are tablet-based audiometers that perform diagnostic hearing testing.

SHOEBOX® QuickTest is a tablet-based hearing screening test.  SHOEBOX QuickTest is not a medical device.

SHOEBOX® Online is an online hearing screening test.  SHOEBOX Online is not a medical device.

SHOEBOX® Data Management Portal is a cloud data storage system that is used to synchronize and store the data collected in association with the use of all SHOEBOX products. SHOEBOX Data Management Portal is not a medical device.

Collectively, we refer to these products as the “SHOEBOX Solutions”.

Audiological Services are professional audiological services performed by in-house SHOEBOX audiologists and independent contractors within SHOEBOX’s Audiological Services Network.

Managed Services are consulting services that may include services such as integration support, deployment services, or a dedicated support representative.

Support Services are help desk services that are provided to assist or redirect our Customers as required.

Collectively, we refer to these services and any other services that we may perform during the course of our engagement with our Customers or participants, including but not limited to integration services or translation services, as “Services”.

Applicability of Privacy Statement

This Privacy Statement relates to “Personal Information”, meaning information about an identifiable individual. This applies whether, for example, that individual is our Customer’s provisioned user or is a Participant, as these terms are defined below. Whether a person is “identifiable” means that they can be identified by the information itself or by that information combined with other information reasonably available.

This Privacy Statement applies to Personal Information processed by SHOEBOX as follows: (i) through use of the SHOEBOX Solutions and Services by our Customers; and, (ii) through use of the SHOEBOX Solutions and Services by SHOEBOX (applicable to non-EU Personal Information only).  This Privacy Statement also applies to information that is collected via our websites. In this Privacy Statement we will refer to the organization that is primarily responsible for the collection, use, and disclosure of Participant information as the “Custodian”.

(i)  USE OF THE SHOEBOX SOLUTIONS AND SERVICES BY OUR CUSTOMERS

Classification of information

When the SHOEBOX Solutions and Services are used by our Customers, we classify the Personal Information we collect, use, and disclose into two main categories: The first is information about our Customers and the second is about our Customers’ Participants. Mainly, our “Customers” are organizations and individuals that are involved in carrying out hearing screening or hearing testing of Participants. The term “Participant” refers to those individuals whose audiograms, hearing screening results, and/or other information are collected and processed using the SHOEBOX Solutions and Services.

Where the SHOEBOX Solutions and Services are made available to a Participant by a Customer, the Customer is the Custodian.

The way we handle Personal Information varies depending on whether it relates to a Customer’s provisioned user (e.g. a Customer employee or other representative) or a Participant, so each is specifically addressed in this Privacy Statement. You should also note that we are managers of Participant Personal Information as service providers to our Customers and, therefore, as a general rule, we only ever process Participant Personal Information on behalf of our Customers except as set out in Section ii (Use of the SHOEBOX Solutions and Services by SHOEBOX). The collection, use, and disclosure of Participant Personal Information will be subject to the privacy practices of the relevant Customers, so Participants should refer to them for additional information.

Participants should also be aware that Customers are able to export data from the SHOEBOX Solutions and Services. Customers are solely responsible for the use of such data and for safeguarding it. Participants should therefore be aware that their Personal Information may also be directly held by the relevant Customer.

What information we collect

From our Customers, we collect information that is necessary to establish and maintain the provision of the SHOEBOX Solutions and Services to them, as well as to understand and improve the usage and performance of the SHOEBOX Solutions and Services.  Most of our Customers are corporations, so this information is not “Personal Information”. This information may include:

  • Customer name
  • Contact information, including postal and email addresses
  • Billing address
  • Billing details  (as necessary for our internal accounting purposes and for processing payments through our contracted processing service)
  • Login information for provisioned users, as applicable, such as usernames and encrypted passwords
  • Information about how the Customer and its provisioned users, as applicable, use the SHOEBOX Solutions and Services, including information about the Customer and intended use of the SHOEBOX Solutions and Services
  • Information provided by the Customer and its provisioned users, as applicable, in connection with any support given by the SHOEBOX team related to the SHOEBOX Solutions and Services.

The use of SHOEBOX Audiometry Standard and Pro may involve the collection and processing of the following Participant Personal Information on behalf of Customers:

  • Participant name (Title and full name)
  • Participant gender
  • Participant date of birth
  • Participant contact details (including company or school)
  • Participant hire date
  • Participant ID number
  • Care providers (physicians, etc)
  • Information about the Participant’s hearing
  • Participant test results
  • Location and date of the test
  • Home phone number
  • Cell phone number
  • Work phone number
  • Email address
  • Chart number
  • Health card number
  • Notes
  • Employment information, such as employee ID, department, job classification, job position, job status (active or not active), facility

Only your name is mandatory for SHOEBOX Audiometry Standard and Pro.   The audiometry results and location information are generated and saved at the time of testing. SHOEBOX Audiometry Standard and Pro only require information that is necessary to conduct the testing. Participants should be aware that our Customers may collect additional Participant Personal Information using questionnaires within SHOEBOX Audiometry Standard and Pro.  Providing information other than your name is optional and is under the control of the Custodian when SHOEBOX Audiometry Standard or Pro is set up for that Custodian.

The use of QuickTest and SHOEBOX Online may involve the collection and processing of the following Participant Personal Information on behalf of Customers:

  • First name
  • Last name
  • Email address
  • Phone number
  • Location data
  • Age range
  • Gender (SHOEBOX Online only)
  • Hearing test results

There is no mandatory Participant Personal Information for QuickTest.  Participants should be aware that our Customers may collect additional Participant Personal Information using questionnaires within QuickTest or SHOEBOX Online. Only age range and the questionnaire are mandatory for SHOEBOX Online.  Providing any other information for either QuickTest or SHOEBOX Online is optional and, if provided, is under the control of the Custodian when QuickTest or SHOEBOX Online is set up for that Custodian.

Purposes for collection

As stated in more detail in its Terms of Service, SHOEBOX does not use any identifiable Participant Personal Information for its own purposes. Participant Personal Information is only processed by SHOEBOX on behalf of our Customers to provide them with the SHOEBOX Solutions and Services. Participants should refer to the Customer’s privacy policy for an understanding of how Participant Personal Information is collected, used, disclosed, and otherwise processed by the Customer through its use of the SHOEBOX Solutions and Services before submitting any Personal Information to the SHOEBOX Solutions and Services. Further, if you have any questions or concerns about the processing of your Personal Information, you should consult the Custodian.

Disclosure of Personal Information

SHOEBOX may share Personal Information with people within the company who have a “need to know” the information for business or legal reasons. For example, to perform contractual obligations; in order to carry out an administrative function, such as processing an invoice; or to direct a question you have submitted to the relevant department at SHOEBOX.

We may share Personal Information with third parties, including:

  • Government and regulatory authorities. For example, to respond to a legal request or comply with a legal obligation, in which case we will make reasonable efforts to give the relevant individual notice of the disclosure, provided we are able to identify the individual and are lawfully able to do so;
  • For the purposes of seeking legal or other professional advice;
  • Suppliers of IT services and third-party service providers engaged by SHOEBOX as further detailed earlier in this Privacy Statement and our Terms of Service; and
  • In the event that we sell, buy, or merge any business or assets, including to the prospective seller or buyer of such business or assets and their respective professional advisers.
  • We may also share anonymous or de-identified information with other third parties in connection with the purposes outlined in this Privacy Statement and our Terms of Service.

Right of Access

Pursuant to applicable law, you may have certain rights in relation to your Personal Information, including a right of access. Participants should contact the relevant Custodian directly and the Custodian can facilitate this access directly by use of the SHOEBOX Solutions and Services.  If we are required to assist the Custodian, we may require additional information to confirm a Participant’s or provisioned user’s identity, which will only be used for that purpose.

Data Location 

SHOEBOX uses service providers in the United States and Canada to store and manage the data associated with the SHOEBOX Solutions and Services as follows:

Data is stored in the United States from Customers:

  • We have identified as being located in the United States; or,
  • That subscribed to the SHOEBOX Solutions prior to March 7, 2018; or,
  • Who used SHOEBOX QuickTest prior to September 8, 2018.

Data is stored in Canada from Customers:

  • We have identified as being located outside of the United States and
    • Who subscribed to SHOEBOX Audiometry Standard and SHOEBOX Audiometry Pro on or after March 7, 2018; or,
    • Who used QuickTest on or after September 8, 2018; or,
    • Who use SHOEBOX Online.

(ii) USE OF THE SHOEBOX SOLUTIONS AND SERVICES BY SHOEBOX – APPLICABLE TO NON-EU PERSONAL INFORMATION ONLY

The defined terms used in this section are defined above in this Privacy Statement.

There may be cases where the SHOEBOX Solutions and Services are deployed as a “self-serve” kiosk, used in a product demonstration, used for product development, or used by SHOEBOX employees directly to test the hearing of Participants.  In each such case, it would be deployed, operated, and managed by SHOEBOX directly.

Where the SHOEBOX Solutions and Services are operated by SHOEBOX directly, SHOEBOX is the Custodian, and this Privacy Statement applies to the collection of Personal Information by SHOEBOX.

What information we collect

From our Participants, we collect information that is necessary to establish and maintain the provision of the SHOEBOX Solutions and Services to them.  The use of SHOEBOX Audiometry Standard and Pro by SHOEBOX may involve the collection of the following Participant Personal Information:

  • Participant name (Title and full name)
  • Participant gender
  • Participant date of birth
  • Participant contact details (including company or school)
  • Participant hire date
  • Participant ID number
  • Care providers (physicians, etc)
  • Information about the Participant’s hearing
  • Participant test results
  • Location and date of the test
  • Home phone number
  • Cell phone number
  • Work phone number
  • Email address
  • Chart number
  • Health card number
  • Notes
  • Employment information, such as employee ID, department, job classification, job position, job status (active or not active), facility

Only your name is mandatory for SHOEBOX Audiometry Standard and Pro. The audiometry results and location information are generated and saved at the time of testing.  SHOEBOX Audiometry Standard and Pro only require information that is necessary to conduct the testing.  Participants should be aware that we may collect additional Participant Personal Information using questionnaires within SHOEBOX Audiometry Standard and Pro.   Providing information other than your name is optional.

The use of QuickTest and SHOEBOX Online by SHOEBOX may involve the collection and processing of the following Participant Personal Information:

  • First name
  • Last name
  • Email address
  • Phone number
  • Location data
  • Age range
  • Gender (SHOEBOX Online only)

There is no mandatory Participant Personal Information for QuickTest.  Participants should be aware that we may collect additional Participant Personal Information using questionnaires within QuickTest and that providing such information is optional.  Only age range and the questionnaire are mandatory for SHOEBOX Online.

Purposes for collection

SHOEBOX does not use any identifiable Participant Personal Information for its own purposes. When SHOEBOX is the Custodian, Participant Personal Information is only processed by SHOEBOX to provide the SHOEBOX Solutions and Services to our Participants.

Disclosure of Personal Information

SHOEBOX may share Personal Information with people within the company who have a “need to know” the information for business or legal reasons. For example, in order to carry out an administrative function, such as processing an invoice; or to direct a question that you have submitted to the relevant department at SHOEBOX.

We may share Personal Information with third parties, including:

  • Government and regulatory authorities. For example, to respond to a legal request or comply with a legal obligation, in which case we will make reasonable efforts to give the relevant individual notice of the disclosure, provided we are able to identify the individual and are lawfully able to do so;
  • For the purposes of seeking legal or other professional advice;
  • Suppliers of IT services and third party service providers engaged by SHOEBOX as further detailed earlier in this Privacy Statement and our Terms of Service; and,
  • In the event that we sell, buy, or merge any business or assets, including to the prospective seller or buyer of such business or assets and their respective professional advisers.
  • We may also share anonymous or de-identified information with other third parties in connection with the purposes outlined in this Privacy Statement and our Terms of Service.

Right of Access

Pursuant to applicable law, you may have a right of access to your Personal Information. Where the Custodian is SHOEBOX, please contact our Chief Privacy Officer at privacy@shoebox.md. We may require additional information to confirm our Participant’s identity, which will only be used for that purpose.

Data Location 

When SHOEBOX is the Custodian, SHOEBOX uses a service provider in the United States to store and manage the data associated with the SHOEBOX Solutions and Services.

THE FOLLOWING SECTIONS APPLY TO ALL COLLECTION AND USE OF PERSONAL INFORMATION FROM ALL SOURCES INCLUDING OUR WEBSITES

When you visit our websites or use the applications powering the SHOEBOX Solutions and Services, we may use cookies, pixel tags, analytics tools, and other similar technologies to help provide and improve our services to you, and as detailed below:

Cookies: Cookies are pieces of information stored directly on the computer that you are using. Cookies allow us to collect information such as browser type, time spent on the websites or applications, pages visited, language preferences, and other web or application traffic data. We use the information for security purposes, to facilitate online navigation, to display information more effectively, to personalize your experience while using the websites or applications, and to otherwise analyze user activity. We can recognize your computer to assist your use of the websites or applications.

We also gather statistical information about the usage of the websites and applications in order to continually improve their design and functionality, understand how the websites and applications are used, and assist us with resolving questions regarding the websites and applications. Cookies may further allow us to select which of our advertisements or offers are most likely to appeal to you and to display them to you. We may also use cookies in online advertising to see how you interact with our advertisements, and we may use cookies or other files to understand your use of other websites.

If you do not want information to be collected through the use of cookies when using our websites or applications, there is a simple procedure in most browsers that allows you to automatically decline cookies or gives you the choice of declining or accepting the transfer to your computer of a particular cookie (or cookies) from a particular site. You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html. However, if you do not accept these cookies, you may experience some inconvenience in your use of the websites or applications. For example, we may not be able to recognize your computer, and you may need to log in every time you visit the websites or applications.

Pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used in connection with our websites and applications to, among other things, track the actions of users of the websites or applications and other means of communication with you (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the websites or applications and response rates.

Analytics tools: We use website and application analytics services provided by third parties that use cookies, JavaScript, and other similar technologies to collect information about website or application use, perform data enrichment, and report patterns or trends. These analytics providers may store this analytics data in the United States and other locations. Click on this link: https://www.shoebox.md/third-party-software/ to find the list of analytics tools we use so that you may review their terms of service, some of which include instructions on how you may opt out of certain third-party information collection practices. We will update this list as we change our analytics tools.

Safeguarding Personal Information

We are required by law to safeguard the Personal Information in our custody or control. We use industry-standard measures to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. We protect Personal Information regardless of the format in which it is held. We recognize that Participant Personal Information may contain sensitive health information and we protect it accordingly. If you have any questions or concerns in relation to the handling of your sensitive health information, you should contact the Custodian.

Our methods of protection include: (a) physical measures, such as restricted physical access to our information system; (b) organizational measures, including employee training and limiting access on a “need-to-know” basis; and, (c) technological measures, including the use of passwords and encryption.  More information about our security practices can be found at https://www.shoebox.md/security-policy/.

We use service providers, including data hosting providers, to facilitate providing the SHOEBOX Solutions and Services. We use contractual means to make sure that our service providers only deal with Personal Information on our behalf to provide the SHOEBOX Solutions and Services and not for any other purposes. We also undertake diligence to satisfy ourselves that our service providers will implement adequate safeguards to protect Personal Information.

If we have reason to believe that there has been a breach of security safeguards that has resulted in the inappropriate loss or disclosure of Personal Information, we will take reasonable measures to notify the affected Customers or Participants, as applicable, promptly and with sufficient detail to enable them to evaluate the breach and understand the likely consequences.

Revisions to this Privacy Statement 

SHOEBOX may update this Privacy Statement from time to time and, when we do, we will update the “Last Revised” date at the top of the Privacy Statement. The new date will be the effective date of the revised Privacy Statement. In the event of a significant revision, Customers may receive notification by email or through the SHOEBOX Solutions and Services. All Personal Information collected after the new Last Revised date will be subject to the revised Privacy Statement.

Anonymous information

SHOEBOX collects, compiles and analyzes anonymous, aggregate and/or de-identified data derived from Customers’ and Participants’ access to and use of the SHOEBOX Solutions and Services, including Personal Information (“Compiled Data”).  SHOEBOX employs an automated system to securely de-identify the data used to create the Compiled Data and then uses third party software to perform analytics on the Compiled Data.

SHOEBOX uses Compiled Data to:

  • understand how our customers and their provisioned users access and use the SHOEBOX Solutions and Services;
  • understand the results generated by our customers’ use of the SHOEBOX Solutions and Services;
  • evaluate how the SHOEBOX Solutions and Services perform;
  • perform analyses of the Compiled Data, including but not limited to, analysis of geographic data, demographic data, the number of hearing tests conducted, the number of hearing impairments found, and to identify trends in audiological data;
  • determine how to make improvements to the SHOEBOX Solutions and Services and to develop new capabilities;
  • investigate reported bugs in the SHOEBOX Solutions or Services and identify customers who may be affected by such bugs; and,
  • conduct research, whether such research is conducted by SHOEBOX, its affiliates or partners.

We will take industry-standard steps so that Compiled Data cannot be connected to any particular individual.

EU PERSONAL INFORMATION

This section shall apply only in respect of Personal Information relating to individuals located in the EU (“EU Personal Information”).

For the purposes of applicable EU data protection and privacy laws, SHOEBOX, with its registered offices at 301-80 Aberdeen St., Ottawa, ON K1S 5R5, Canada, is considered the Data Controller in respect of all EU Personal Information that it collects, uses, and otherwise processes for its own purposes as set out in this Privacy Statement.

If you are a Customer, website user, or other individual with whom we communicate and / or do business and you are located in the EU, you should read this Privacy Statement in full and particularly this section, before you provide us with any Personal Information or browse our website, and make sure that you are comfortable with our privacy practices.

Please note that for the purposes of EU data protection and privacy laws, personally identifiable information collected in a business context (for example an individual’s business email address or job title) will be Personal Information. All provisions in this Privacy Statement relating to Personal Information will therefore apply to any Personal Information that we collect about representatives of our Customers, such as Customer employees (and see in particular the section entitled “What information we collect”).

Purpose of Processing

The purposes for which we process EU Personal Information are as set out in this Privacy Statement. In most cases, we will be processing EU Personal Information on behalf of a Customer as a Data Processor, but in certain circumstances we will process EU Personal Information as a Data Controller, including for the purposes of communicating with you, administering your account, and for carrying out data analytics and enrichment.

Legal Basis for Processing

In accordance with the purposes for which we collect and use EU Personal Information, as set out above, the legal basis for SHOEBOX processing EU Personal Information will typically be one of the following:

  • Your consent;
  • The performance of a contract that we have in place with you or other individuals;
  • SHOEBOX or our third parties’ legitimate business interests; or
  • Compliance with our legal obligations.

Sharing of EU Personal Information

SHOEBOX may share EU Personal Information with people within the company who have a “need to know” the information for business or legal reasons. For example, in order to carry out an administrative function, such as processing an invoice; or to direct a question that you have submitted to the relevant department at SHOEBOX.

We may share EU Personal Information with third parties, including:

  • Government and regulatory authorities. For example, to respond to a legal request or comply with a legal obligation, in which case we will make reasonable efforts to give the relevant individual notice of the disclosure, provided we are able to identify the individual and are lawfully able to do so;
  • For the purposes of seeking legal or other professional advice;
  • Suppliers of IT services and third-party service providers engaged by SHOEBOX as further detailed earlier in this Privacy Statement and our Terms of Service; and
  • In the event that we sell, buy, or merge any business or assets, including to the prospective seller or buyer of such business or assets and their respective professional advisers.
  • We may also share anonymous or de-identified information with other third parties in connection with the purposes outlined in this Privacy Statement.

Information Transfers

In order to provide the SHOEBOX Solutions, Services, and our websites and as further detailed in the ‘Data Location’ section above, any EU Personal Information that we obtain may be transferred to and stored in a country outside the EEA, including Canada and the US. This may include transferring EU Personal Information to countries where the law provides less protection for Personal Information. If we transfer EU Personal Information to a country outside of the EEA, we will, as required by applicable law, ensure that your privacy rights are protected by appropriate safeguards. Please contact us if you would like more information about these safeguards.

Glossary

For the purposes of this section relating to EU Personal Information, the following terms will have the following meanings:

“Data Controller” an entity which determines the purposes and means of the processing of Personal Information.

“Data Processor” an entity which processes Personal Information on behalf of a Data Controller.

“EEA” European Economic Area.

“process” any operation that can be performed on Personal Information, including collecting it, storing it, accessing it, combining it with other data, sharing it with a third party, and deleting it.

If you have any questions or concerns about our privacy practices, or if you wish to access your Personal Information, please contact our Chief Privacy Officer at privacy@shoebox.md.