Operation CHARLIE BRAVO

Veteran Impact Services

ONLINE PRIVACY POLICY

When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information.

 

Veteran Impact Services, Inc.


Last Modified: 07 MAR 2023

INTRODUCTION

Veteran Impact Services, Inc. and its subsidiaries Operation Charlie Bravo (“VIS,” “OCB,” “we,” “our,” or “us”) treat your privacy as if it were our own privacy. We believe that managing your privacy is important, and we want you to be informed. Please take a few minutes to review this privacy policy (this “Policy”) to understand how we use, disclose, and otherwise interact with information we collect from you. We respect your privacy and are committed to managing it through our compliance with this Policy.

The purpose of this Policy is to describe the types of information we may collect from you or that you may provide to us when you visit http://www.ocbravo.org/ or any website that links to, references, or displays this Policy, or information otherwise provided to us online or offline as described in this Policy (the “Site”). By accessing, using, or submitting information to or through the Site or to us, you agree to this Privacy Policy. If you do not agree, you should not use the Site or submit information to us. This Policy may change from time to time, and your continued use of the Site or submission of information to us after any such change is deemed to be your acceptance of those changes. We encourage you to visit this Site periodically to ensure you keep up to date with our privacy practices.

VIS / OCB DATA COLLECTION

Information You Voluntarily Provide to Us Online. As part of the fun and interactive experience of using our Site, there will be places where you can enter personal information, such as your name, postal address, billing or shipping address, email address, telephone number, date of birth, gender, location, preferences, payment method, or any other identifier by which you may be identified online or offline. For example, you may be asked to provide personal information when you:

  • Create an account;
  • Purchase a product;
  • Sign up for email or news updates;
  • Fill out online surveys or respond to marketing initiatives, contests, events, or promotions;
  • Provide information in fillable forms or fields;
  • Request information about us or the Site, whether via email or other electronic means;
  • Submit product reviews;
  • Create a wish list; or
  • Request a catalog.


If you apply for a job at VIS / OCB, we may also collect personal and other information, such as work experience, education, skills, behaviors, motivations, licenses and certifications, and any other information you provide to us through our employment application.

In addition, if you make a debit or credit payment online or offline, our third party payment service providers (our “Payment Providers”), including, for example, PayPal, may take your payment information on our behalf and process it. Our Payment Providers may provide information back to us to confirm your purchase, allow us to fulfill your order, and for other purposes outlined in this Policy. We encourage you to visit the privacy policies of our Payment Providers to understand their privacy practices, which may differ from ours.

Information You Provide Through Other Means. We like to know who our supporters are and how they are using our products, so we can market the right products to the right people. As a result, we may also collect, obtain, or supplement information about you (including personal information) from sources other than you, including publicly available sources like social networking sites, forums and blogs, other users of our products and services, our affiliates, and our business and marketing partners and service providers.

Information When You Shop at Our Stores. We may also collect information from you when you shop at our stores, including much of the same information we would collect if you shopped online (i.e., order information, payment information, etc.). If you pay by personal check, we may also collect your driver’s license number for verification and fraud prevention purposes. In addition, to keep you and our employees safe, we use CCTV cameras in our retail stores and other company locations. These cameras collect and store images, video and other associated information, to help us with fraud prevention, security, and risk management. Our CCTV cameras are provided by a trusted third-party vendor, so video and images, as well as other associated information, is shared with both VIS / OCB and that trusted vendor.

Information We Collect Automatically When You Use the Site. When you use or interact with our Site, we do not collect information automatically. If you are interacting with the Site on a mobile device, we do not collect information automatically. The information will not be collected, received by, or shared with third-party vendors.

 

THIRD PARTY DATA COLLECTION

We want to make it clear that we may contract with third parties such as Google or Facebook to assist us with marketing (no one sends e-mails on our behalf), analytics, payment, social, and other business purposes. These third parties may use third-party cookies, or other methods or technologies like website scripting, pixels, or action tags to collect information about you when you visit the Site or interact with emails. The information collected by those third parties is not shared with VIS / OCB except for name and shipping location, so that you can receive the product you purchased. We use the information collected by third parties for contact information such as name, phone number, e-mail, and address. The use of your information by such third parties is governed by each third party’s privacy policy.

Information from Emails. VIS / OCB does not collect data from e-mails. We only keep information that you ask us to keep. Statement in all e-mail correspondence: “CONFIDENTIALITY NOTICE: The information contained in this communication is confidential, private, proprietary, or otherwise privileged and is intended only for the use of the addressee. Unauthorized use, disclosure, distribution or copying is strictly prohibited and may be unlawful. If you have received this communication in error, please notify the sender immediately. Thank you.”

Information from Chat Function. We do not have a chat function on our website currently.

Information from Customer Service Calls. You may also provide us order information, payment information, and other similar information while speaking with our customer service representatives. We do not record our calls with you for quality and training purposes. We’re a small nonprofit and do not have the funding to cover this kind of service.

Information from Third Party Analytics. We also use third party analytics on the Site, such as those provided by Google Analytics, Adobe, GoDaddy, and Clicktale to, for example, enable us to continually improve upon the content we offer to you, for systems administration purposes, to evaluate your use of the Site, to compile reports on activity, to analyze performance metrics, and to collect and evaluate other information related to the Site. Some of our analytics can be used to track users over time, for geo-location purposes, and across third-party websites.

Information from Social Media Platforms. We do not contract with or otherwise use third parties to gather and analyze data from social media platforms, including, for example, Facebook®, Instagram®, Pinterest®, YouTube®, and Twitter®.

Performance of the Site. We do use third-party services to track information about the performance of the Site. The third-party services collect aggregated data from visits to the Site to help troubleshoot any problems with performance, such as errors in code or page load times. We use this information to optimize your experience with the Site.

Online Behavioral (Targeted) Advertising. VIS / OCB does not do this.

 

HOW WE USE INFORMATION

The information we gather allows us to serve you and thank you better. It is never shared outside our organization without your consent.

Use of Information Collected Automatically. We do not collect information automatically.

Uses of Personal Information. We may use your personal information:

  • To thank you for a donation or reward for volunteer time;
  • To respond to any request you have made, including for information, products, and/or services;
  • For our marketing efforts, including to keep you informed about existing and new products and services;
  • To confirm and complete transactions requested by you;
  • To provide you with customer support;
  • To resolve problems and disputes;
  • To improve the Site, and our products and services;
  • To protect the security and integrity of the Site and our physical locations;
  • To monitor compliance with and enforce this Policy and our Terms of Use and any other applicable agreements and policies;
  • If necessary, to notify you about changes to the Site and any products or services we offer or provide;
  • In any other way we may describe when you provide the information;
  • To fulfill any other purposes for which you provide it, or offer your consent; and
  • As generally permitted under applicable law.


DISCLOSURE OF YOUR INFORMATION

We will not share your information, including your personal information, without your consent:

  • With our subsidiaries and affiliates;
  • With our subcontractors, service providers, and other third parties we use to support our business and the Site, including our purchasing processors, maintenance providers, and marketing partners;
  • With carefully screened companies and organizations (including marketing cooperatives) whose products and activities might be of interest to you;
  • To a buyer or other successor in the event of or during a restructuring, dissolution, or other sale or transfer of some or all of VIS / OCB’s assets or equity, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by VIS / OCB is among the assets transferred;
  • For any other purposes disclosed by us when you provide the information; or
  • Without your consent.


We may share your personal information to comply with any court order or legal obligation, including responding to any lawful government or regulatory request, or if we believe disclosure is necessary to enforce or protect our rights, property, or safety, or that of our users or third parties.

YOUR CHOICES ABOUT OUR COLLECTION, USE, AND DISCLOSURE

There are steps you can take to manage your privacy. You have choices regarding the information you provide to us and that we collect, including:

Cookies. If you do not wish us to collect cookies, you may set your browser to refuse some cookies, or to alert you when cookies are being sent. If you do so, please note that some parts of the Site may then be inaccessible or may not function properly. Information on deleting or controlling cookies can be found at https://www.aboutcookies.org/.

Analytics. Some analytics providers allow you to opt out:

Google Analytics: https://tools.google.com/dlpage/gaoptout
Clicktale: https://research.clicktale.com/SubscriptionCenter_preferences.html
Adobe: https://www.adobe.com/privacy/opt-out.html

Location Information. If you do not wish to share GPS location information with VIS / OCB, you may be able to turn off location sharing in your mobile device settings, or otherwise decline the option to allow your web browser to use your location for certain functionality like finding the nearest VIS / OCB location or address location on one of our online forms.

E-mail Opt-Out. You may opt-out of receiving future communications from us by clicking on the “unsubscribe” link at the bottom of any email from us (or sent on our behalf).

Accessing and Correcting Personal Information. Please send an e-mail to: info@ocbravo.org to make any desired changes.

Google Ads and Online Behavioral Advertising. VIS / OCB does not use these kinds of services to assist us with advertising. To learn more about Google’s practices with regard to data collection, and to manage Google Ads, click here: https://policies.google.com/technologies/ads. You can also opt out of online behavioral advertising from certain ads on third-party websites by visiting https://youradchoices.com/.

You can also opt out of some advertising networks by visiting their opt-out pages:

Personal Information Opt-Out. If you prefer not to have your personal information shared with other companies or organizations, just let us know by sending us an email at info@ocbravo.org or contact us by mail at 1670 E. North St., Crown Point, IN 46307, or call 1-219-323-3940.

EXTERNAL WEBSITES

Third Party Links. Our Site may contain links to websites operated and maintained by third parties. We have no control over and are not responsible for the privacy policies or content on those websites, and any links to third-party websites do not imply an affiliation between VIS / OCB and the website owner, or any endorsement, approval, or verification of any content contained on those websites. Privacy policies on third-party websites and mobile applications may be different from our Policy. You access such links at your own risk. You should always read the privacy policy of a website or mobile application before disclosing any of your information.

Social Media. If you use any functionality of the Site allowing you to interact with social media platforms (e.g., Facebook®, Instagram®, Twitter®, Pinterest®, and YouTube®) or otherwise interact with us on social media, generally, then please be aware that: (a) we may display your email address and/or social media handle (e.g., username) to other users; (b) we may use information you provide about yourself or other users to facilitate communications; and (c) we may collect information about interactions with us and receive information from social media platforms about you, including as described in the section titled “THIRD-PARTY DATA COLLECTION.” Please note that any content you post to social media platforms is subject to the data handling practices of each social media platform, as described in their respective terms of use and privacy policy, which we encourage you to read before posting content.

DO NOT TRACK

The Site does not respond to “do not track” requests. All traffic is treated as equal and processed the same. If you desire to have your browsing be private, we suggest that you use your web browser’s private or incognito function, or a similar option.

NOTICE TO CALIFORNIA RESIDENTS

California Civil Code Section § 1798.83 (the “Shine the Light” law) and the California Consumer Privacy Act of 2018 (“CCPA”) afford additional rights to the residents of the State of California. If you are a California Resident, please scroll down to Appendix A (Your California Privacy Rights) to learn more.

CHILDREN UNDER THE AGE OF 13

Although we appreciate the VIS / OCB supporters of the future, this Site is not intended for anyone under the age of 13, and we do not knowingly collect personal information from children under 13. In the event that we learn that we have collected personal information from a child under the age of 13 without parental consent, we will delete that information and otherwise comply with the requirements of any applicable law including the Children’s Online Privacy Protection Act. If you believe that we might have any information from or about a child under the age of 13, please contact us at info@ocbravo.org.

SECURITY

We strive to use reasonable means to secure your personal information while you are using the Site. However, please keep in mind that the transmission of information over the Internet and on mobile platforms is not always secure, which means we cannot and do not guarantee the security or confidentiality of any personal information you provide to us. Given this reality, your use of the Site, and your decision to provide personal information to us, is at your own risk.

CHANGES TO THIS POLICY

Innovation is part of our organization’s vision. As we constantly evolve and improve how we do business online, from time to time this Policy may change. The effective date of this Policy is the date next to the words “Last Modified” at the top of this Policy. We may update this Policy at any time, at our sole discretion, if we make material changes to the way we handle your personal information, or if material changes are necessary due to law. Our most current Policy will always be posted at https://www.combatbikesaver.org/, and at any other link you clicked on to reach this Policy. Any changes we make to this Policy will be effective immediately upon the posting of the updated Policy. As such, we encourage you to review this Policy regularly. Your continued use of the Site after we make changes will constitute your acceptance of any such changes.

CONTACT US

Have questions or comments? We want to hear from you. If you have feedback about this Policy or our Terms of Use, wish to remove or change your contact information in our database, or do not want to receive future mailings or other communications, as well as other inquiries, just contact us at any time using one of the options below:

Via e-mail: info@ocbravo.org
Via telephone: 1-219-323-3940
Via mail: Veteran Impact Services, Inc., 1670 E. North St., Crown Point, IN 46307


APPENDIX A

(Privacy Information for California Residents)

This Appendix supplements the information contained in Veteran Impact Services, Inc.’s (“VIS,” “OCB,” “we,” “our,” or “us”) privacy policy at https://www.combatbikesaver.org/privacy-security-policy.html and applies solely to residents of the State of California (“consumers” or “you”).

We collect personal information, as that term is defined under the California Consumer Privacy Act (“CCPA”), which is information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.

Personal information does not include publicly available information from government records, deidentified or aggregated consumer information, or information excluded from CCPA’s scope, like health or medical information subject to HIPAA, and financial information subject to GLBA or FCRA.

Disclosures

In the past twelve (12) months, our personal information practices were as follows:


Category of Personal Information - Identifiers

This may include a real name, alias, address, email address, phone number, driver’s license number (if payment by personal check), online identifier, IP address, account username and password, job title, or other similar identifiers.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, our other customers; through our third-party service providers, ad networks, data analytics providers, marketing partners and cooperatives, data security services, and social media networks.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; to secure our site from malicious traffic; for anti-fraud measures; to evaluate store locations; and for our own legal obligations and business needs.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers (e.g., shipping partners, fraud analytics partners); ad networks; data analytics providers; prospective purchasers of our business; marketing partners and cooperatives; outside auditors and lawyers; and social networks.

Category of Personal Information - Internet and network information

This may include information on your interaction with a website, application, or advertisement, such as browsing history and how you use your account.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, through our third-party service providers, ad networks, data analytics providers, marketing partners and cooperatives, and social media networks.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; to improve our services and products; and to secure our website and prevent fraud.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers (e.g., fraud analytics partners); marketing partners and cooperatives; ad networks; data analytics providers; and social networks.

Category of Personal Information - Payment and credit information

This may include your credit or debit card information, banking information, information about your payment transaction, or other financial information you provide us.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, and through our third-party service providers.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; to secure our site from malicious traffic; for anti-fraud measures; to evaluate store locations; and for our own legal obligations and business needs.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers (e.g., payment processors and fraud analytics partners); and outside auditors and lawyers.

Category of Personal Information - Device information

This may include the operating system of your device, device identifier, the type of device you are using, or your geolocation information.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, through our third-party service providers, marketing partners and cooperatives, ad networks, data analytics providers, and social media networks.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; to improve our services and products; to show you our store locations; and to secure our websites.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers; marketing partners and cooperatives; ad networks; data analytics providers; and social networks.

Category of Personal Information - Protected classification characteristics under California or federal law

This may include your age and sex.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, through our service providers, marketing partners and cooperatives, ad networks, and social media networks.

How We Use the Personal Information (Business Purposes)

To provide you with information, products or services; to advertise or market to you; and to improve our services or products.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; and service providers.

Category of Personal Information - Commercial Information

This may include information about what you order, shipping, returns, product complaints, product reviews, or warranties.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, through our third-party service providers, and marketing partners and cooperatives.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; for our own legal obligations and business needs; and to improve our services and products.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers (e.g., shipping partners); marketing partners and cooperatives; ad networks; data analytics providers; prospective purchasers of our business; outside auditors, insurers, and lawyers; and social networks.

Category of Personal Information - Geolocation Data

This includes information about your physical location or movements.

Categories of Sources from Which the Personal Information Is Collected

You and your agents.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; show you our store locations; and advertise or market to you.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; marketing partners; ad networks; data analytics providers; and service providers.

Category of Personal Information - Audio, Electronic, or Visual Information (Sensory Data)

This includes the collection of CCTV images in our stores and audio recordings of customer service calls.

Categories of Sources from Which the Personal Information Is Collected

You and through our service providers.

How We Use the Personal Information (Business Purposes)

To improve our services and products; for fraud prevention, security, and risk management.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers (e.g., Avtex Solutions); and outside auditors and lawyers.

Category of Personal Information - Inferences we draw about you

This may include information about your preferences, characteristics, predispositions, behavior, or other trends that help us identify which products you may be interested in.

Categories of Sources from Which the Personal Information Is Collected

You, your agents, through our third-party service providers, marketing partners and cooperatives, ad networks, data analytics providers, and social media networks.

How We Use the Personal Information (Business Purposes)

To provide you with information, products, or services; to advertise or market to you; to improve our services and products and their availability; and for our own business needs.

Categories of Service Providers and Third Parties with Whom Personal Information Is Shared

Entities that we are legally required to share with pursuant to law; service providers; marketing partners and cooperatives; ad networks; data analytics providers; and social networks.


Sales of Personal Information

CCPA defines a “sale” of personal information broadly to include more than exchanges for monetary purposes. A sale can include personal information shared with a third party for “valuable consideration,” or information shared with a third party (even if they are performing services on our behalf) if they are permitted to use the information for their own purposes.

OCB does not sell your personal information for monetary payment, whatsoever.

Given the foregoing, we have disclosed the following information for valuable consideration (“sold”) during the past twelve (12) months: Identifiers, Internet and Network Information, Device Information, Commercial Information, and Inferences.

OCB does not knowingly sell the personal information of minors under sixteen (16) years of age.



California Residents’ Rights and Choices

Effective January 1, 2020, the CCPA provides California residents with specific rights regarding their personal information, described below. Below are your CCPA rights and how to exercise those rights.

1. Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources of the personal information we collected about you.
  • Our business or commercial purpose for collecting that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you.


2. Deletion Request Rights

You have the right to request that we delete some or all of the personal information that we have collected from you and retained, subject to a number of exceptions. We (and our service providers) are not required to delete personal information where it is, for example: (a) necessary to complete a transaction with you or for warranty or product recalls; (b) used for security purposes, to prevent fraud, to fix errors, or to comply with law; (c) reasonable for us to use for internal purposes given our relationship with you; or (d) compatible with the context in which you provided the information. The list of exceptions above is not exhaustive and we may also deny a deletion request as otherwise permitted by law.

3. Exercising Your Rights

To exercise your rights described above, please submit a verifiable consumer request to us by either:


Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. If you are making a request on behalf of another person, you must provide written legal documentation that you are authorized to act on behalf of that individual.

You may make a verifiable consumer request for access or data portability only twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.


We may not be able to fulfill your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. To verify your identity, we may request certain pieces of personal information about you, and we reserve the right to take additional steps as necessary to verify your identity if we have reason to believe a request is fraudulent.

We will use the personal information provided in a verifiable consumer request only to verify the requestor's identity or authority to make the request.

4. Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will cover only the 12-month period preceding the date we receive your verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

5. Non-Discrimination

You have the right to not be discriminated against for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.


Other California Privacy Rights

California's “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us through the information provided in the CONTACT US section of our Privacy Policy.



JOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT

This HIPAA Business Associate Agreement (“HIPAA BAA”) is made between
JotForm, Inc., (“JotForm”) and Veteran Impact Services, Inc. / Operation Charlie Bravo (“Covered Entity” or “Customer”) as an agreement to the JotForm Terms of Use (the “Terms of Use”).
This HIPAA BAA is effective as of October 1, 2019 (“Effective Date”), which is the
date Customer indicated its acceptance of this HIPAA BAA electronically. This
HIPAA BAA was electronically signed by Jason Zaideman, Executive Director / Director of Veteran Services / Founder on behalf of Customer on the Effective Date.


In accordance with this HIPAA BAA, Customer may disclose to JotForm certain
"Protected Health Information" subject to the Health Insurance Portability and
Accountability Act of 1996, as codified at 42 U.S.C. Section 1320d-6 and 1320d-9
(“HIPAA”) and any current and future regulations promulgated thereunder,
including, without limitation, the federal privacy regulations contained in 45 C.F.R.
Parts 160 and 164 Subparts A and E (“Privacy Rules”), the federal security
standards contained in 45 C.F.R. Part 160 and 164 Subparts A and C (“Security
Rules”), and the Health Information Technology for Economic and Clinical Health
Act (“HITECH Act”) contained in Section 13402 of Title XIII of the American
Recovery and Reinvestment Act of 2009 (“ARRA”) (all are collectively referred to
herein as “The Regulations”).

JotForm and Customer hereby agree to the terms and conditions of this HIPAA
BAA in compliance with The Regulations.

1. Definitions
1.1. The terms of this HIPAA BAA are incorporated herein by reference as part
of the Terms of Use to comply with The Regulations.

1.2. Required by law shall have the same meaning as in the term “required by
law” in 45 CFR § 164.103.

1.3. “Security Rule” shall mean the Security Standards for the protection of
Electronic Protected Health Information, located at 45 CFR Part 160 and
Subparts A and C of Part 164.

1.4. “Privacy Rule” shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR part 160 and part 164, subparts A
and E.

1.5. Unless otherwise specified, all terms used in this HIPAA BAA have the
meaning set forth in the Privacy Rules and Security Rules.

1.6. “Form Hosting Services” shall mean the building of forms to collect user
data including PHI data that will be stored by JotForm.

2. Business Associate Obligations

2.1. Permitted Uses and Disclosures. JotForm shall not, and shall ensure
that its directors, officers, admin users, employees, contractors do not, use or
disclose Protected Health Information ("PHI") created, received, maintained, or
transmitted for the customer in any manner that would violate HIPAA. JotForm
acknowledges and agrees that it will not use or disclose PHI other than as
permitted or required by this HIPAA BAA or as required by law. Except as
otherwise limited in this HIPAA BAA, JotForm may use or disclose PHI to
perform functions, activities, for the sole purpose of the proper management
and administration of Form Hosting Services or services for (or on behalf of)
the customer as specified in the Agreement, provided that such use or
disclosure would not violate the HIPAA Privacy Rule if done by customer.

2.2. Use/Disclosure for Administrative Activities. Notwithstanding Section
2.1, JotForm may use and/or disclose PHI for management and administrative
activities of JotForm or to comply with the legal responsibilities of JotForm;
provided, however, that with respect to any such disclosure: (i) the disclosure
is required by law; or (ii) JotForm obtains reasonable assurances from the third
party that receives the PHI that the third party will treat the PHI confidentially
and will only use or further disclose the PHI in a manner consistent with the
purposes that the PHI was provided by JotForm, and contact support any
breach of the confidentiality of the PHI to JotForm.

2.3. Use of PHI for Data Aggregation. Except as otherwise limited in this
HIPAA BAA, JotForm may use PHI to provide Data Aggregation services to
Customer consistent with 45 C.F.R. §164.504(e)(2)(i)(B).

2.4. Safeguards. JotForm will implement appropriate safeguards which
includes Data Encryption and Encryption In-Transit services and, with respect
to Electronic PHI, comply with the applicable provisions of 45 C.F.R Part 164,
Subpart C, to prevent any Use or Disclosure of PHI other than as provided for
by this HIPAA BAA.

2.5. Subcontractors of JotForm. JotForm acknowledges and agrees to enter
into written contracts with any agent or independent contractor that creates,
receives, maintains, or transmits PHI on behalf of the JotForm with regards to
services provided by JotForm pursuant to the Agreement (collectively,
"Subcontractors"). Such contracts shall obligate Subcontractor to abide by
substantially the same terms and conditions as are required of JotForm and
agree to implement reasonable and appropriate safeguards to protect PHI
under this HIPAA BAA.

2.5.1 Amazon Web Services, JotForm uses Amazon Web Services to
provide highly available, highly scalable and highly secure hosting for both
services and data. JotForm has entered into a HIPAA BAA with Amazon
covering all aspects of JotForm hosting via Amazon Web Services.

2.6. Restrictions. JotForm acknowledges and agrees to comply with any
requests for restrictions on certain disclosures of PHI to which Customer has
agreed in accordance with 45 C.F.R. § 164.522 and of which JotForm has
been notified by Customer.

2.7. HIPAA Enabled Account Usage. Customer acknowledges and agrees
that PHI shall only be managed or transferred using the Customer’s HIPAA
Enabled Account. Use of Non-HIPAA Enabled Account with the Business
Associate for the transmission of PHI is strictly prohibited.

2.7.1. Forms. Customer acknowledges and agrees to only copy forms
containing PHI to other HIPAA Enabled Accounts. While building forms,
Customer acknowledges and agrees to label PHI fields to grant permission
for JotForm in order to maintain additional measures required for PHI
protection.

2.7.2. Data Export. Customer acknowledges and agrees that JotForm
shall not be responsible for PHI after it is exported from JotForm HIPAA
Enabled Account and it shall be Customer’s responsibility to use and
protect exported PHI according to The Regulations. This covers all data
export services provided by JotForm.

2.7.3. Data Sharing. Customer acknowledges and agrees that PHI shared
via JotForm by HIPAA Enabled Account shall abide by JotForm Terms of
Service and The Regulations. It will be Customer's sole responsibility after
it is shared or transferred. Also, Customer complies that it is Customer’s
sole responsibility to protect data in further circumstances that indicates
The Regulations. This covers all data sharing services provided by
JotForm.

2.7.4. Third Party Integrations. Customer acknowledges and agrees to
only use third party integrations if;
a) Customer has a BAA or related agreements in place with the Third
Party Service Provider consistent under The Regulations, or;
b) Third Party Service Provider publicly announces HIPAA compliance
in all the services provided, or;
c) JotForm announces HIPAA Compliant Integration with Third Party
Service.

2.8. Performance of Covered Entity's Obligations. To the extent JotForm
has agreed to carry out one or more of Customer's obligations under 45 C.F.R.
Part 164, Subpart E, JotForm shall comply with the requirements of Subpart E
that apply to Customer in the performance of such obligations. The parties
agree and acknowledge that Business Associate has not agreed to carry out
any of Covered Entity's obligations under 45 C.F.R. Part 164, Subpart E.

2.9. Access and Amendment. JotForm shall notify the Customer of receipt of
a request received by JotForm for access to, or amendment of, PHI. The
Customer shall be responsible for responding or objecting to such requests.

2.9.1. Access. Upon request, JotForm acknowledges and agrees to furnish
Customer with copies of the PHI maintained by JotForm in a Designated
Record Set in the time and manner designated by Customer to enable
Customer to respond to an individual request for access to PHI under 45
C.F.R. § 164.524.

2.9.2. Amendment. Upon request and instruction from Customer, JotForm
shall make available PHI for amendment and incorporate any amendments
to such PHI in accordance with 45 C.F.R. §164.526 and related laws and
regulations.

2.10. Accounting. JotForm acknowledges and agrees to document
disclosures of PHI as would be required for Customer to respond to a request
by an Individual for an accounting of disclosures of PHI in accordance with 45
C.F.R. §164.528 and, if required by and upon the effective date of, Section
13405(c) of the HITECH Act and related regulatory guidance; and provide to
Customer information collected in accordance with this Section. In the event an
individual delivers the initial request for an accounting directly to JotForm,
JotForm shall forward such request to Customer.

2.11. Security Obligations. JotForm shall implement the administrative,
physical, and technical safeguards set forth in 45 C.F.R. §§ 164.308, 164.310,
and 164.312 that reasonably and appropriately protect the confidentiality,
integrity, and availability of any Electronic PHI that JotForm creates, receives,
maintains, or transmits on behalf of Customer, and, in accordance with 45
C.F.R. § 164.316, implement and maintain reasonable and appropriate policies
and procedures to enable JotForm to comply with the requirements set forth in
Sections 164.308, 164.310, and 164.312.

2.12. Access by Secretary of U.S. Department of Health and Human
Services. JotForm agrees to allow the Secretary of the U.S. Department of
Health and Human Services (the "Secretary") access to its books, records, and
internal practices with respect to the disclosure of PHI for the purposes of
determining the Customer's or JotForm’s compliance with HIPAA.

3. Notification Obligations

3.1. Unauthorized Use or Disclosure of PHI. JotForm shall report to
Customer in writing, within ten business days, any use or disclosure of PHI not
provided for by this HIPAA BAA of which JotForm becomes aware.

3.2. Security Incident. JotForm shall report to Customer in writing, within ten
business days, any Security Incident affecting Electronic PHI of Customer of
which JotForm becomes aware. The Parties agree that this Section satisfies
any notice requirements by JotForm of the ongoing existence and occurrence
of attempted but Unsuccessful Security Incidents (as defined below) for which
no additional notice to Customer shall be required. For purposes of this HIPAA
BAA, “Unsuccessful Security Incidents” include: (a) “pings” on an information
system firewall; (b) port scans; (c) attempts to log on to an information system
or enter a database with an invalid password or user name; (d) denial-of-service
attacks that do not result in a server being taken offline; or (e) malware
(e.g., a worm or virus) that does not result in unauthorized access, use,
disclosure, modification, or destruction of Electronic PHI.

3.3. Breach of Unsecured PHI. JotForm will notify Customer of any Breach of
Unsecured PHI in accordance with 45 C.F.R. §164.410. The notice required by
this Section will be written in plain language and will include, to the extent
possible or available, the following:

3.3.1. The identification of each individual whose Unsecured PHI has been,
or is reasonably believed by JotForm to have been, accessed, acquired,
used, or disclosed during the Breach;

3.3.2. A brief description of what happened, including the date of the
Breach and the date of discovery of the Breach, if known;

3.3.3. A description of the types of Unsecured PHI that were involved in
the Breach (such as whether full name, Social Security number, date of
birth, home address, account number, diagnosis, disability code, or other
types of information were involved);

3.3.4. Any steps Individuals should take to protect themselves from
potential harm resulting from the Breach;

3.3.5. A brief description of what is being done to investigate the Breach,
mitigate the harm, and protect against future Breaches; and

3.3.6. Contact procedures for Individuals to ask questions or learn
additional information which shall include a toll-free number, an e-mail
address, Web site, or postal address, if Customer specifically requests
JotForm to establish contact procedures.

4. Covered Entity's Obligations

4.1. Notice of Privacy Practices. Customer shall, upon request, provide
JotForm with its current notice of privacy practices adopted in accordance with
HIPAA.

4.2. Limitations in Notice of Privacy Practices. Customer shall notify
JotForm of any limitations in the notice of privacy practices of Customer under
45 C.F.R. § 164.520, to the extent that such limitation may affect JotForm’s
use or disclosure of PHI.

4.3. Restrictions or Changes in Authorization. Customer shall not agree to
any non-mandatory restrictions on the use or disclosure of Protected Health
Information if such restriction could affect JotForm’s permitted or required uses
and disclosures of PHI hereunder except upon JotForm’s express, written
consent. Customer shall notify JotForm of any changes, revocations or
restrictions of the use or disclosure of PHI if such changes, revocations or
restrictions affect JotForm’s permitted or required uses and disclosures of PHI
hereunder including, without limitation, any revocation of any authorization for
the use or disclosure of PHI.

4.4. Requests for Use and Disclosure. Customer shall not request that
JotForm collect, access, use, maintain or disclose PHI, or act in any manner,
contrary to or in violation or breach of the Regulations or this HIPAA BAA.

4.5. Appropriate Use. JotForm is a tool for securely collecting complex
information using customizable forms. JotForm is not an electronic health
record or other medical record system and should not be used to maintain a
Designated Record Set or relied upon directly to provide patient care.
Information collected via JotForm must be transferred into an appropriate
system of record (for example, an electronic health record) in accordance with
appropriate processes to assure confidentiality, accuracy and availability
before being used for patient care.

4.6. Communications Made Outside of JotForm, Inc. Customer
acknowledges and agrees that texting and other communications of protected
health information that Customer requests JotForm to relay outside of the
JotForm pose heightened privacy and security risks. Customer further
acknowledges and agrees that it is Customer’s sole responsibility to determine,
as part of its HIPAA Risk Analysis, whether to prohibit or permit such
communications and, to the extent such communications are permitted, to
implement appropriate safeguards (including policies, procedures and training
of all authorized users) to manage these risks to a reasonable and appropriate
level consistent with HIPAA.

5. Termination

5.1. Termination upon Material Breach. Upon Customer's knowledge of a
material breach of this HIPAA BAA by JotForm, Customer shall notify JotForm
of such breach in reasonable detail and provide an opportunity for JotForm to
cure the breach or violation, or if cure is not possible, Customer may
immediately terminate this HIPAA BAA.

5.2. Return or Destruction of PHI. Upon termination of this HIPAA BAA,
JotForm will return to Customer all PHI received from Customer or created or
received by JotForm on behalf of Customer which JotForm maintains in any
form or format, and JotForm will not maintain or keep in any form or format any
portion of such PHI. Alternatively, JotForm may destroy all such PHI and
provide written documentation of such destruction.

5.3. Alternative Measures. If the return or destruction of PHI is not feasible
upon termination of the HIPAA BAA, then JotForm acknowledges and agrees
that it shall extend its obligations under this HIPAA BAA to protect the PHI and
limit the use or disclosure of PHI to those purposes that make the return or
destruction of PHI infeasible.

6. Third Party Beneficiaries

6.1. No Third-Party Beneficiary Rights. Nothing express or implied in this
HIPAA BAA is intended or shall be interpreted to create or confer any rights,
remedies, obligations, or liabilities whatsoever in any third party.

7. Miscellaneous

7.1. Survival. Customer and Business Associate’s respective rights and
obligations under this HIPAA BAA shall survive the termination of the
Agreement.

7.2. Interpretation. Any ambiguity in the JotForm Terms shall be resolved to
permit Customer to comply with HIPAA and the Privacy Rule.





Author of this privacy policy: Jason Zaideman

Date of publication: 11 MAR 2020