HealthSmart Data Security and Privacy Plan
Effective Date: 07/29/2020
Revised Date: 12/02/2024
General Points
- HealthSmart uses personally identifiable information (PII) for educational purposes and only to the extent necessary to provide each user access to the information needed to support their use of HealthSmart.
- HealthSmart does not share, rent, sell, trade, or disclose PII.
- The HealthSmart site will have no ads, and PII is not used for ad targeting.
- Your contributions on HealthSmart are owned by you.
- When your account is deleted:
  - All student submissions will be deleted.
- HealthSmart may use de-identified data to improve HealthSmart, e.g., to improve the user experience or to understand which functionality is often used and needs improving.
- HealthSmart will not re-identify de-identified data.
- You can request a complete export of your data.
- In the case of a breach of user data, unless contractually or legally prohibited, we will communicate about the breach and its extent as quickly as possible but no later than 24 hours following the confirmation of a breach.
- HealthSmart has signed and is happy to sign strict data protection agreements, such as the NDPA and the New York State Model Data Privacy Agreement for Educational Agencies.
- HealthSmart is FERPA, NY Ed Law §2-d and NY regulations §121 (Bill of Rights) compliant and can be used COPPA compliantly (when schools or parents consent to its use).
- We assume that we are compliant with any reasonable data privacy regulation world-wide, given that we are a privacy-first company, collect as little personal information as possible, and don’t abuse the little data we collect.
- HealthSmart staffs director-level positions for Information Security & Compliance and Regulatory Affairs. All contracts are reviewed at least annually for any updates to legal or regulatory requirements. Updates that require policy, procedure, or process changes are submitted to the Information Security and Compliance team for inclusion in the HealthSmart Data Security and Privacy program.
Regarding Subcontractors
- HealthSmart uses the following subcontractors that, in unusual circumstances, could access PII:
  - Amazon AWS - the world’s biggest cloud infrastructure provider, which governments around the world are using to host confidential data.
  - If someone emails support, their message and email address may be stored in HubSpot, Service Hub and Microsoft Office365.
- We use first-tier subcontractors with whom we have signed rigorous confidentiality and data protection agreements that equal or exceed customer requirements.
- We reserve the right to change which subcontractors we use and will provide an up-to-date list upon request.
Data Privacy and What Data Is Collected
- HealthSmart operates under a policy of minimizing the information we collect about users. The less data we collect, the better. Below is a list of data, apart from user contributions, which we do collect:
  - HealthSmart’s firewall stores your IP for 30 days.
  - Metadata your browser submits, like screen size, operating system etc., is currently not being collected.
  - When you sign up with an email address, we store your email address, username, and password.
  - When you sign up via Google single sign-on, we store your Google account ID, email address, and derive your initial HealthSmart user and display names from your Google account name. You can remove and change these data as you wish.
- All HealthSmart use of cookies and browsers’ local store is essential for providing HealthSmart functionality:
  - HealthSmart uses cookies to log you in and to correctly associate your contributions and activities on HealthSmart with your account.
  - HealthSmart uses local stores to store which popups you have already seen.
- HealthSmart uses browser fingerprinting, session cookies, and tracking pixels to provide our service and collect user activity statistics for quality improvement purposes. No form of ad targeting is used by our systems.
Regarding Data Security
- HealthSmart follows best practices of the Zero Trust Security model, which, in a nutshell, means that every access to a server or service requires strong user authentication and that the principle of least privilege is always followed.
- HealthSmart minimizes who can access confidential data; currently only essential team members have access to all user data.
- All administrative accounts are secured by strong passwords and two-factor authentication. Devices used to access confidential data use full disk encryption and are rigorously secured.
- Regular developers do not work with data from production systems, nor can they access the production systems themselves.
- All developers’ source code modifications are independently reviewed by another developer, and new versions of HealthSmart are only deployed after the Quality Assurance and Release Team has successfully completed extensive automated and manual tests.
- Support staff have the ability to look up the email address associated with a username to verify that a person making a support request is really who they purport to be.
- All staff have signed confidentiality agreements and those with access to confidential user data have received additional security and confidential data handling training.
- All staff are required to complete information security awareness training annually. This training covers the general threat landscape for business information security, including how to recognize phishing attempts, social engineering tactics, and executive impersonation, as well as best practices for password hygiene. Staff who handle customer PII receive additional, specialized training focused on data privacy and practical strategies for protecting sensitive information. Compliance is assessed through automated testing methods, such as simulated phishing emails. Staff who fail to meet the compliance threshold are enrolled in remedial training programs.
- HealthSmart user data is always encrypted in transit and at rest.
- Our production data is backed up hourly and the backups are stored for 30 days, after which they are destroyed.
- On customer request, or no later than 60 days after the end of a contract term, customer data is deleted. The method of deletion is prescribed and documented in the Customer Data Deletion Playbook. A request to run the playbook requires multiple approvals. Once the data is deleted, any required data destruction agreements are completed and sent to the customer.
- Our Incident Response Plan is available upon request.
- We have signed the Student Privacy Pledge 2020.
Google APIs Limited Use Policy
HealthSmart's use, and transfer to any other app, of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.