Clear2Go Application Privacy Policy

Effective Date: July 07, 2021
Date Last Updated: July 07, 2021

1. About Us and This Application
iCrypto, Inc. (iCrypto) is a privately held software company that provides a full-stack implementation of omnichannel mission-critical access control technologies for large enterprises and service providers. Our solution provides a mobile-centric, automated, highly accurate and user-friendly identity vetting solution combined with standards based OAUTH2 and OpenID Connect (OIDC) verification systems that allow Single-SignOn for embedded and legacy applications. Mobile based authenticators (FIDO2, etc.) provide cryptographic signed operations to verify identity for any Enterprise transaction.

The iCrypto CLEAR2GO Application (“Application”) is a smart digital health self-reporting service that allows real-time verification of certain Electronic Health Record (EHR) credentials such as vaccination records (including, but not limited to COVID-19 vaccination records) and diagnostic test results (including, but not limited to COVID-19 test results EHR records) on your mobile device.

2. Our Privacy Protection Values
iCrypto understands that you entrust us with your personal information with the expectation that it will be used only for specific purposes. We respect your expectation and place a high priority on protecting this information by limiting its use. At iCrypto, protecting your privacy is fundamental to the way our company conducts its business and we leverage the latest state of the art technology in order to aim for maximum protection.
3. Scope of this Privacy Policy

This Privacy Policy (Policy) applies only to the personal information collected by the CLEAR2GO Application (Application) both within the Application and when accessing services online, through iCrypto’s websites. This Privacy Policy is provided by iCrypto (“us,” “we,” or “our”).

We collect and process information about you as described in this Privacy Policy (“Policy”). We are committed to protecting the privacy of those with whom we interact. This Policy contains details about how we collect, use, and share Personal Information that we obtain from and about you when you interact with us through your use of the CLEAR2GO Application. Please read this Policy carefully.

Whenever you interact with us on behalf of another individual or entity, such as by providing or accessing Personal Information about another individual, you represent that your interactions and exchanges comply with applicable data protection laws. You shall have sole responsibility for any violation of privacy laws as a result of a failure to inform the other individual about how their Personal Information will be processed or to obtain any necessary consent from such individual.
We may update this Policy from time to time. The current Policy will be effective when posted. Please check this Policy periodically for updates. If any of the changes are unacceptable to you, you should cease interacting with us. When required under applicable law, we will notify you of any changes to this Policy by posting an update on our website. When required under applicable law, we will seek affirmative consent from you before making material changes to the way we handle Personal Information previously collected from you. If you do not provide such consent, Personal Information will continue to be used in a manner that is consistent with the version of this Policy under which it was collected.

4. Sources of Personal Information

Personal Information refers to any information relating to an identified or identifiable natural person or household.
We collect information about you and how you interact with us in several ways, including:

  • Information you provide to us directly. We collect the information you provide to us directly, including to our service providers acting on our behalf.
  • Information you provide to us indirectly. We collect the information from sources, such as healthcare providers, you authorize us to provide information on your behalf.
  • Information automatically collected or inferred from your interaction with us. We automatically collect technical information about your interactions with us (such as IP address, mobile device ID, and browsing preferences).
  • Information from public sources, including government entities from which public records are obtained and information you submit in public forums.
  • Information from third parties. We receive information about you and your interactions with us from third parties, such as from entities that use the CLEAR2GO Application to read credentials. In some cases that may include your employer, school, or other location where the CLEAR2GO Application is used.

 

We may combine information that we receive from the various sources described in this Policy, including third party sources and public sources, and use or disclose it for the purposes identified below.

Some of our partners – such as healthcare providers and medical records aggregators – are subject to laws and regulations governing the use and disclosure of health information they create or receive, including the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, together with the regulations adopted thereunder (“HIPAA”). When we store, process, or transmit “individually identifiable health information” (as defined by HIPAA) on behalf of a healthcare provider who has entered into a Healthcare Provider User Agreement, we do so as its “business associate” (as also defined by HIPAA). Under this agreement, we cannot use or disclose individually identifiable health information in a way that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of the individually identifiable health information we store and process on behalf of such providers. For the purpose of this Policy, the term “healthcare provider” means any user who is a “health care provider” (as defined by HIPAA) or any user who is a member of such health care provider’s “workforce” (as also defined by HIPAA).

5. Types of Personal Information We Collect

The types of information that we may collect about you are: 

  • Identifiers, such as your unique personal identifier, online identifier, identifier for mobile notification services, internet protocol address, or other similar identifiers. These identifiers will be used by us to confirm your identity and to communicate with CLEAR2GO Application.
  • Personal Biometrics such as a video selfie of your face. These identifiers will be used to match your data with that on the ID document you have provided and then will be discarded. Face images will not be stored on our servers. You will be asked for your specific consent to collect a visual image of your face via the phone CAMERA for face match purposes. You can refuse to provide this, but it means that we will be unable to register you and provide you with the Services. All Face image data will be discarded after onboarding and will not be stored on our servers and will not be shared with any other entity.
  • Personal information protected by Cal. Civ. Code 1798.80(e), such as passport number, driver’s license or state identification card number. This information will be used by us to confirm your identity. These identifiers will be used to confirm your identity and then will be discarded and not stored on our servers.
  • Personal Healthcare Information protected by Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), such as medical information regarding vaccine records and medical tests. This information will be used to self-report your test and vaccination status and will then be discarded and not stored on our servers.
  • Internet or other electronic network activity information, information regarding your interactions with us (including interacting with us online, by the mobile application, and through advertisements). This information will be stored in a de-identified manner and will not be associated with your identity. We will use this data to improve application experience and usability.
  • Mobile phone Geolocation can be collected from the device for reporting purposes but only with your explicit consent via the CLEAR2GO Application. Your exact location will never be stored or reported. Your country, city, state, and zip code of access will be reported in a de-identified format.
  • Audio, electronic, visual, thermal, olfactory, or similar information, such as video or photograph recordings of your interactions with our devices and related technologies, call center recordings, and customer support chat logs. This information will be stored in a de-identified manner and will not be associated with your identity. We will use this data to improve application experience and usability.

 

6. How We Use Your Personal Information
We may use each category of your information described above in the following ways:

  • To enable interactions between you and us, such as to process account creation and registrations; register and administer your account; provide you with services and support your interactions with us; diagnose, repair and track service and quality issues; provide requested product information; communicate with you about your account or our data practices; install and configure changes and updates to programs and technologies related to interactions with us; authenticate those who interact with us; or to respond to your requests, complaints, and inquiries.
  • To confirm your health status. Information you provide via your Electronic Health Record or that you otherwise share may be used to confirm your health status.
  • For our own internal business purposes, such as to evaluate or audit the usage and performance of programs and technologies related to interactions with us; evaluate and improve the quality of your interactions with us and programs and technologies related to interactions with us; design new services; process and catalogue your responses to surveys or questionnaires; perform internal research for technological development and demonstration; conduct data analysis and testing; maintain proper business records and other relevant records.
  • For legal, safety, or security reasons, such as to comply with legal requirements; protect our safety, our property, or rights of those who interact with us, or others; and detect, prevent, and respond to security incidents or other malicious, deceptive, fraudulent, or illegal activity.
  • In a de-identified, anonymized, or aggregated format. When converted to a de-identified, anonymized, or aggregated format, data no longer constitutes Personal Information in certain jurisdictions, and we may use this information for any purpose as legally permissible.
    As part of using the Clear2Go Application, we will put your data in a large database for broad sharing with the research community.
    These databases are commonly called data repositories. The information in this database will include but is not limited to extracts from the electronic health records that you have shared.
    If your individual data are placed in one of these repositories, they will be labelled with an alphanumeric code (de-identified) and not with your name or other information that could be used to easily identify you.
    Prior to accessing the data, researchers will be required to agree that they will make no effort to contact or identify individuals who are or may be the subjects of the data.
    We do not retain (store) any Personally Identifiable Information (PII). All other information is stored in a de-identified (anonymised) format.
  • For any other purposes for which you provide consent.

 

7. With Whom We Share Your Personal Information
By design our service does not store any identifiable information regarding your person, and hence it is not possible to disclose any personal identity and health information advertently or inadvertently.

We may de-identify, anonymize, or aggregate Personal Information to share with third parties, such as National Institutes of Health (NIH) data hubs, for any purpose as legally permissible.

8. Security and Retention
We maintain reasonable security procedures and technical and organizational measures to protect your Personal Information against accidental or unlawful destruction, loss, disclosure, alteration, or use.

We will retain your personal information, for no longer than is necessary to enable you to use the Application, unless we need to keep your information to comply with applicable legal, regulatory, or other obligations, or the information is required for business reasons (such as to resolve disputes, provide service and enforce agreements). In any event, we will retain your information for the period stated in our retention schedule, at which point iCrypto will take steps to securely and permanently dispose of your personal information, according to applicable laws and regulations.

9. Children’s Privacy
Interactions with us are intended for individuals 16 years of age and older. Our interactions are not directed at, marketed to, nor intended for, children under 16 years of age. We may collect information, including Personal Information and Health Information, for children under 16 years of age that may be attached to your account as head of household (the term is as applied in TITLE 1.81.5. California Consumer Privacy Act of 2018). All such collections and display of information are under authorization from you and will only be shared with third parties with your consent.

If you believe that we have inadvertently collected Personal Information from a child under the age of 16, please contact us at the address below and we will use reasonable efforts to delete the child’s information from our databases. In all cases where we may be provided with personal information relating to children, with your authorization, the information in the relevant parts of this Policy applies to children, as well as adults.

10. Terms of Use

The End User License Agreement for interactions with us is incorporated by reference into this Policy and can be found here.

11. Contact Info/Your Choices
If you have questions regarding this Policy, please contact us at:

  • Attention: CLEAR2GO Application
  • EMAIL: support@clear2go.io
  • U.S. MAIL: 4701 Patrick Henry Drive, Bldg. 16, Suite 1M, Santa Clara, CA 95054 U.S.A.

To opt-out of receiving promotional email messages from us, please click on the “Unsubscribe” link contained at the bottom of each email or by contacting us using the information above.

12. Your California Privacy Rights

Pursuant to the California Consumer Privacy Act of 2018, below is a summary of the Personal Information we collect from consumers, the sources from which we collect the Personal Information, the business or commercial purpose for which the Personal Information is collected and the categories of third parties with whom we share consumer Personal Information. The section references relate to the sections above in this Policy.

Sources of Personal Information
The categories of sources of Personal Information are detailed in the Section 4 above and are summarized as follows: (a) directly from you, (b) through automated technologies or interactions, (c) public sources, and (d) from third parties.

Uses of Personal Information
The business and/or commercial purposes for which we collect personal information are detailed in the Section 6 and are part of the following general purposes: (a) performing services, (b) auditing, (c) legal and compliance, (d) quality assurance, (e) security, (f) debugging, (g) short term, transient use, (h) internal research, and (i) corporate transactions.

Sharing Personal Information
The categories of third parties to whom we disclose personal information for a business purpose are detailed in the Section 7 and are summarized as follows: (a) third party service providers, (b) legal, safety, and security, (c) corporate transactions, (d) with third parties from whom you seek credentials, and (e) otherwise with your consent.
Our data sharing practices are detailed in the chart below and align with the categories described in Section 5 (Personal Information) and Section 7 (Sharing).

Categories of Personal Information Categories of Third Parties to Which We Disclose Personal Information for a Business Purpose
Identifiers
  • Third party service providers
  • Third parties from whom you seek credentials
  • For legal, security, and safety purposes
  • In connection with a corporate transaction
  • Entities to which you have consented to the disclosure
Personal information protected by Cal. Civ. Code 1798.80(e)
  • Third party service providers
  • Third parties from whom you seek credentials
  • For legal, security, and safety purposes
  • In connection with a corporate transaction
  • Entities to which you have consented to the disclosure
Internet or other electronic network activity information
  • Third party service providers
  • For legal, security, and safety purposes
  • In connection with a corporate transaction
  • Entities to which you have consented to the disclosure
Audio, electronic, visual, thermal, olfactory, or similar information
  • Third party service providers
  • For legal, security, and safety purposes
  • In connection with a corporate transaction
  • Entities to which you have consented to the disclosure

California Consumer Privacy Act Rights
Subject to legal limitations, certain California residents may exercise the following rights by emailing us at support@clear2go.io or by writing us at 4701 Patrick Henry Drive, Bldg. 16, Suite 1M, Santa Clara, CA 95054 U.S.A.

  • Right to Know. You have the right to request information about the categories of Personal Information we have collected about you, the categories of sources from which we collected the Personal Information, the purposes for collecting the Personal Information, the categories of third parties with whom we have shared your Personal Information, and the purpose for which we shared your Personal Information (“Categories Report”). You may also request information about the specific pieces of Personal Information we have collected about you (“Specific Pieces Report”).
  • Right to Delete. You have the right to request that we delete Personal Information that we have collected from you.
  • Right to Opt Out. You have the right to opt out of the sale of your Personal Information. However, we do not currently sell your Personal Information (including the Personal Information of anyone under 16 years of age). Should this change at any point in future we will update this Policy, notify you of any changes, and provide you with the appropriate mechanism to exercise your right to opt-out from the sale of your personal information.

You may submit a request to exercise your Californian privacy rights to us by using any of the contact methods at Section 11 as might apply to you. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.

When making a request, please provide the following information:

  • First and Last Name
  • Email Address
  • Type of request you are making

 

Verification: In order to exercise your rights, we will need to obtain information to locate you in our records or verify your identity depending on the nature of the request. If you are submitting a request on behalf of a household, we will need to independently verify each member of the household. For a Specific Pieces Report, we will request Personal Information sufficient to verify your identity to a reasonably high degree of certainty and will seek a signed declaration, under penalty of perjury, that you are who you say you are. In most cases, we will seek to match at least two data points to information we already have about you for this verification process. For a Categories Report or a Request to Delete, we will request Personal Information sufficient to verify your identity to a reasonable degree of certainty. In most cases, we will seek to match at least two data points to information we already have about you for this verification process.
In certain circumstances, we may require additional or different data in order to verify your identity. If you make a request (1) for a Specific Pieces Report, (2) as an authorized agent, or (3) on behalf of a household, we will contact you via email following your initial request to obtain information specifically needed for your type of request.

Authorized Agents: Authorized agents may exercise rights on behalf of consumers. If you are an Authorized Agent, we will request written and signed authorization from the consumer and will seek to verify the consumer as described above, or we will accept a legal Power of Attorney under the California Probate Code. We will also require evidence of your (the agent’s) identity and proof of registration with the California Secretary of State.

Timing: We will respond to Requests to Delete and Requests to Know within 45 calendar days, unless we need more time in which case, we will notify you and may take up to 90 calendar days total to respond to your request.

California Shine the Light: If you are a California resident, you may opt out of sharing your Personal Information with third parties for the third parties’ direct marketing purposes. Please contact us at support@clear2go.io if you would like to do so.

13. Your EU Privacy Rights

For the purposes of the EU General Data Protection Regulation (GDPR) iCrypto is the controller for the personal information we process, unless otherwise stated. For all data protection enquiries and/or concerns in connection with your EU privacy rights please contact our Data Protection Officer at support@clear2go.io or any of the other ways to contact us at Section 11 as might apply to you.
Pursuant to the GDPR below is specific information which relates to the processing of personal information of data subjects who are in the EU. The section references relate to the sections above in this Policy.

Purpose of Processing
The business and/or commercial purposes for which we process personal information are detailed in the Section 6 and are part of the following general purposes: (a) performing services, (b) auditing, (c) legal and compliance, (d) quality assurance, (e) security, (f) debugging, (g) short term, transient use, (h) internal research, and (i) corporate transactions.
If we intend to process your personal information for any additional purpose(s), we will provide you with information on the other purpose(s) and seek your prior consent.

Legal Basis
The legal basis for the processing of your personal data is one of the following:

  • consent, or
  • to provide the service for which you entered into a contract with us when you accepted the terms and conditions of the EULA when you downloaded the Application or
  • to comply with a legal obligation to which we are subject.
    Please note that the provision of personal information is a requirement of the contract you entered into with us when downloading the Application and is necessary to enable us to provide our services to you through the Application. Where you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time.

Sharing Personal Information
The categories of third parties to whom we disclose personal information for a business purpose are detailed in the Section 7 and are summarized as follows: (a) affiliates and subsidiaries, (b) third party service providers, (c) legal, safety, and security, (d) corporate transactions, (e) with third parties from whom you seek credentials, and (f) otherwise with your consent.

Transfer of Personal Information
Personal information from inside the EU may be processed by iCrypto in the U.S., for the purpose of providing customer service and support. Appropriate safeguards are in place via standard data protection clauses adopted by the EU Commission which are available on request. If we share your personal data with external third parties outside of the E.E.A. we use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under the GDPR.

Data Retention
We will retain your personal information for no longer than is necessary to enable you to use the Application, and to comply with our legal obligations, resolve disputes, and enforce our agreements but in any event, no longer than 1 year after the last time you interacted with or used the Application.

Data Subject Rights
If you wish to access, correct, delete or update your personal information, restrict or object to processing or exercise a right to data portability (where technically feasible) please refer to the functionality available within the Application on the user profile page or email us at support@clear2go.io. We will respond to reasonable requests in accordance with relevant data protection laws.

Compliance
We work to high standards when it comes to processing your personal information. If you have any queries or concerns about our approach to protecting your information, we welcome the opportunity to make things right for you and encourage you to contact us by one of the methods at Section 11.
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.