Privacy Policy.
Last Revised: August 31, 2021
We want you to understand how and why The Commons Project Foundation (“TCP,” “we,” “us”) collects, uses, and shares information about you when you use CommonPass mobile application (the “App”). Before using the App, please read the following carefully to understand how we will treat your personal data.
1. Applicability of this Privacy Policy
For the purposes of applicable data protection laws, TCP is the “controller” or “data user” of your personal data provided to, collected by, or processed in connection with the App. If you don’t agree with this Privacy Policy, do not access or use the App. This means that TCP is responsible for determining how and why your personal data is processed.
This Privacy Policy does not apply to TCP’s products, websites, or applications that do not incorporate this Privacy Policy by reference or that expressly refer to a separate privacy policy.
2. Personal data We Collect About You
When you use the App, we collect the following personal data:
From You. The App allows you to access your Health Record (as defined below), and consent to sharing that Health Record with TCP for purposes of providing the App. We will collect pass-thru information described in the “From the Third Parties You Approve” section below. If you correspond with us via email, we will collect your email address.
From Your Device. The App will also collect limited information about how you access and use the App if you experience a crash or another bug within the application. We may also collect statistics on how many times you use the App, your IP address, device type and its unique device identifier, the type of mobile browser, the mobile operating system that you are using, and other log data. Finally, with your permission, we may also access the Camera on your device solely for the purpose of scanning QR codes that contain Health Records.
From Health Providers You Approve. In order for the App to function, we must interface with the health providers you chose for purposes of collecting your digital health records related to your Covid-19 status. This additional information will include information such as the time of test, vaccination history, lab or facility where the test was taken, the type of test and identifiers linking the record to you (together, your “Health Record”).
3. Use of Your Data
We use your data for the following purposes only:
To provide and maintain the App. We use the personal data we collect to enable the App to function and to maintain and improve the App. This includes our efforts to keep the App and our users, safe and secure, enforcing the Terms of Use, ensuring our records are accurate and up to date; and otherwise administer the App, including through troubleshooting and testing.
To provide a CommonPass certificate to you. Your health provider may collect personal data that may be connected to your Health Record. Prior to sharing, you will be asked to consent to the health provider to share this information. This personal data is used only for the purposes of providing you with a CommonPass certificate. The CommonPass certificate generated does include cryptographic metadata linking it to you.
To communicate with you. We may also use your personal data to directly communicate with you about your use of the App or to respond to an email or submission from you.
To comply with the law. We may in some cases need to process your personal data in order to comply with applicable law, including requests from governmental authorities.
To establish, exercise, or defend legal claims and for related purposes such as the prevention or detection of fraud where necessary.
Unless otherwise indicated, there is typically no contractual or legal requirement to provide your personal data, however, if you do not provide it, then we may not be able to provide the App to you.
4. Sharing Your Data
Except in the instances listed below, we will not disclose your personal data to others unless you consent to it, nor will we ever sell your personal data to advertisers. However, we share your personal data in the following ways:
We may disclose your personal data to border control officials and other third-party travel partners such as airlines and airport personnel when instructed to do so by you through your use of the App.
We may share information with vendors, consultants, and other service providers who need access to such information to carry out work for us. Their use of personal data will be subject to appropriate confidentiality and security measures (e.g. cloud providers who host our App).
We may disclose personal data to law enforcement, regulators or others if we believe in good faith that it’s necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on us; (c) to protect or defend our rights or property or users of our Services or others; and/or (d) to investigate or assist in preventing any violation of the law;
We may share information if we believe your actions are inconsistent with the Terms of Service or the Code of Conduct, or to protect the rights, property, and safety of ourselves and others;
We may share personal data we collect about you in connection with a merger or reorganization of all or a portion of our organization or assets related to TCP.
5. Choices and Rights over your Personal Data
You have a number of rights with respect to the personal data we have about you, which may be restricted by law. One key right is the right to ‘object’ to the processing of your personal data in certain circumstances (e.g., if we have no legal right to keep using it). You also have the right:
To delete personal data. You can ask us to erase or delete all or some of your personal data. We will comply with this request unless there is a legal right for us to deny this request (for example, if we need to retain your data to comply with a legal obligation to which we are subject).
To change or correct personal data. You can also ask us to change, update or fix your data in certain cases, particularly if it’s inaccurate.
To limit, or restrict use of personal data. You can ask us to limit our use of your personal data (e.g., if your personal data is inaccurate or unlawfully held).
To access and/or take your personal data away (data portability). You can ask us for a copy of your personal data. For your own privacy and security, we may sometimes ask you to prove your identity before providing the requested information. In some cases, you also have a right to receive your personal data or have it transmitted to others in an interoperable, machine-readable format.
To withdraw consent which you have given. If you have given consent to process your personal data, you may withdraw it at any time by deleting the App and/or submitting a request to delete your personal data. This does not affect the lawfulness of our processing based on your consent prior to such withdrawal.
To not be discriminated against. TCP will not discriminate against you in any manner for exercising any of the above rights with respect to your personal data. However, TCP cannot control the actions of third parties with whom you choose to share information through the App.
Contact us at [email protected] if you would like to exercise any rights you have to control your personal data.
If you are based in the European Economic Area (“EEA”) or the UK, you also have the right to lodge a complaint with your local data protection authority if you believe that we have not yet complied with our data protection obligations. If you are based in, or the issue relates to, the UK, the Information Commissioner’s Office can be contacted as follows:
Email:[email protected]
Webform: www.ico.org.uk/concerns/
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you are based or the issue you would like to complain about took place in the EEA, please click here for a list of local data protection authorities in the countries within the EEA in which we operate.
Note that the rights outlined above only extend to personal information.
6. Retention and Deletion
We will keep your personal data only for as long as is reasonably necessary to provide the App to you and to fulfill the purposes described in this policy. When your personal data is no longer needed, we will destroy or irreversibly de-identify it.
7. Data Transfer
When you use our App, you may be sending personal data into countries that have different data protection rules than those of your country. As an example, the cloud service which we use to process personal data may be hosted in Switzerland or the data may be viewed from the United States by authorized TCP personnel. We take appropriate steps to protect your personal data when it is transferred across borders, and certain laws may require us to implement particular safeguards including ensuring there is adequate level of protection for the data transferred.
8. Our Legal Bases
We will collect, use and share your personal data only where we have a legal basis for doing so. This section explains the legal bases we rely on for processing personal data:
Consent. When you use the App to request your Health Records, we rely on your (explicit) consent in order to process and transfer your personal data. In the context of this App, you have been asked to review this policy and provide specific consent for the App to access your Health Records. If you consent, you may also withdraw your consent at any time – see Section 5 (Rights) above.
Legitimate Interests. We also process your personal data where it is necessary based on our legitimate interest in providing our App, understanding how our App is being used, improving the performance of our App, and protecting our App against illegal or fraudulent activity (ie. cyberattacks).
Legal Obligations. In some circumstances, we may need to process personal data where necessary to comply with applicable laws.
Contract Necessity. In some circumstances, we may need to process personal data for the performance of an agreement we have with you or in order to take steps at your request prior to entering into an agreement with you.
When processing sensitive personal data about you (such as personal data about your health), we may also rely on the fact that it is necessary for the establishment, exercise or defense of legal claims.
9. California Residents
The California Consumer Protection Act (“CCPA”) gives consumers who are residents of California the right to request certain information from businesses about their data collection practices. The CCPA does not apply to TCP because TCP is a non-profit organization. However, as part of TCP’s commitment to advancing the public good, it has voluntarily committed to CCPA compliance. In order to submit a CCPA request, please contact us at [email protected]. Please include in your request sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information. Please note that we do not sell your personal data and that TCP will not discriminate against you in any way based on your exercise of these rights.
10. Other Important Information
10.1 Security of Your Personal Data. Security of personal data is important to us. We implement security safeguards designed to protect your personal data. This includes safeguards to protect against anticipated threats or hazards to the security or integrity of the data, and to protect against unauthorized access, acquisition, leak, destruction, alteration, loss, disclosure or destruction. Despite these efforts, we cannot guarantee that your data may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or administrative safeguards. Please notify us immediately at [email protected] if you become aware of any security issues relating to our App.
10.2 Changes to This Privacy Policy. We evaluate our privacy policies and procedures to implement improvements and refinements from time to time. If we make any material changes to how we process your data, we’ll provide you notice through this Privacy Policy and by publishing a notice in the App. If you object to any changes, you may stop accessing the App or exercise other opt-outs or rights that we provide.
10.3 Children. The App is not designed or intended to be directly used by children (as defined by applicable law). However, a guardian or parent of a child may choose to use a health provider to consent to the use of the App to create a CommonPass certificate for their child. If we become aware that we have the personal data of such children collected through the App without parental consent, we will promptly delete it.
10.4 Contact Information. For any questions regarding this policy, please contact us at our US headquarters:
The Commons Project Foundation
420 Fifth Avenue, 19th Floor
New York, NY 10018
Our representative in the EU and the UK may be contacted at:
First European Data Rep BV
Schiphol Boulevard 195
1118 BG Schiphol