What information do we collect from Visitors to our Site?
You may visit our Site and not use our Services. We do not collect any of your personal information when you visit our Site. We track visitor information, such as total number of visits to our Site, number of visits to each page of our Site, browser type, and IP addresses (we remove identifying information from IP addresses). We study this data for trends and statistics.
What information do we collect from Customers?
If you are a Customer, we collect and use your information and content you add to our Services to provide and improve the Services you signed up for under the applicable agreement. Specifically, we collect the following categories of information from Customers:
- Personal identifiers (e.g., name, address, email address)
- Credit card and bank account numbers
- Site Activity (e.g., keystrokes, activity pattern, browsing history, consumer interaction)
- Cookies (e.g, browser cookies, flash cookies, web beacons, session cookies, and persistent cookies)
This information is collected directly from the Site Customer. When the Customer creates an account on the Site, we request access to above data. Additionally, after the Customer creates an account, we request read and write access to their primary database.
We may use Customer information to give you Service-related updates and verify your authority to use our Services. If you want us to delete personal information, you can make a request by emailing us at email@example.com
In addition, we may collect other types of information for user businesses including the above mentioned information and the business name.
How do we use Anonymized Data?
We may use certain De-Identified Data to identify trends, statistics, security, research, or for other reasons. “De-Identified Data” is data we create by removing all direct and indirect personal identifiers from data we collect. We do not re-identify De-Identified Data and we do not transfer De-Identified Data.
How do we collect and use your information?
All data that enters our system is encrypted, using an unshared key. We gain information about the Customer's role before the data can be unlocked. This restricts information from being shared with users who do not fall under an authorized role. This prevents us and any unauthorized individuals from accessing your data.
We only collect the information we need to provide the Services (see Question #3 for more details on the particular Services we offer and what data we use to offer those Services). All records that Institutions send us are owned by the Institution.
“PII” means personally identifiable information that can identify you, such as your name, email address, or phone number. We will not give your PII to anyone outside of your Institution.
Subscription: To register this subscription, you must create an account and provide PII along with information regarding the Institution’s Platform.
Marketing: We send marketing notification to Customers. Institutions have the right to opt-out of marketing communications we send at any time. You can do this by clicking the “unsubscribe” link in the marketing e-mails we sent you. Please note that such marketing opt-out does not impact any transaction or operation notices that we may need to send you.
Notifications: We offer notification updates to Customers regarding shared information. Customers can tailor their notifications, allowing them to opt-in or opt-out. Additionally, Customers can change their subscription preferences through prompts provided in e-mails.
Payment: We use a third-party merchant provider, Stripe, to process payments. This company is compliant with the Payment Card Industry Data Security Standard. All card information is saved within Stripe’s system to which we have access.
Are we a controller or a processor?
The Site is the “data controller” responsible for your information, whereas we are the data processor for any information that you submit to us.
What is the Legal Basis for processing your information?
Our legal basis for collecting and using your information depends on the information and the context in which we collect it. We collect your personal information if (i) we have your consent to do so, (ii) we need the personal information to perform a contract with you, or (iii) the processing is in our legitimate business interests. We may have a legal obligation to collect personal information from you. If you have questions concerning the legal basis for how we collect and use your personal information, please contact us at firstname.lastname@example.org.
What are the Legal Purposes for processing your information?
legal purposes for collecting and using your information include:
Identification and account administration: Your PII will be used to analyze account trends and manage and administrate your account.
Quality management and customer care: We process information to improve the quality of our Services.
Law and harm: We may process PII as needed to comply with legal obligations, conduct security, and to defend and prosecute legal claims.
What Third Party Services receive your information?
Third parties help us provide our Services, such as hosting our Site, help center, and knowledge bases. Although we do not give your personal information to third parties for any use, we do not control third parties’ ability to collect information your web browser sends to them through their own tracking technologies. If you have any questions about these third-party technologies, you should contact the responsible provider directly.
When do we destroy and delete your information?
We store Customer data for up to 30 days after the end of an applicable agreement, unless the agreement says otherwise. We may be able to keep the data for a longer period of time if an Institution pays an additional fee and we both agree.
Additionally, Customers can make their own alterations to their billing information, shipping information, and credit card information.
Upon termination of an agreement between an Institution and us, the Institution can tell us whether we either: 1) destroy the data, or 2) deliver it to the Institution. Any questions regarding data storage, recovery, and deletion should be directed to:
Phone Number: +1 (312) 728-7316
How do we protect the rights of minors?
We do not have specific Services for minors. Our Services are intended for adults, age 18 and over. Children age 13 and younger should not create an account on the Site. If you use our Services, you are telling us that you are legally able to form a binding contract with us.
If we learn that we collected personal information from an individual ineligible to access or use the Services, we will remove that information. Please contact us if you think we have any ineligible user information: email@example.com.
When can we disclose your personal information?
As mentioned above, we do not collect any student user PII. To the extent we have any Institution PII, We may disclose your Institution PII in the following circumstances:
Law and Harm: We may disclose your information if we believe that it is needed to comply with a law, regulation or legal request; to protect a person’s; to address fraud, security, or technical issues; or to protect APFusion's rights or property.
Business Transfers: If we are involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be sold or transferred as part of that transaction. This Privacy Statement applies to your information as transferred to the new entity.
How will we notify you in the event of a Data Breach?
We have an information security plan to protect the security, confidentiality, and integrity of your PII. As part of our information security plan, we will notify affected individuals and Institutions of a data security breach without unreasonable delay and in no event later than 72 hours after we discover the breach. We will notify you by the contact information that you provide to us on record for the individual or Institution. Written notification will contain:
- A brief description of the breach, including, if known, the date of the breach and the date the breach was discovered;
- A description of the types of PII involved in the breach;
- A description of the steps the affected individual or Institution should take to protect against potential harm from the breach;
- A description of what APFusion is doing to investigate and ease the breach and to prevent future breaches; and
- Contact information for people who can answer questions, which will include a toll-free telephone number, an email address, website or postal address.
- If there is a serious breach where unsecured PII may be misused, we may also contact the individual or Institution by other means, as appropriate.
What special considerations are there for California users?
We do not provide your PII to any third parties for direct marketing purposes as defined in California Civil Code Section § 1798.83. Please contact us at firstname.lastname@example.org for any questions regarding your PII.
AB 1584 is a California law that defines student and educational agencies rights regarding student records. We comply with AB 1584 as described in this Privacy Statement and as applicable, any agreements with California Institution(s).
What special considerations are there for users outside of the United States?
General:By using the Services you acknowledge and agree that: (i) we will process your information as described in this Privacy Statement; and (ii) you consent to us transferring your information to us and our facilities in the United States or elsewhere, including those of third parties as described in this Privacy Statement. If you are a user outside of the United States, your PII is stored in Germany, while all non-PII (e.g., aggregated data) is stored and processed outside of Germany. In the event we are required to transfer data outside of the specified regions, we are Privacy Shield certified as further described below.
European Economic Area (EEA) or Switzerland:If you are based in the EEA or Switzerland, you acknowledge and agree that we may transfer your information (including personal information) to us and our facilities in the United States or elsewhere, including those of third parties as described in this Privacy Statement. Please review our Terms of Service and the applicable Institution agreement for more information regarding any data protections that may apply.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.APFusion adheres to EU General Data Protection Regulation (“GDPR”). If you have questions, refer to our GDPR page.
APFusion participates in and has certified that it complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We subject all personal data received from European Union (EU) member countries, the United Kingdom, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework's applicable principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce's Privacy Shield site or download this PDF of a Privacy Shield overview.
Under the Privacy Shield frameworks, APFusion is responsible for processing the personal data it receives, under each Privacy Shield Framework, as well as transfers to a third party acting as an agent on its behalf. APFusion complies with the Privacy Shield principles for all onward transfers of personal data from the EU, the United Kingdom, and Switzerland, including the onward transfer liability provisions.
For personal data we receive or have transferred under the Privacy Shield frameworks, APFusion is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (for issues pertaining to Privacy Shield). If public authorities make lawful requests for information, such as to meet national security or law enforcement requirements, we may be required to disclose personal data.
If you have concerns about an unresolved privacy or data use that we have not addressed satisfactorily, please contact our U.S.-based, third-party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. As described on the Privacy Shield website, you may be able to invoke binding arbitration when you have exhausted other dispute resolution procedures.
What other information do users in the European Economic Area (EEA) or Switzerland need to know?
If you are based in the EEA or Switzerland you have other rights:
Right of Access: You can access your collected personal information by contacting us at email@example.com.
Right to correct, update, or delete: You can correct, update or request deletion of your personal information through the Service interface, or by contacting us at firstname.lastname@example.org.
Right to restriction of processing: You can ask us to restrict processing your personal information.
Right to take your data: You can ask to take your personal information that you provided to us, in a structured format, from us.
Right to object: You may object on to the processing of your personal information by us and your Institution at any time. This right does not exist if we have already processed your personal information.
Data Protection Authority: You have a right to raise questions or complaints with your local data protection authority at any time.
Effective: October 23, 2023