Aquifer Privacy Policy

Policy last reviewed: March 15, 2023

  1. Transparency.  This Privacy Policy is effective on July 1, 2020. Aquifer may update this Privacy Notice at any time without prior notice, but Aquifer will generally provide thirty (30) days’ notice via this page.  This Privacy Policy covers use of any aquifer.org or med-u.org domain Websites and Software means the Aqueduct learning management system Software.   If you have questions concerning this Policy, you may contact Aquifer’s data protection officer at privacy@aquifer.org.

    As a medical education nonprofit corporation, our business model is fundamentally different from that of commercial companies that collect your Personal Information to monetize such data. We do not and will not sell or rent your data to third parties.  Our Privacy Policy provides important information about how Aquifer, Inc. collects, uses, processes, protects and discloses your Personal Information when you use Aquifer Websites or Aquifer Software.  It also details the kinds of Personal Information we collect when you visit our Websites, and the kinds of Personal Information that are collected when you use or interact with the Aquifer Software through your school’s Institutional Subscription.

    Your school or institution decides how your personal information is used. We provide services to end-users of a school or institution as a so-called ‘data processor’ on behalf of our Institutional Subscribers. In those instances, this means that the main responsibility for data privacy compliance lies with your school or institution as the ‘data controller.’ It also means that your institution’s privacy statement governs many uses of your personal information (instead of ours).  If you subscribe to our services directly and not through a school or institution, Aquifer acts as a ‘data processor.’

    Aquifer Websites and Aquifer Software are not intended for children and we do not permit anyone under the age of 17 to register on Aquifer Websites or use Aquifer Software.  If we become aware that we have inadvertently collected Personal Information pertaining to anyone under the age of 17 we will delete such information from our records.
  2. Data Collection.  Aquifer collects Personal Information you voluntarily provide when you use Aquifer Websites or use Aquifer Software, when you sign up to receive email newsletters or other communications from Aquifer, when you apply for a job with Aquifer via the Aquifer Website, when you register to use Aquifer Software, or when you are rostered for use of the Aquifer Software by authorized faculty and administrators who provide your institutional email.  A valid name and email are required for you to use the Aquifer Software.  If you are an Individual Subscriber, our payment processor will collect your contact and billing information.

“Personal Information” is information about you that can be used either directly or indirectly, alone or in combination, to identify you, and may include personal identifiers such as your name, e-mail address, institution and expected graduation year, professional title and affiliation, or IP address.  Aquifer does not collect information about ethnicity, gender, age, national origin, cultural, religious, or other sensitive personal information.

Aquifer automatically collects and records information from a variety of sources, such as information about your browser and device, through Aquifer and third-party cookies, web beacons, VAST tags, pixel tags, social media buttons, URL links, and other methods. We collect data including, but not limited to, the pages viewed on Aquifer Websites and Aquifer Software, the amount of time on each page, what you clicked, including any answers you click or type, unique identifiers such as your IP address and device ID, and the time and date of your access.

Aquifer limits the data we collect to what is  operationally necessary to use the Aquifer Websites and Aquifer Software.  We use necessary cookies for providing you the information and services you request through our Websites or Software, preference cookies for remembering information you previously entered to personalize, or otherwise improve your experience on our Websites or Software, provide reporting to authorized faculty and administrators on behalf of and under the instruction of your institution, and analytics cookies to conduct research with anonymized data to better understand medical education learners generally.  We do not use marketing cookies or web beacons. We also use third party cookies and web beacons in emails to notify us when you click on a link in the email and are directed to an Aquifer Website or Software.

Aquifer may collect information about performance compared to that of your peers, project your future performance, and we provide this information to authorized faculty and administrators of your institution so they can support your learning.

If you use social media buttons on the Aquifer Websites, cookies may be set by the respective social media networks to track your online activity. Aquifer has no direct control over the information that is collected by third party social media. You should review the privacy policies on those websites to understand the details about collection and use of your personal information and rights you may have with regard thereto.

3. Data Sharing.  Aquifer shares Personal Information about you with third parties only under the following circumstances and for the following purposes, including but not limited to:

    • When we have your permission to provide you with the services you requested and to carry out your instructions, or as requested on your behalf by authorized faculty and administrators via your school’s Institutional Subscription.
    • When required by authorized faculty and administrators via your school’s Institutional Subscription.
    • When required by law to respond to subpoenas, court orders, or legal process by public authorities or law enforcement, or to investigate, prevent, or take action regarding illegal activities or suspected data breaches.  
    • When you download an Aquifer application from sites like the Apple App Store and Google Play.
    • We may share your Personal Information with the following third-party service providers or vendors that we engage to support Aquifer Websites or Software.  Examples include providers of website hosting services, website analytics services, payment processors, and email communication services. These third parties are authorized to process your Personal Information solely for the purposes of providing the relevant services to Aquifer. 

      Vendor; Related Policies

Heroku; https://www.salesforce.com/company/privacy/

Amazon Web;  https://aws.amazon.com/privacy/

Breakthrough; https://www.breaktech.com/privacy-policy

Walkme; https://www.walkme.com/privacy-policy/

NYU WISE; https://lms.wisemed.org/local/staticpage/privacy_policy.html

Bluehosts; https://www.endurance.com/privacy/privacy

Stripe; https://stripe.com/privacy

Google; https://policies.google.com/privacy

    • In anonymous format, your data may be provided to authorized faculty conducting research in medical education.

Aquifer Websites and Software include links to other websites owned or operated by third parties, such as educational materials.  Aquifer is not responsible for the privacy or security practices of any third-party websites, which are governed by their own privacy policies.  You should review the privacy policies on those websites to understand the details about collection and use of your personal information and rights you may have with regard thereto.

Aquifer does not sell or share data with third parties for advertising or marketing purposes. 

4. Data Context.  Data is collected for providing medical education to users, and to permit research to improve medical education.  Research data is used in both pseudo-anonymized and anonymous format.  All personally identifiable information is fully anonymized, while institutional affiliation is pseudo-anonymized.  Institutional data may only be re-identified with permission and subject to approval by the researcher’s Institutional Review Board.  The data index available to researchers may be requested by emailing privacy@aqufier.org.

5. Data Control.  Your use of the Aquifer Websites and Aquifer Software creates data which becomes the property of Aquifer, Inc. and may be provided to your school.  Via your school or institution, you may opt-out of using Aquifer Websites and Software, but this may impact your medical education.  After you opt-out, we will delete or anonymize relevant information concerning you, unless otherwise provided by applicable law.  You may not opt-out of providing anonymized data for medical education research, even if your operational data and access to Aquifer Websites and Software is deleted.  While we will try to comply with any request pertaining to your Personal Information in accordance with applicable law, please be aware that we may not be able to fulfill requests pertaining to information already shared with third parties including your school or institution. Some information may be retained on our systems for archival or recordkeeping purposes, and some residual digital information cannot be removed or changed.  And requests to review your data must be submitted via your school or institution.

Aquifer may retain your information (including Personal Information) for any lawfully permitted period of time, and as necessary to comply with our legal and contractual obligations, enforce our agreements, and enable us to investigate events and resolve disputes.  In addition, in an anonymized format for research purposes Aquifer may retain your data indefinitely. If Aquifer were acquired or enters bankruptcy, your information described in this Privacy Policy would be among the assets that are likely to be transferred or acquired by a third party.

6. Data Protection.  We take reasonable administrative/organizational, physical, and technical measures to protect the confidentiality and integrity of your Personal Information. However, no data transmission over the Internet can be guaranteed to be 100% secure. While we strive to protect information transmitted on or through our Websites and Software, we cannot and do not guarantee the security of any information you transmit.

Aquifer uses reasonable security methods to protect Personal Information and prevent unauthorized access, disclosure, use, modification, damage to or loss of data. For example, when exchanged between your browser and Aquifer Websites and Software we protect your data via SSL/TLS encryption; we provide an https secure method for browsing Aquifer Software; we use database encryption for personal data protection; we conduct vulnerability scans to help prevent malicious data attacks; we use access controls to ensure that only authorized persons can access personal information; and we conduct periodic training on security and privacy protection to enhance our employees’ awareness of the importance of protecting personal information.

If we discover that a personal information security incident (“data breach”) has occurred, we will, where required by law and pursuant to legal requirements, inform you in a timely manner about the incident and possible impacts, the response measures we have taken or will take, and any remedial measures taken.  We will notify impacted users in a reasonable way.

If you connect with Aquifer through social media, such as liking us on Facebook or tweeting about us on Twitter, those social networks will record that you have done so.  If you wish to opt-out of any of these social interactions please refer to the specific social media platform for instructions on how to do so.

7. Users Located in California.  Aquifer is not bound by the California Consumer Privacy Act of 2018 (CCPA).    California Civil Code Section 1798.83 permits users that are California residents to request certain information regarding our disclosure of personal information to third parties for such third parties’ direct marketing purposes. If you are a California resident and would like to make such a request, please contact us at privacy@aqufier.org

8. Users Outside the United States.  If you are in one of the EU/EEA countries, you are entitled to certain rights under the General Data Protection Regulation (GDPR) EU Regulation 2016/679 and applicable national data protection regulations.  We provide most of our products and services to end-users of a school or institution as a so-called ‘data processor’ on behalf of subscribers who are Data Controller(s) of the Personal Information of Users on that account. Aquifer is the Data Processor carrying out data processing activities and instructions on behalf of each Data Controller.  In those circumstances, Aquifer has certain obligations as a data processor regarding your Personal Information under the GDPR, and your school as a data controller will also be responsible for protecting your rights under the GDPR.  If you contact us regarding information controlled by your school, we may forward your requests or inquiries to the relevant authorized administrator at the school.

By visiting the Aquifer Websites or using Aquifer Software, you acknowledge that we may process your Personal Information for the purposes described in this policy, either on the basis of your consent or if we have other lawful grounds to do so; that Aquifer operates and processes Personal Information primarily within the United States; and you understand that Aquifer may transfer data outside of the EU/EEA.

If you are in one of the EU/EEA countries and have subscribed to and use Aquifer’s services directly and not through a school or institution, with respect to your Personal Information:

    • You have the right to withdraw consent to processing, where consent is the basis of processing. This means you may withdraw your consent to processing by requesting we remove your access to Aquifer Websites and Software, and requesting that we delete your Personal Information by contacting us at privacy@aquifer.org.  
    • You have the right to access your Personal Information that we hold and request further details about how we process it, under certain conditions.  
    • You have the right to demand rectification of inaccurate Personal Information about you. We will promptly correct any information found to be incorrect.
    • Please note that we may need to verify your identity before processing removal, access or correction requests.
    • You have the right to object to unlawful data processing under certain conditions.
    • You have the right to erasure of past personally identifiable data about you (your “right to be forgotten”) under certain conditions.
    • You have the right to demand that we restrict processing of your Personal Information, under certain conditions, if you believe we have exceeded the legitimate basis for processing, processing is no longer necessary, or if you believe your Personal Information is inaccurate.
    • You have the right to data portability of Personal Information concerning you that you provided us in a structured, commonly used, and machine-readable format, subject to certain conditions.
    • You have a right to complain to the applicable data protection supervisory authority if you believe that Aquifer is processing your Personal Information in violation of applicable laws.

9. Family Educational Rights and Privacy Act.  Aquifer provides educational products and services to educational institutions, and some data may be subject to limitations by the Family Educational Rights and Privacy Act (FERPA). Through the Aquifer Websites and Software, we collect personally identifiable information from or about students (“Student Data”). We consider such Student Data to be strictly confidential and in general do not use such data for any purpose other than improving and providing our products and services to the educational institution or on the educational institution’s behalf. Our collection, use, and sharing of Student Data is governed by our contracts with the educational institutions, the provisions of FERPA, the Children’s Online Privacy Protection Act (“COPPA”), and other applicable laws that relate to the collection and use of personal information of students.

Some personal information disclosed may be considered “Directory Information”  (§ 99.32(d)(4)) and may be used without restriction in conformity with the Family Educational Rights and Privacy Act.  Aquifer generally considers name, email and institutional affiliation to be Directory Information.  In addition, while not disclosing Personal Information, Aquifer may disclose in anonymized format student data for medical education research (§ 99.31(a)(6), and subject to a proposal approved by the researcher’s Institutional Review Board) to develop predictive tests and improve medical education instruction.  Aquifer enters into written agreements with researchers covering any disclosure of personal information and requires that disclosed anonymized data be destroyed when no longer needed for study purposes.

Eligible students have the right to have access to and inspect his or her education records, the right to seek to have the records amended or add a written statement to the records, the right to have control over the disclosure of personally identifiable information from the records (absent prior consent and except in certain circumstances specified in the FERPA regulations), and the right to file a complaint with the Department of Education.  If you have any questions about reviewing, modifying, or deleting your personal information, please contact your educational institution directly.