Privacy and Security Policy
Introduction
PhysednHealth (“we”, “us”, “our”) is committed to protecting the privacy and security of all our users, with special emphasis on safeguarding children’s privacy rights. This policy describes our practices for collecting, using, protecting, and sharing information.
1. Regulatory Compliance
Global Compliance Framework
We maintain compliance with major privacy regulations worldwide:
- Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Act (COPPA)
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Digital Personal Data Protection Act (DPDP)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Section 508 Accessibility Standards
State-Specific Compliance
We comply with state-specific privacy requirements including:
- New York SHIELD Act
- Illinois School Student Records Act (ISSRA)
- Illinois Student Online Personal Protection Act (SOPPA)
- Illinois Identity Protection Act (IPA)
- Illinois Personal Information Protection Act (PIPA)
2. Information Collection and Processing
Types of Information We Collect
- Registration Information: Name, date of birth, email address, postal address
- Account Credentials: Username and password
- Demographic Information: Gender, preferred language
- Contact Information: Phone numbers, email addresses
- Health and Fitness Data: Height, weight, physical condition
- Technical Data: Device information, IP address, cookies
- Usage Data: Activity logs, preferences, interaction data
Legal Basis for Processing
Under GDPR and similar regulations, we process personal data based on:
- Explicit consent
- Contractual necessity
- Legal obligations
- Legitimate interests
- Public interest
- Vital interests of the data subject
Automated Decision Making
We employ automated processing for:
- Exercise program customization
- Performance analytics
- Health recommendations
You have the right to:
- Obtain human intervention
- Express your point of view
- Contest automated decisions
3. Data Protection Measures
Technical Safeguards
- Bank-level encryption (AES-256) for data at rest and in transit
- Multi-factor authentication
- Regular security audits and penetration testing
- Continuous monitoring and threat detection
- Regular backup and disaster recovery procedures
Administrative Controls
- Role-based access control
- Regular employee privacy training
- Background checks for employees
- Confidentiality agreements
- Incident response procedures
Physical Security
- Secured data centers
- Access control systems
- Environmental controls
- Surveillance systems
- Asset management
4. Cookie Policy
Cookie Categories
- Essential Cookies
  - Required for basic site functionality
  - Cannot be disabled
- Functional Cookies
  - Remember preferences
  - Improve user experience
  - Can be disabled but may limit functionality
- Analytics Cookies
  - Track site usage
  - Help improve performance
  - Can be disabled
- Marketing Cookies
  - Support personalized content
  - Track across websites
  - Can be disabled
Cookie Management
- Browser settings can be adjusted to manage cookies
- Cookie consent can be modified at any time
- “Do Not Track” signals are respected
5. Student Data Privacy Protection
Educational Institution Data Access
- We receive student data exclusively through authorized educational institutions
- All data collection and processing is governed by our agreements with educational institutions
- We act as a School Official with legitimate educational interest as defined by FERPA
- We do not collect student personal information directly from students or parents
Compliance Framework for Student Data
- All data handling complies with FERPA requirements
- Processing adheres to state-specific student privacy laws including ISSRA and SOPPA
- Special protections applied for students under 13 (COPPA compliance)
- Educational institution agreements specify authorized data uses
Data Use Limitations
- Student data used solely for authorized educational purposes
- No commercial use of student personal information
- No creation of student profiles except for educational purposes
- No sale or unauthorized sharing of student information
Parent and Student Rights
- Parents retain FERPA rights through their educational institutions
- Access and correction requests should be directed to the relevant school
- Schools maintain control over student data sharing and deletion
- We assist educational institutions in fulfilling parent/student privacy requests
6. User Rights
Access Rights
- Right to access personal data
- Right to data portability
- Right to correct inaccurate data
- Right to delete personal data
Control Rights
- Right to withdraw consent
- Right to restrict processing
- Right to object to processing
- Right to opt-out of data sales
Response Timeframes
- Initial response within 48 hours
- Complete response within 30 days
- Extension possible up to 60 days with notice
7. Data Sharing and International Transfers
Third-Party Sharing
- Limited to necessary service providers
- Subject to strict data processing agreements
- No sale of personal information
- Regular audit of third-party compliance
International Transfers
- EU-US Data Privacy Framework compliance
- Standard Contractual Clauses (SCCs)
- Privacy Shield Framework principles
- Regular transfer impact assessments
8. Data Security Incident Management
Breach Notification
- Affected users notified within 72 hours
- Regulatory authorities notified as required
- Detailed incident reports maintained
- Regular testing of response procedures
9. Accountability and Governance
Privacy Leadership
- Designated Data Protection Officer (DPO)
- Privacy steering committee
- Regular privacy impact assessments
- Annual policy reviews
Documentation and Records
- Processing activities register
- Consent records
- Impact assessments
- Audit trails
10. Contact Information
Privacy Inquiries
Email: awesome@physednhealth.com
Phone: 202-579-9172
Mail: Privacy Officer, PhysednHealth, 7722 Fishing Creek Way, Clinton, MD 20735
Regulatory Contacts
For unresolved privacy concerns:
- EU: European Data Protection Board
- US: Federal Trade Commission
- California: Attorney General’s Office
Changes to This Policy
We reserve the right to update this policy at any time. Material changes will be notified to users via email or site notification. Continued use of our services after changes constitutes acceptance of the updated policy.
Effective Date
This policy is effective as of January 17, 2025, and supersedes all previous versions.