Privacy Notice

Effective date of this Privacy Notice – January 31st, 2020.

Summary of Changes:
This revision contains non-material changes such as new company address, EU representative and minor editorial and formatting.

This Privacy Notice (the "Notice") describes how ImPACT Applications, Inc. (the “Company”, “we”, “us”) collects, stores, transmits, and protects any information that you give when you use any of the Company’s products and services (each a “Service” and collectively, the “Services”). This Notice applies to all of your use of the Services and describes how your Personal Information* will be treated as you use the Services.

*”Personal Information” is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

The Company is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using the Services, then you can be assured that it will only be used in accordance with this Notice.

This Notice applies to the information collected by the Company on behalf of Health Care Providers or Institutions (e.g., physician, school, sports club, etc.) through Concussion Management Products and supporting applications including:

  • Test Applications: ImPACT, ImPACT Pediatric (available through ImPACT Toolkit), and ImPACT Quick Test (available through ImPACT Toolkit);
  • Mobile Applications including ImPACT Toolkit that permit users to perform cognitive tests on mobile devices, and ImPACT Passport that allows the test takers to store their unique ID and record symptoms; and
  • ImPACT Customer Center web service that enables test results and information collected through Test Applications and Mobile Applications and uploaded to the Company servers to be managed by healthcare providers.

This Notice also describes how we collect and use information that customers provide to us in connection with:

  • Creation or administration of ImPACT Applications accounts, which we refer to as “Account Information”. For example, Account Information includes names, usernames, phone numbers, email addresses, and billing information associated with a customer’s account;
  • Training and Education products and services; and
  • Information about all Services provided via periodic notifications or requested by visiting the Company sites.

What Information We Collect?

We collect only the minimum necessary information to provide the Services. Depending on the Service, we may collect one or more the following types of information:

  • Contact information, such as name, email, and phone number.
  • Payment and billing information, such as address, credit card, or bank account details (this information will be encrypted and processed by accredited third party providers and will not be retained upon successful completion of the transaction).
  • Demographic information, such as age, gender, language preference, schools or sports clubs, and education.
  • Health related information, such as symptoms, concussion history, and medical history related to concussions, and test results.
  • Training and education related data, such as session results, and times/dates of sessions.
  • Company website related data, such as browser type and IP address.

How do we use your personal information?

We use your personal information to help us, and any organization that you choose to sign-up through, to deliver a service optimized for your needs. This includes:

  • Providing updates regarding your account, such as details of reoccurring payments.
  • Providing educational information to guide your use of the Services.
  • Internal record keeping.
  • To improve our Services.
  • We may periodically send promotional emails about new products, special offers or other information, which we think you may find interesting using the email address which you have provided.
  • We may also send you promotional materials or offers via email, such as discounts on Services. These will always include an option to opt out of future such emails.

Disclosure and Sharing of Personal Information.

The Company will not disclose, move, access, or use Personal Information except as provided in the customer’s agreement with the Company, or without your explicit consent, or when the Company believes it is required to do so by law. However, we may collect and use aggregate, de-identified (anonymized), or other information that does not identify you (“De-identified Information”) for research or scientific purposes. For the purposes of research, we may include some of your data in scientific studies. For example, to show how test scores generally relate to demographic information, such as age, gender, or sport. If so, this data will be used anonymously, and not directly associated with you in any way.

Choices You Have About Collection, Use, Correction, and Erasure of Your Personal Information

You have a right to be told what Personal Information we hold about you and any third parties we have disclosed it with (with certain exceptions). You also have a right to provide us with corrections if you believe any of your personal information is inaccurate. However, if personal information was collected through an organization such as school, sports team, a medical provider, etc., requests for access, amendments, or erasure should be directed to the organization through which the data was originally collected.

Because the data generated by the Concussion Management Products can only be used by licensed healthcare professional, the test takers will not be granted access to this data by the Company. Requests to view these data should be directed to the healthcare professional.

All institutions and organizations using the Services to administer cognitive tests or collect related data from test takers, are required, as a condition of use or purchase Service, to agree in writing to adhere to the Terms of Use, including this Notice, and to obtain appropriate consent.


The Company will retain Personal Information for at least 7 years or in accordance with any federal or state requirements, unless requested otherwise through a written request sent to the Company’s Data Protection Officer (see contact information at the end of this Notice).

Use of the Site by Children

Our Services are not intended to attract children under the age of 18. In accordance with local regulations (such as the Children’s Online Privacy Protection Act “COPPA”), the Company will not knowingly collect or accept personally identifiable information from a child under the age of 18 without a parent’s or guardian’s prior consent.

The information collected from children under 18 through the Concussion Management Products or Mobile Applications are intended only with the consent and under the supervision of a parent or guardian, or, in the case of use through an institutional user, with the consent and supervision of such institutional user acting with authority and consent from the parent or guardian.

Compliance with Law Enforcement

The Company will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your electronically stored personal data.

The Company cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims, legal process (including subpoenas), to protect the property and rights of the Company or a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.

Cross-Border Processing and Transfer of Information

All Personal Information and health related data collected through Concussion Management Products and Mobile Applications are stored in secure location in compliance with local regulations governing cross-border data transfer.

Information collected through all other services or provided during customer support interactions will be stored in the United States. When you provide personal information, you fully understand and unambiguously consent to the transfer of your personal information to, and the collection and processing of such personal information in the United States. For Services users who are residents of the United Kingdom, European Union, and other European Economic Area nations, please be advised that while there is some uncertainty as to the scope of the EU General Data Protection Regulation (GDPR) as applied to US-hosted Services such as ours, our practices in handling personal information collected through the Services relating to residents of your jurisdictions are designed to conform to the GDPR.


We do not use or share personal information for any marketing purposes unrelated to the Services.

Data Security

We are committed to ensuring that our customers are accessing applications securely. In order to prevent unauthorized access or disclosure, we have put in place technical and organizational measures appropriate to the risks to the information we collect. The following technical controls have been put in place to help protect customers and meet compliance requirements.

Data Protection

Secure Transmission and Storage of Data

  • Connection to the company applications and environment is via TLS cryptographic protocols ensuring that users have a secure encrypted connection
  • All data is further encrypted while in transit and also when persisted “at rest”

Network Protection

  • Perimeter firewalls and edge routers block unused protocols
  • Internal firewalls segregate traffic between the application and database tiers
  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports
  • A third-party service provider periodically scans the network externally and alerts changes in baseline configuration
  • Managed intrusion detection monitors suspicious network traffic, sending alerts to the Company’s security team while blocking the traffic

Disaster Recovery

  • The system replicates customer data to a second datacenter on an hourly basis
  • Data is transmitted across a secure connection
  • Data Recovery Time Objective: 24/48 hours (standard / extended)


  • All data is backed up at each data center on an hourly basis

Internal and Third-party Testing and Assessments

  • All Company Services are validated prior to public launch using documented software validation procedures to comply with medical device regulations and standards for software quality. Validation is built into the software development processes.
  • The Company tests its applications for security vulnerabilities, and regularly scans the Company’s network and systems for vulnerabilities. Third-party tools are used to assess software and infrastructure vulnerabilities regularly, including:
  • Application vulnerability assessments
  • Network vulnerability assessments
  • Penetration testing and source code vulnerability review
  • Security control framework

Security Monitoring

The Company’s Information Security team monitors notifications from various sources and alerts from internal systems to identify and manage threats.


The Company partners with top tier, ISO 27001 and/or SOC 2 Type II compliant data centers to ensure the availability and security of the Company system and to protect customer data from theft, corruption, or mishandling.

Company Personnel

All Company employees must abide by this Notice and internal privacy policies and those who violate them are subject to disciplinary action, up to and including termination. All Company employees are required to sign non-disclosure agreements and are required to complete ongoing security training throughout the year.

Physical Security

The Company’s system is hosted with trusted data center partners who maintain ISO 27001 and/or SOC 2 Type II compliance. Physical access is strictly controlled both at the perimeter and at building access points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic systems. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Additionally, these data center facilities provide: automatic fire detection and suppression equipment, redundant data center electrical power systems, climate control to maintain a constant operating temperature for servers and other hardware; continuous monitoring of electrical, mechanical, and life support systems and equipment, and secure storage device decommissioning.

Use of Cookies and Tracking Technology

The Company uses cookies to track your activity on the Company Websites.

A cookie is a small file which asks permission to be placed on your computer's hard drive. The file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

The Company uses traffic log cookies to identify which pages are being used. This helps the Company analyze data about web page traffic and improve the Company Websites in order to tailor it to customer needs. The Company only uses this information for statistical analysis purposes. Overall, cookies help the Company provide you with a better website, by enabling the Company to monitor which pages you find useful and which you do not. A cookie in no way gives the Company access to your computer or any information about you.

By visiting Company Websites, you are giving your consent to the use of cookies, but you can modify your browser settings to decline cookies if you prefer.

You can learn more about cookies, and how to control or delete cookies at

Social Media

When you participate in various social media forums like Facebook and Twitter, you should be familiar with and understand the tools provided by those sites that allow you to make choices about how you share the personal data in your social media profile(s). The Company bound by the privacy policies of these third parties, so we encourage you to read the applicable privacy notices, terms of use and related information about how your personal data is used in these social media platforms.

Additionally, depending on the choices you have made regarding your settings on these social media sites, certain personal data may be shared with the Company about your online activities and social media profiles, which the Company may use to contact you or advertise Company's Services.

California Privacy Disclosures

The Company does not permit third parties to collect personal information about an individual’s online activities over time and across different Websites when an individual uses Company Services or visits Company Websites; and therefore, does not respond to Do Not Track (“DNT”) signals.

If you are a California resident and would like to make a request, the identity of any third parties to whom the Company has disclosed personal information for the third parties' direct marketing purposes, within the previous calendar year, along with the type of personal information disclosed please submit your request in writing to

European Residents

When you use the Services, we will inform you what personal information are necessary to receive the Services. You may withdraw consent for future processing or communications at any time, and you may lodge a complaint with the data protection supervisory authority in your country of residence if you believe that our processing has violated the law. You may contact our Data Protection Officer at the address listed in Contact below, or our European Representative.
We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Middleton Co. Cork, Ireland. Company number 635921.

Privacy Policy Updates

We may occasionally update this Notice. When we do, we will also revise the "Effective Date" at the top of this page. For material changes to this Notice, we will notify you either by placing a prominent notice on the Company Websites or the Customer Center, or by sending you a notification directly. Your continued use of the Services constitutes your agreement to this Notice and any updates.


If you have any questions about this Notice, your rights or any other aspects of your privacy and how we are collecting, using, protecting, and/or disclosing the personal information we collect, or need assistance submitting a complaint to a data protection supervisory authority (regional government agency) please contact us at:

Attn: Data Protection Officer
ImPACT Applications, Inc.
2140 Norcor Avenue, Suite 115
Coralville, IA 52241