Community-based Primary Healthcare Privacy Policy
The Community of Practice
Effective July 26, 2021

Welcome, and thank you for your interest in the Community-Based Primary Healthcare Community of Practice, a combined offering by The International Institute for Primary Health Care in Ethiopia (IPHC-E) and Last Mile Health (LMH; “The Community of Practice,” “we,” “us,” or “our”). Together these two non-profits operate the platform, related application programming interfaces ("APIs"), and services including, but not limited to any other products and services that we may provide now or in the future (collectively, the "Services").

This privacy policy (the “Privacy Policy”) describes how we gather and use information about visitors to and users of our Community of Practice (“Users”). This Privacy Policy applies solely to the information that we collect through the Community of Practice Platform. This Privacy Policy does not address personal information that you provide to us in other contexts (e.g., through a business relationship not handled through the Community of Practice).

The following Terms of Service are a legal contract between you ("you" and "your") and The Community of Practice regarding your use of the Services. Visitors and users of the Services are referred to individually as "User" and collectively as "Users".

The Community of Practice is a collaboration with the following partners:

● Hivebrite is a service offered by KIT United SAS. KIT United SAS is a company with capital of € 234,000, headquartered at 44, rue la Fayette - 75009 Paris, France and registered in the Paris Trade and Companies Register under number 753 391 713.

Acceptance of Privacy Policy

By using the Community of Practice, you signify your acceptance of this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use the Community of Practice.
Your continued use of the Community of Practice following the posting of changes to these terms will mean that you accept those changes.

How Do We Collect Your Information?

Personal Information

You may use some of our Community of Practice features without telling us anything about yourself. If you contact us, donate to us, or register for an account via the Community of Practice, we may ask you to provide Personal Information (as defined below), such as your name, address, telephone number or e-mail address. We may also receive Personal Information about you from third parties, such as our affiliates, business partners, or vendors who we engage to help administer the Community of Practice.

“Personal Information” for purposes of this Privacy Policy is any information relating to you as an identified or identifiable natural person. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

From time to time, our Community of Practice may be configured to collect domain, usage, and Google Analytics information. This data enables us to become more familiar with which users use our services, how often they visit and what parts of the services they utilize most often. The Community of Practice uses this information to improve our Offerings and access. No personally identifiable information is gathered in this process. This information is collected automatically and requires no action on your part.

Other Information

“Other Information” is any information that is not Personal Information, such as browser information, app usage data (including quiz attempts, scores and course completion), information collected through cookies and other technologies, demographic information, and aggregated information.

We collect Other Information when you submit it to us. It may include your zip code, education, occupation, and interests. We may also receive Other Information about you from third parties, including, for example, demographic data, information about your interests, and information about your activities through the Community of Practice.

Each time a User utilizes the Community of Practice, The Community of Practice collects some information to improve the overall quality of the User’s online experience.

● Aggregated Data: The Community of Practice collects aggregate queries for internal reporting and also counts, tracks, and aggregates the User’s activity (including quiz attempts, scores and course completion) into The Community of Practice’s analysis of general traffic flow to the platform and Users’ utilization of and performance within the Online Services. To these ends, The Community of Practice may merge information about you into aggregated group data. In some cases, The Community of Practice may remove personal identifiers from Personal Information and maintain it in aggregate form that may later be combined with other information to generate anonymous, aggregated statistical information. Such anonymous, group data may be shared on an aggregated basis with The Community of Practice’s affiliates, business partners, service providers and/or vendors; if it does so, The Community of Practice will not disclose your individual identity.

● Web Server Logs and IP Addresses: An Internet Protocol (“IP”) address is a number that automatically identifies the computer or device you have used to access the Internet.
The IP address enables our server to send you the web pages that you want to visit, and it may disclose the server owned by your Internet Service Provider. The Community of Practice may use IP addresses to conduct analyses and performance reviews and to administer the Online Services.

● Cookies and Web Beacons: Periodically, some pages or screens on the Online Services may use “cookies,” which are small files that the site places on your hard drive for identification purposes. These files are used for site registration and customization the next time you visit us. You should note that cookies cannot read data off of your hard drive. Your web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. You can also refuse all cookies by turning them off in your browser. By not accepting cookies, some pages may not fully function and you may not be able to access certain information on the Online Services. Information that we collect through cookies includes (i) the name and version of the operating system on the User’s computer or mobile device, (ii) the name and version of the User’s browser, (iii) which aspects or pages of the Online Services the User is currently reading, as well as clicks and time spent on a particular page or screen, (iv) if the User was sent to the current page by some other page on the web, the universal resource locator (“URL”) of the referring web page, and (v) geolocation of the User’s computer or device. Some of the Site’s web pages may use web beacons in conjunction with cookies to compile aggregate statistics about Site usage. A web beacon is an electronic image (also referred to as an “action tag,” “single-pixel,” or “clear GIF”) that is commonly used to track the traffic patterns of users from one web page to another in order to maximize web traffic flow and to otherwise analyze the effectiveness of the User.
Some web beacons may be unusable if you elect to reject their associated cookies.

By accessing and using the Community of Practice, you expressly consent to the storage of cookies, other local storage technologies, beacons or other information on your computer or devices. You also consent to the access of such cookies, local storage technologies, beacons and information by us.

Sensitive Personal Information

Unless specifically requested (for example, in connection with a particular survey), we ask that you not send us, and you not disclose, any sensitive personal information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Services or otherwise to us. Any requested information that includes sensitive information about health, political opinions, ethnicity, race, religion, sex life or sexual orientation can be left unanswered.

How Do We Use Your Information?

If you choose to provide us with Personal Information by completing a form through the Community of Practice, including, if applicable, account registration, or emailing us, we will use that Personal Information to (i) respond to your question or request, (ii) communicate with you about our organization via email, (iii) send information to you, and (iv) notify you of changes to this Privacy Policy. If you do not wish to receive unsolicited emails or other communications from us, you may contact us at [email protected] and request that your Personal Information be removed from our list.

We will only use your Personal Information when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:

● Where you have requested information from The Community of Practice about its services.

● Where we need to perform the contract we are about to enter into or have entered into with you.

● Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. “Legitimate interest” is a technical term under applicable regulations. It means that there are good reasons for the processing of your personal information and measures are taken to minimize the impact on your privacy rights and interests. “Legitimate interest” also references our use of your data in ways you would reasonably expect and that have a minimal privacy impact. We have a legitimate interest in collecting and processing personal information, for example: (1) to ensure that our networks and information are secure; (2) to administer and generally conduct business within The Community of Practice; and (3) to prevent fraud.

● Where we need to comply with a legal obligation.

Note that we may process your Personal Information for more than one lawful ground depending on the specific purpose for which we are using your data.

Please note that we may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, then we may use and disclose it for all the purposes for which we use and disclose Personal Information. We may combine Other Information with your Personal Information, and when we do, we treat the combined information as Personal Information.

Do We Disclose Any Personal Information to Outside Parties?

Unless you expressly give us permission in writing to do so, The Community of Practice will not sell, rent, license, or trade your Personal Information other than as specified in this Privacy Policy.

● Disclosures to Third Parties Assisting In Our Operations: The Community of Practice may share your Personal Information under confidentiality agreements with other companies that work with, or on behalf of, The Community of Practice to provide services.
These companies may use your Personal Information to assist The Community of Practice in its operations and impact. However, these companies do not have any independent right to share this information.

● Disclosures Under Special Circumstances: We may provide information about you to respond to subpoenas, court orders, legal process or governmental regulations, or to establish or exercise our legal rights or defend against legal claims. We believe it is necessary to share information in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law. In such circumstances, we will take appropriate measures to ensure that the requester understands the sensitive nature of the Personal Information that they may receive.

● Business Transfers: We may share your Personal Information with other business entities in connection with the sale, assignment, merger or other transfer of all or a portion of The Community of Practice’s business to such business entity. We will require any such successor business entity to honor the terms of this Privacy Policy.

Security

The security of your data is very important to The Community of Practice. We have implemented appropriate security measures preventing your Personal Information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. However, you should know that no web site operator, including The Community of Practice, can fully eliminate security risks associated with Personal Information. While The Community of Practice has endeavored to create a secure and reliable website for users, the confidentiality of any communication or material transmitted to/from the User or via e-mail cannot be guaranteed.
We have put in place procedures to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Children’s Privacy Protection

● Under Age 13: The Community of Practice understands the importance of protecting children’s privacy in the interactive online world. The Community of Practice is not designed for, or intentionally targeted at, children under 13 years of age. It is not our policy to intentionally collect or maintain information about anyone under the age of 13. No one under the age of 13 should submit any Personal Information to The Community of Practice.

● Under Age 18: Minors under 18 years of age may have the Personal Information that they have provided to The Community of Practice deleted by sending an email to [email protected] deletion. Please note that, while we make reasonable efforts to comply with such requests, deletion of your personal information does not ensure complete and comprehensive removal of that data from all systems.

Response to “Do Not Track” Signals

Some Internet browsers include the ability to transmit “Do Not Track” signals. Since uniform standards for “Do Not Track” signals have not yet been adopted, The Community of Practice does not process or respond to “Do Not Track” signals.

Updating Your Information

If you wish to stop receiving emails or other communications from us, or if you have submitted Personal Information through any of our Online Services and would like that information deleted from our records, please notify us at [email protected].

Links to Third Party Websites

As a convenience to our Users, the Community of Practice may contain links to other sites. The terms of usage and other conditions of use posted on those sites, and not the policies and procedures we described here, apply to those sites.
Your linking to any other websites is at your own risk, and you are responsible for learning about and complying with the terms of usage and other conditions posted on those websites.

European Data Privacy Laws

If you reside or are located in the European Economic Area, you have certain rights in relation to your Personal Information under the applicable European data privacy laws under the General Data Protection Regulation and any other applicable data protection laws which may be amended from time to time (“European Data Privacy Laws”). This section only applies to such users. Under applicable European Data Privacy Laws, The Community of Practice is the data controller.

Under the applicable European Data Privacy Laws, you have the right to ensure your Personal Information is accurate. You have the right to request that we correct any inaccurate Personal Information. You also have the right to request that we delete or restrict the processing of your Personal Information, although we are permitted to retain it where we still have an ongoing purpose to retain it or as otherwise permitted under the European Data Privacy Laws. This may compromise our ability to provide you with our services.

You also have the right to transfer your personal information to another service provider subject to the European Data Privacy Laws. We will, following your written request to us, provide you with your relevant Personal Information in a machine-readable format to transfer to another service provider. We will aim to respond to your request within one calendar month of receipt of the request. Where we are unable to do so within the calendar month, we will notify you of our need to extend this timeline.

There are certain exemptions and restrictions applicable to the exercise of these rights under the European Data Privacy Laws that enable personal information to be retained, processed or withheld from access and we will inform you of these, if applicable.
To make any of these requests or to opt out of receiving marketing communications, please contact us at [email protected]. You have the right to raise a complaint with a supervisory authority in your country of residence if applicable under European Data Privacy Laws.

Data Retention

We retain personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:

● The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or continue to use the Services);

● Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or

● Whether retention is advisable in light of our legal position (for example, in light of applicable statutes of limitations, litigation or regulatory investigations).

International Transfers

The Community of Practice is headquartered in the United States. The information you provide to us or that we obtain as a result of your use of the Services is collected in your country and subsequently transferred to the United States or to another country in which we have facilities or our affiliates operate or in which we engage service providers. Some countries that are not members of the European Economic Area (EEA) are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here). For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, including by ensuring that the recipient is either Privacy Shield certified (for US-based providers), or bound by EU Standard Contractual Clauses, to protect your personal data.
To obtain a copy of the EU Standard Contractual Clauses click here. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your personal information.

Changes to this Privacy Policy

This Privacy Policy may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display an effective date on the policy in the upper right corner of this Privacy Policy so that it will be easier for you to know when there has been a change. If we make any change to this Privacy Policy regarding use or disclosure of Personal Information, we will provide advance notice via the Community of Practice. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice.

For Additional Information

If you have any questions about this Privacy Policy, the practices of the Community of Practice, or your dealings with the platform, please contact [email protected].