Last Updated: November 28, 2023
Privacy is the right of individuals to be free from unwarranted intrusions into their personal lives. At Winterlight, your privacy is important to us and we aim to be totally transparent so you can understand how we collect, use and disclose your information.
We have policies and procedures in place to ensure your privacy is maintained. Those policies set out how we collect your information, how we protect your information, and how it is transmitted, stored, used, and disclosed. We adopt the CSA Model Code for the Protection of Personal Information as a guiding principle when developing our Privacy Governance Framework.
Personal Information (PI) refers to information which can be used to identify you, such as your name, email address, or a recording of your voice.
Personal Health Information (PHI) is a subset of PI, which identifies your health history and use of health services. This is also known as “protected health information” in the United States.
In the European Economic Area and the United Kingdom, “personal data” refers to both PI and PHI.
You directly provide us with most of the data we collect. We collect data and process data when you:
Use our website or contact us:
Apply for a job at Winterlight:
Participate in Clinical Research involving Winterlight technology:
Our company may also receive your data indirectly from the following sources:
Winterlight may collect one or more of the following types of PI/PHI:
Winterlight may collect and use PI/PHI for one or more of the following purposes:
We only give access to your information to those company employees, employees of our affiliates, and contractors who require it as part of their job responsibilities. Staff are only allowed to access your information for authorized purposes. Here are some examples:
To ensure compliance with our policies, we have access logging and other technical controls in place to allow us to monitor for unauthorized access or unacceptable use of the data.
We do not disclose your information to any third parties, unless you consent to it (e.g., if you are participating in a research study at a retirement home you may consent to disclosing information to a staff physician if we uncover information that suggests you may have an undiagnosed condition), or as may otherwise be permitted or required by law (e.g., if the data was collected as part of a research study, it may be reviewed for quality assurance by representatives of an Institutional Review Board to make sure that the required laws and guidelines are followed).
We store your data on infrastructure provided by our cloud service providers, Amazon Web Services ("AWS") and, in some cases, on Google Workspace ("Google"), Box.com ("Box") or Microsoft 365 ("Microsoft"). We have executed business associate agreements (BAA) and Data Processing Agreements (including the Standard Contractual Clauses) in place with them. These agreements require these providers to appropriately safeguard the data with the same or comparable level of protection as we do.
If we collect any paper-based data, such as cognitive assessments, we store the papers in locked cabinets. We require our employees to maintain a “clean desk” policy, which means storing all confidential materials in locked cabinets, as well as locking their workstations, laptops and other devices each time they leave their work area.
For participants in clinical or academic research:
We retain your data per the terms of the agreement, study protocol (if applicable), and applicable legislation, or for a minimum of 25 years if no other policy applies. At the end of the data retention period, we will remove your data from the relevant records in our live databases and delete your audio files from file storage. Since we maintain backups of our databases, the data will temporarily persist in an inaccessible way as part of our automated backups to prevent unintentional data loss; backups are deleted over time (for example, if we keep 24 months of database backups, it would take 24 months for your data to be fully removed from all of our systems).
For job applicants and other individuals:
We retain your data for as long as is necessary to carry out the purpose for which the data was collected.
We adopt the ISO/IEC 27002:2013 (Code of Practice for Information Security Controls) as our guide to developing and deploying our information security management program.
We use only HIPAA-eligible AWS services, and we have an executed BAA and DPA with AWS. We use a variety of technical controls following best practices for network security, such as blocking of unnecessary ports on our servers through AWS security groups and performing regular scans of our servers to detect network vulnerabilities (e.g., insecure data transmission protocols and expired digital certificates).
We use the latest recommended secure cipher suites and protocols for data encryption in transit. Data is encrypted at rest.
Where applicable, based on regulatory and client requirements, we store collected data in the appropriate country or region.
Unless indicated otherwise in a client agreement or data consenting process, aggregated and non-personally identifying data derivatives, such as variables we calculate from the raw data samples (e.g., number of nouns or duration of pauses), may be used to train cross-dataset statistical models. Such statistical models are trained and stored in the US data region on our cloud infrastructure, and may be used to provide services in any region.
We maintain extensive logs with respect to every component of our services, including applications, application programming interfaces (APIs), cloud services, servers, and management consoles. The logs contain information pertaining to security, monitoring, access, and other operational metrics. The logs are reviewed for privacy and security events on a periodic basis.
Our mobile applications are protected with user credentials. User passwords must meet our password policy, which has requirements for password strength, length, and regular password rotation.
Company devices (e.g., workstations and laptops used by employees and contractors) have enabled firewall, up-to-date antivirus software with regularly scheduled scans, automatic OS security updates, disk encryption, and auto-locking after a period of inactivity.
Unless otherwise specified, Winterlight provides the services and accesses data from its headquarters in Cambridge, United Kingdom; Toronto, Ontario, Canada; and other parts of Canada. Winterlight hosts customers’ data in production databases in either the United Kingdom, Canada or the United States. Notwithstanding where the data is hosted, Winterlight accesses data from Canada for purposes of, for example: responding to support requests; fixing software issues; or, providing services to a customer on the back end of the platform (e.g., correcting errors in a participant record, providing custom statistical analysis services, or performing simulation testing of our disaster recovery plan).
If you join one of our mailing lists, or otherwise opt-in to marketing communications from us, from time to time, we will send you information about products and services that we think you might like. You can always opt out of these communications at any time by following the unsubscribe instructions on the communication you have received.
We would like to make sure you are fully aware of your data protection rights. Every user is entitled to the following:
If you would like to exercise any of these rights, follow the case that applies to you:
Some of our products have user-accessible dashboards that use “technical cookies”, which allow us to recognize you as a user with each access. This data is not passed on to third parties.
On the Winterlight public website (https://winterlightlabs.com), we use Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
At Winterlight we do our best to practice the “principle of least privilege”. Meaning we restrict access to data on a “need to know” basis, even when it comes to our internal teams.
As an added layer of protection, all of our employees and contractors who have access to your information meet the following requirements:
We use production databases with replication across multiple availability zones to ensure redundancy and smooth failover in the case of infrastructure failure in one zone. We use versioning and replication across multiple regions for our file storage solution to ensure high availability. This means that in the event of an infrastructure failure in one zone or region, our services should continue working with minimal downtime.
We have an Privacy Incident Management Protocol in place to prevent, detect, respond to, and contain privacy/security incidents or breaches. In the event of a detected and confirmed privacy or security breach (e.g., your information was subject to unauthorized collection, access, use or disclosure), we will promptly notify either you directly, or your healthcare provider or other organization that provided your information to Winterlight (in which case it is their responsibility to notify you).
As part of our policy for prevention of privacy/security breaches, we engage an independent third-party firm to conduct regular penetration testing of our services.
As our company is based in Canada and processes personal data of data subjects who are in the European Economic Area and the United Kingdom, the General Data Protection Regulation and the UK GDPR (collectively the “GDPRs”) apply to our processing of personal data. Accordingly, this Privacy Notice also provides you with the additional information as set out in the GDPRs. Our handling of personal data of data subjects who are in the UK or the EEA is in compliance with the GDPR.
As we are based outside of the EU, we have appointed the following EU Representative to act on our behalf when we undertake data processing activities to which the GDPR applies:
If you are in the European Union or the UK, you can still get in touch with our Chief Privacy and Security Officer at firstname.lastname@example.org with any questions you have. You can in addition or instead get in touch with our GDPR representative in the EU at WinterlightLabsGDPRrepresentative@mhc.ie or:
MHC GDPR Representative
Mason Hayes and Curran Professional Services Limited South Bank House
Tel: +353 (1) 614 5000
We will only use your personal data where we have a valid lawful basis to do so in accordance with the GDPRs. Where we mention our “legitimate interests”, this is the lawful basis we rely on when we feel that it is necessary to use your personal data for a reason which is in our and/or your interests and which does not unfairly affect your rights over your personal data.
The processing of personal data is based on Art. 6. (1) (a) GDPR your consent and Art. 6. (1) (b) GDPR the necessity of the processing for the performance of the contract. The legal basis for the processing of sensitive data (health data) is the Art. 9 (2) (a) GDPR, i.e. your explicit consent.
The processing of personal data is based on our legitimate interest in developing/improving, ensuring the technical functionality and the security of our services (art. 6 (1) (f) GDPR). Special categories of personal data (sensitive personal data) may be processed for statistical and research purposes focused on analysing, developing and improving technical functionalities, and ensuring the security of our services (art. 9 (2) (j) GDPR in accordance with the appropriate safeguards (such as: pseudonymization or anonymization – art. 89 GDPR).
The processing of personal data collected on the website for "direct marketing, commercial communications" is based on your consent (Art. 6. (1) (a) GDPR).
All personal data of European data subjects is stored in cloud service providers located in Canada or the United States. We have put adequate measures in place in order to protect your personal data to an equivalent data protection standard as in the EEA.
If you are in the EEA, as a data subject, you have a right to lodge a complaint with the competent supervisory authority under the conditions provided in Article 77 GDPR or seek a remedy in the national courts if you think that your rights in relation to your personal data have been breached. However, we would be grateful if you could give us the opportunity to address your complaint in the first instance by using the contact details provided at the end of this Privacy Notice.
At Winterlight, we regularly review and update our privacy and security program - the policies and procedures we have in place – to keep it current. We place any updates on this web page. This Privacy Notice was last updated in November 2023.
If you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, we hope you’ll reach out to us first to give us a chance to make it right.
However, you may also contact the Information Commissioner of Canada:
Address: 30 Victoria Street, Gatineau QC, K1A 1H3