VerityStream Privacy Statement

VerityStream Privacy Notice

Last Updated April 26, 2022

Welcome to VerityStream! This Privacy Notice explains how we collect and treat information when you use the VerityStream application provided by HealthStream, Inc. along with its subsidiaries and affiliates (collectively, “ HealthStream,” “us” or “we”). This Privacy Notice is part of and governed by the VerityStream Terms of Service. Any additional notices we may provide about our privacy practices will be considered to form part of this Privacy Notice. If you have questions about our privacy practices or would like to make a complaint, please contact us at provider.solutions@healthstream.com or toll free at 1-800-521-0574 opt. 2.

VerityStream’s Privacy Promise

We value you and your privacy and we want you to understand how we treat and protect your information. Here is a summary of our promise to you, as detailed in this Privacy Notice:

• VerityStream is available to individual users for free at a limited service level or at a paid premium SaaS service level when subscribed to by a nursing facility or other nursing employer (“Business Subscriber”) that provides VerityStream to its nursing staff.
• Any Personal Information that is necessary to use VerityStream’s core features is only accessible by you, your employer, and any colleagues with whom you choose to share it.
• Private messages to other users are only viewable by the message recipient.
• Posts to public areas of VerityStream may be visible to, copied, or stored by other VerityStream users. You decide whether and what to post in those parts of the application.
• You can always control your data, either directly through your account, through your Business Subscriber, or by contacting VerityStream for help.
• We do not sell your Personal Information or share it with others for cross-contextual behavioral advertising.
• We will always notify you if this promise changes in any way.

We encourage you to read this Privacy Notice to understand in detail how we collect and use your information.

Your Consent

This Privacy Notice describes how we collect and treat information through your use of VerityStream and your interactions with us as a VerityStream user by any means (our “Services”). This Privacy Notice DOES NOT apply to information collected while using a website or platform owned or operated by a third party, or other services offered by HealthStream. By using or accessing our Services in any manner, you consent to the privacy practices described in this Privacy Notice. If you do not agree with this Privacy Notice, do not use the Services.

Personal Information

When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. Personal Information falls within these categories:

• Identifiers (e.g., name, email address, address, telephone number, username);
• Sensitive Personal Information (e.g., state identification number, financial information, health information, precise geolocation);
• Protected classification information (e.g., race, citizenship, marital status, medical condition, sex, sexual orientation, veteran or military status);
• Biometric information (e.g., image, keystrokes, behavioral or biological characteristics);
• Internet or other similar activity (e.g., general location, browsing history, content interactions);
• Employment-related information (e.g., current or past employment);
• Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99); and
• Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies).

Not everything about you is your Personal Information. Specifically, Personal Information does not include (i) publicly available information (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot be easily linked back to the individual.

How VerityStream Collects and Uses Personal Information

Like most applications, VerityStream uses Personal Information to give you a great experience. We only collect, use, retain, and disclose your Personal Information as reasonable and necessary for you to use VerityStream and only with your consent or another lawful basis. The Personal Information we collect will depend on how you use VerityStream, whether as an individual user or a Business Subscriber offering VerityStream to your nursing staff. We only collect your Personal Information for VerityStream with your consent, as a service provider to a Business Subscriber, or as authorized or required by law. During the last 12 months, we have collected Personal Information like identifiers, employment information, biometric information, commercial history, and internet activity. We have collected this information from a variety of sources including:

• From you, with your consent. To use VerityStream, you must register and provide identifiers like your name, address, email, and telephone number, your employment information like your professional credentials, worksite, and department, and you will need to upload a photo to create your VerityStream profile. We may also request permissions from your device to access your calendar, camera, microphone, or other device applications. You will be given the choice to opt-in or opt-out of receiving push notifications on your device. When you use certain features, VerityStream may prompt you to provide additional Personal Information for those features to function. For example, the credentials tracking feature requires you to input your professional credentials and other employment information, and the shift comparison or shift swap features require you to enter your shift schedule (either manually, automated from your Business Subscriber, or synced from another app on your device). Your colleagues who use VerityStream will be able to see your shift schedule.
• Any Personal Information you include in a private message will be visible to the message recipient, and possibly to others if the recipient shares or copies the message. If you post User Content to public areas of VerityStream, those posts may be visible to, copied, or stored by other VerityStream users. Your use of VerityStream features is entirely optional, and any Personal Information you submit is provided by you voluntarily and with your consent.
• From your Business Subscriber in our role as a service provider. If a Business Subscriber provides you with VerityStream, your Business Subscriber may submit your identifiers, employment information, or other Personal Information to create your VerityStream profile and to automate shift swap requests and other features. We collect and use this information as a service provider to the Business Subscriber at the direction of the Business Subscriber as governed by the services contract and the Business Subscriber’s privacy practices, or as permitted or required by law.
• From your communications with VerityStream, with your consent. If you contact us by email, online form or other means to request information or support, we will collect your name and email address in order to respond to your inquiry. If you complete one of our surveys, report a problem or interact with our support team, we will collect any Personal Information you submit to us through those channels. If you use our SaaS services, we may also collect your employment information to confirm your account details. We may keep records of our interactions with you. We use this information for the purposes stated at the time of collection.
• From other VerityStream users and third parties, with a legitimate interest. If a VerityStream user invites you to VerityStream, we will collect your email address and use it to send you an invitation on behalf of that user. You can unsubscribe from these emails at any time. Analytics companies, advertisers, and other third parties may provide us with Personal Information about you that is publicly available or related to your internet activities on online services. We collect and use this information for our legitimate interests of marketing VerityStream and developing new features.
• Automatically from your use of VerityStream, with a legitimate interest. When you interact with our Services, we automatically collect data about your internet activity such as your IP address, internet service provider, browser, information, device data, date and time of access, and the content with which you interact. Like most online services, the Services use cookies as described in our Cookie Declaration. We collect this information to achieve our legitimate interest of managing and improving our Services. We use this information to administer the website, provide and improve the Services, analyze usage, protect the Services and its content from inappropriate use, and improve the nature and marketing of the Services.

Other Uses of Your Personal Information

In addition to the uses described above, we might also use your Personal Information to: (i) provide, maintain, and improve the Services; (ii) personalize the user experience and provide customer service; (iii) send you support and administrative messages; (iv) monitor your compliance with any of your agreements with us; (v) detect, investigate, and prevent fraudulent transactions and other illegal activities and protect our or others’ rights and property; (vi) protect your privacy, enforce this Privacy Notice, and comply with applicable laws, regulations, legal processes or court orders; (vii) if we believe it is necessary, to identify, contact, or bring legal action against persons who may be causing injury to you, to us, or to others; or (viii) fulfill any other purpose to which you consent.

Children’s Privacy

VerityStream is designed for users aged 18 and older. We do not knowingly collect Personal Information from children under 18. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our systems. If you believe we might have any information collected online from a child under 18, or if you become aware of any unauthorized submission of information to us, please contact us at provider.solutions@healthstream.comor 1-800-521-0574 opt. 2.

Retention of Personal Information

VerityStream only retains Personal Information as necessary to provide you with the Services you request. For example, if you contact us for information or support, we will retain the information you provide for the necessary length of time to respond to your inquiry. We will retain your account information, such as your identifiers and employment information, as long as your account remains active. We regularly review and deidentify unnecessary Personal Information, and we periodically delete data associated with inactive accounts.

Disclosure of Personal Information

We only disclose your Personal Information in limited circumstances and for specific purposes. In the last 12 months, we have disclosed all categories of Personal Information that we collected for a business purpose to these recipients:

• Business Subscribers. If you use VerityStream through a Business Subscriber, we may disclose Personal Information collected from your use of certain features to your Business Subscriber so those features can function. For example, if you request a shift swap, your Business Subscriber will see your request so that your supervisor or other users can review and approve the request. VerityStream is committed to keeping your private information private, even from your Business Subscriber. We will never share your private messages sent via VerityStream with your Business Subscriber. VerityStream is designed to only share private messages with the selected message recipient.
• Service Providers. Service providers like data analyst companies, payment processors, and email and data hosting providers may have access to your Personal Information in order to perform their contractual obligations to us. Our service providers are subject to contractual agreements that protect your Personal Information, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information. The type of information that we provide to a Service Provider will depend on the service that they provide to us.
• Affiliates. We disclose the information we collect from you to our affiliates or subsidiaries. If we do disclose your Personal Information to our affiliates or subsidiaries, their use and disclosure of your Personal Information will be subject to this Privacy Notice.
• Law enforcement or other government agencies as permitted or required by law.
• Cookie information recipients, subject to their respective privacy notices.
• Other Third Parties, as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.

Aggregated and Deidentified Information

We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with nonaffiliated entities for business development, marketing, advertising, research or other purposes, without restriction.

Your Privacy Choices and Controls

We believe you should have the ability to readily control the Personal Information we collect and hold about you. If you have questions or need help, please contact your Business Subscriber, send us a Consumer Privacy Request or email us at provider.solutions@healthstream.com.

Your Account Profile and Device Settings

You can sign into your account to access, change, or delete your Personal Information at any time. If you require assistance to access or make certain changes, please contact provider.solutions@healthstream.com. You can also control the data we collect about you by adjusting your device settings.

Emails from VerityStream

If you provide us with your email address, we may send you informational or support emails. If you opt-in to receive VerityStream marketing communications, we may send you emails, push notifications or in-app messages related to your VerityStream activity, to inform you about VerityStream features, or for direct marketing purposes. We will only send you these communications in ways that are compatible with your privacy choices. To opt-out, change your preferences via the links provided in the emails or email provider.solutions@healthstream.com.

Texting Consent

If you provide us with your wireless number, you consent to VerityStream sending you text messages for informational or authentication purposes. The number of texts that we send to you will be based on your circumstances and requests. You can unsubscribe from text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.

Do Not Track Requests

Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Notice.

Consumer Privacy Requests

If you wish to exercise your rights beyond the methods provided, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please contact your Business Subscriber. Alternatively, you can send us a Consumer Privacy Request or email us at provider.solutions@healthstream.com.

We will relay your request to your Business Subscriber or fulfill it directly if we can. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. In that case, we will tell you the cost estimate and why we are charging the fee before completing your request. We may be unable to fulfill some or all of your request, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.

Residents of California and Certain Other U.S. States

This section provides the disclosures and notices required under the California Consumer Privacy Act of 2018 (“CCPA”) and offers informational notices to residents of Virginia, Colorado, Utah, Nevada, and other U.S. states with laws providing similar protections. The following paragraphs apply solely to residents of the State of California and other states to the extent the same legal protections apply (each a “Consumer”). Consumers may exercise the following rights over their Personal Information, subject to our receipt of a verifiable request and any exceptions and limitations that may apply:

Right to Disclosure.

You have the right to request that we disclose information to you about our collection and use of your Personal Information over the past 12 months, such as (i) the categories of Personal Information we have collected about you; (ii) the categories of sources for the Personal Information we have collected about you; (iii) our business purpose for collecting or selling that Personal Information; (iv) the categories of third parties with whom we share that Personal Information; and (v) if we sold or disclosed your Personal Information for a business purpose, two separate lists stating (a) sales, identifying the Personal Information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. Depending on the laws that apply to you, we may only be required to respond to a certain number of disclosure requests within a 12-month period.

Right to Correct.

You have the right to request that we correct inaccurate Personal Information about you on our systems. If you become aware that the Personal Information that we hold about you is incorrect, or if your situation changes (e.g., you change address), please inform us and we will update our records.

Right to Access.

You have the right to request that we provide you with access to specific pieces of Personal Information we have collected about you over the past 12 months (also called a data portability request). If you submit a right to access request, we will provide you with copies of the requested pieces of Personal Information in a portable and readily usable format. Please note that VerityStream is prohibited by law from disclosing copies of certain pieces of Personal Information (e.g., government identification numbers, financial account information, and passwords or security questions and answers) because the disclosure would create a substantial, articulable, and unreasonable risk to the security of the information, our business systems, or your account. If you are a resident of the State of California, your request is limited to specific pieces of Personal Information we have collected about you over the past 12 months, and we are only required to respond to two such requests within a 12-month period.

Right to Deletion.

You have the right to request that we delete any of your Personal Information that we collected from you and retained, with certain exceptions. VerityStream may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete.

No Selling or Sharing Personal Information.

We do not, and will not, sell the Personal Information we collect about you from your use of VerityStream or share your Personal Information with third parties for cross-contextual behavioral advertising purposes. If our practices change, we will update this posting and provide you with opt-out methods.

Limited Use and Disclosure of Sensitive Personal Information.

VerityStream does not require you to provide any Sensitive Personal Information. If you choose to input Sensitive Personal Information, such as your union or other organizational memberships, we will only use this information to complete your user profile, to facilitate your choice to use certain VerityStream features, or for our internal business purposes. VerityStream does not use or disclose Sensitive Personal Information for the purpose of inferring characteristics about you. If this ever changes in the future, we will update this Privacy Notice and provide you with methods to limit use and disclosure of Sensitive Personal Information.

Right to Opt-Out of Profiling.

We do not use any form of automated processing of Personal Information to evaluate, analyze, or predict your performance, preferences, choices, or behavior. If this changes in the future, we will update this posting to describe our use of profiling and your options to opt-out.

Right to Nondiscrimination.

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not (i) deny you goods or services, (ii) charge you different prices or rates for goods or services, (iii) provide you a different level or quality of goods or services, (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under the CCPA.

Right to Disclosure of Marketing Information.

California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.

To exercise these rights or inquire further, please contact your Business Subscriber, send us a Consumer Privacy Request or email us at provider.solutions@healthstream.com. Please note that Personal Information we collect about you is often in a business-to-business context when you are acting as an employee to a current or potential Business Subscriber in the performance of your job duties is not protected Personal Information under the CCPA.

Canadian Privacy Rights

• This section provides supplemental information to residents of Canada (“Canadian Consumers”) in compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applies solely to Canadian Consumers where PIPEDA applies. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.
• Right to know why we collect, use and distribute the Personal Information we process. We have set the required notices in this Privacy Notice. We may provide you with additional notices about other ways we process your Personal Information, such as by sending you a notice via email or by other means of communication.
• Right to expect us to collect, use or disclose Personal Information responsibly and not for any other purpose other than which you consented. We set your expectations in this Privacy Notice and collect express or implied consent at various stages of collection or processing. If we collect or use your Personal Information based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any time with reasonable notice by submitting a Consumer Privacy Request or contacting us at provider.solutions@healthstream.com.
• Right to accuracy of your Personal Information. We take steps to reasonably ensure that your Personal Information we are using is accurate. In most cases, we rely on you to ensure that your information is current, complete, and accurate. We provide methods for you to correct, update, and delete inaccurate Personal Information in your account, and we will provide you with reasonable assistance to ensure that your Personal Information is accurate in our systems and with our service providers.
• Right to access your Personal Information. Upon written request and identity authentication, we will provide you with your Personal Information under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. If limited by law or potential infringement on another’s privacy rights, we may not be able to provide access to some or all of the Personal Information you request. If we must refuse an access request, we will notify you in writing, document the reasons for refusal and outline further steps that are available to you.

To exercise these rights or inquire further, please contact your Business Subscriber, send us a Consumer Privacy Request, email us at provider.solutions@healthstream.com, or call us toll free at 1-800-521-0574 opt. 2.

Offered in the U.S. and Canada

VerityStream is owned and operated in the United States and is designed to serve Business Subscribers and their users located in the United States and Canada. We do not market the Services to residents of the European Union or any other jurisdiction outside of the United States and Canada. If you are an EU resident, please do not submit any Personal Information to VerityStream. If you are a VerityStream user who is a non-US resident or if you visit the website from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about you, you consent to this Privacy Notice and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.

Data Security

VerityStream implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. VerityStream employees responsible for handling user inquiries are informed of applicable privacy law requirements. All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions are processed on a PCI-compliant third-party application. Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your account secure from unauthorized access. We are not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over any Business Subscriber or other third party’s security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.

Third Party Websites

The Services may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy policy of any website you visit.

Updates

We may periodically update this Privacy Notice. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Notice was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Notice. You are responsible for periodically checking this Privacy Notice for changes.