Respecting User Privacy
Updated: April 30, 2019
CoughDrop is a powerful, flexible communication app and system that enables communicators and the teams around them to develop a personalized language learning strategy and to communicate effectively. Because CoughDrop is used in medical and educational settings for different ages of user, we are sensitive to state and federal regulations like FERPA, HIPAA, COPPA, etc. and work hard to track policies related to those regulations. Compliance with privacy and security regulations requires collaboration between CoughDrop and the institutions that use our software. As such, we have compiled this set of assertions and best practices to prevent exposing personal information to anyone who shouldn't have access to it.
CoughDrop uses the cloud to back up, synchronize, and report on a communicator's vocabulary and activities. We do this to provide convenience for users (backup and multi-device support), insights on communicator progress, collaboration across support teams, accountability for organizations, and general trends across the site. Because of the potentially sensitive nature of the information related to an individual's communication, we take user privacy very seriously. Below are some of our protection strategies, and best practices that you can follow to ensure the privacy and rights of the communicator are respected. The information is provided to help organizations in their decision-making and training processes, and may change over time.
By default CoughDrop tries to collect as little personal information as possible about our users. At registration we ask for a username and email address, and we record the initial IP address for location tracking purposes. Any additional information provided by the user is optional and opt-in. Some features of CoughDrop, if enabled, will result in additional levels of tracking and information storage. For example, logging records additional data as the user uses the system, and the personalization of boards results in the storage of additional images and data fields based on the user-entered information. We encourage therapy and educational teams to discuss together what information is appropriate to be added for an individual user.
By default CoughDrop doesn't collect personal or academic information about our users. Access to CoughDrop is login-based, and every user must have a user name, email address, and password. However, the email address can be reused or even be invalid if needed. We encourage therapy and educational teams who create logins on behalf of their users to use anonymized user names, and many programs already have anonymized identifiers in place for the users they work with.
The CoughDrop application communicates with remote servers to download and update user-generated information such as board content, logs, etc. This communication is always done over a secure, encrypted (SSL) channel. In addition, user-generated content such as buttons, email address, profile information and log data is encrypted before being stored to prevent unauthorized access. Within the system users can specify that their account is "public", in which case basic user-entered information like summary, public boards, etc. will be available to any CoughDrop users, but this is an opt-in behavior. We discourage communicator accounts from being set to public. The user name tied to each account is not encrypted, and without authorization another CoughDrop user can check on the existence of a specific user name, but will not be able to retrieve any additional non-public information about that user name. This is another reason why we encourage teams to use anonymized user names when creating accounts for their communicators.
All CoughDrop employees with potential access to personal data are trained on user privacy best practices and are instructed to only access information needed for supporting communicators and teams. Within the app, access to user information is based on strict access controls, and any access to a communicator's information must be authorized by the communicator account. The only exception to this is if an organization creates communicator accounts and assigns them to communicators, in which case we encourage organizations to make sure communicators are aware of and comfortable with the organization's access to their information before proceeding.
Because communication is personal and individualized, many communicators add buttons representing personal information, such as family members, medical details, addresses, etc. The system does not prevent this type of information from being added, but it is not required. Such user-generated data will be encrypted, but is still available once logged in. Support teams should talk with communicators before adding potentially sensitive information to their boards, and should remember that this information could technically be discovered by anyone with physical access to the communicator's device.
It is important to note that user-uploaded files including images (including photographs), audio records and videos uploaded to the CoughDrop system are encrypted in transit via SSL, but are not encrypted at rest (although they are protected from unintentional access using long randomly-generated identifiers), and we suggest only uploading anonymized images and videos that do not disclose private information.
Logs, Reports and Tracking
In addition, communicators can add "supervisors" to their account. Supervisors are additional logins that are used to a different person, possibly a therapist, parent, teacher, grandparent, aide, etc. Supervisors can be added as read-only or with permission to edit a communicator's boards. All supervisors have access to a communicator's full vocabulary set and any logs that have been recorded. As such, we encourage support teams to check with communicators before adding anyone as a supervisor to their account on their behalf.
CoughDrop has a built-in logging and reporting mechanism that can provide valuable insights and summaries of communication usage and progress over time. Data can be a powerful tool as support teams try to assess a communicator's progress across multiple environments and times of day. However, logging every button a communicator selects is a highly invasive action, and support teams should get explicit permission from a communicator before enabling logging on their behalf. There are two levels of logging in CoughDrop, general logging which records every action in a user's communication session, and an additional level which also tracks GPS locations to be used for filtering data based on physical location. Both levels are opt-in, and CoughDrop includes a user-controlled mechanism which can permanently delete all previous logs generated in the system (this purge can take up to 24 hours). You can see what information is recorded via logging in our data and services tracker.
CoughDrop incorporates anonymized data from all user-generated logs to share usage trends such as most common words, core vs. fringe breakdown, etc. These public trends are always strictly anonymized and not gathered without enough different user sources to ensure individual user information is protected. When users enable logging they can opt-in to allowing their usage log information to be anonymized and shared with third-party research groups. Personally-identifiable information, including email addresses, personalized phrases or location information, will not be shared with outside research parties without explicit user consent.
Some components of CoughDrop take advantage of third-party services to improve the user experience. CoughDrop reports send anonymized data to the Google Charts service to generate visualizations of usage over time. CoughDrop uses Google Analytics to track user trends and to help evaluate the effectiveness of new features. These third-party services are opt-in, and the actions that enable these services are clearly delineated within the system.
Additionally, CoughDrop "launches" players for third party content including YouTube, Tarheel Reader and OpenAAC. By default these launches do not send any CoughDrop-stored information unless clearly specified when setting up the tool for a user. These third-party services may include their own tracking mechanisms, and can be included as button launches on user boards. CoughDrop also allows for "launches" from arbitrary web sites based on user-entered URLs. Control over whether to allow third-party launches is available in a user's preferences, and we encourage teams concerned about external tracking to disable third-party launches for their users.
We use the server-based troubleshooting and logging services listed in our data and services tracker to aid in application troubleshooting and information security, which send limited user metadata such as IP Address and User Agent, but this data is deleted after 7-14 days. Organization-created communicator accounts have error tracking disabled by default for everything other than IP address (which we keep to use to combat fraud and maintain information security), so we encourage organizations to create user accounts through the organization interface, or to manually disable error tracking in a user's preferences if there are concerns about user metadata being stored outside the system.
In addition, CoughDrop collects contact information when users sign up or purchase the app. This information is used for support and marketing purposes and is stored in third-party systems that CoughDrop uses for communication and support. The information shared includes name, email address and IP address. However, organization-created communicator accounts are not shared with third-party communication services, so we encourage organizations to create user accounts through the organization interface to prevent email addresses from being shared with these third-party services. If your users are not created this way, you can disable this setting in your user preferences and we will remove your information from our marketing tools.
CoughDrop can optionally send out notifications to communicators and supervisors. These notifications include things like weekly usage summaries, notifications of badges earned, or messages sent by the communicator from within the app. It is possible that information sent in these notifications will contain user-generated information such as buttons pressed or goals set. These notifications can be sent via email, SMS, or as alerts on the user's dashboard. Email is the default notification policy. If private information has been added to boards or used in creating goals or other such systems, we encourage communicators and supervisors to set their notification preferences to remain within the app so as to prevent the unwanted exposure of user information.
CoughDrop is accessible from mobile and Windows apps, or from any modern web browser. Access requires entering the user's user name and password before being granted access to the user's interface, which will include their own content and the content of any users who have added them as a supervisor. When accessing from a web browser, the user session will expire by default after 24 hours of inactivity. The user can opt-in to a longer timeout which will expire after multiple days of inactivity. To help protect user information, we encourage browser-based logins to use the shorter timeout, and to manually log out after each session. App-based logins use the longer timeout by default, so we encourage app-based logins to set up a device-level PIN or password to prevent unauthorized access through the physical device.
Removing Old Data
CoughDrop logs and board provide ongoing value, so for active users this information is not deleted. Users may choose to delete their usage logs in their entirety at any time, or delete their full account including boards and logs, from within their profile. When an account deletion is requested we delay the deletion for up to 18 days to allow for cancellations or mistakes. Some users take advantage of CoughDrop's features only seasonally, so we wait a full year of inactivity before initiating the process of automatically deleting a user's profile, but users can always request the account to be removed sooner if they would like. When an account is deleted, boards and logs are removed as well, but historical aggregate data generated using those data sources will not be updated, as this aggregate data does not expose user-specific information.
We have many security measures in place to protect against unauthorized access to user information, including training our employees on privacy and encrypting and obfuscating data sources. However, as we have seen in recent years even strict security measures are at times compromised. In the event that personal user information is exposed to unapproved parties, or CoughDrop becomes aware of unauthorized access to our internal system resources, we will notify affected users via email within 72 hours. If comprehensive information is not available at the time of the report we will include a schedule of updates, not less often than one update per week, until the issue has been resolved or concluded.
At CoughDrop we work hard to ensure communicators are respected and given the privacy that everyone deserves. If you have questions about these policies please don't hesitate to reach out to us.
© 2018 CoughDrop, Inc. All rights reserved.