Privacy Policy

1. Introduction

This Privacy Notice (“Notice”) describes how the Rethink Autism, Inc. (“Rethink”) collects, uses, discloses, secures, and eventually disposes of (collectively “processes”) your personal information. Personal information is any information that does, or could, identify you.

This Notice applies to personal information collected on our websites (rethinkfirst.com), mobile apps, their associated technologies and communications media, and in the course of any offline contact with you (collectively the “services”). Our websites have public and subscription-only sections. Our mobile apps are part of our subscription-only services.

Our services may contain links to external websites. This Notice does not cover those sites.

In this Notice, “you” refers to anyone about whom we process personal information. You will usually be an employee of a corporate customer of Rethink or of a corporate customer of a channel partner of Rethink; a parent of a child in whose interests the services are used; a member of a child’s “support team” (for example, a family member or teacher) who is invited to participate in the services; or a visitor to our public websites. For parents and legal guardians, “your personal information” includes your child’s personal information. In this Notice, “primary user account holder” means the employee of a corporate customer of Rethink, or of a corporate customer of a channel partner of Rethink, who enrolls for the services.

Rethink channel partners are intermediaries, selected and/or approved by your organization, through which you may access our services. This Notice does not cover the personal information processing of our channel partners. If you are uncertain whether you access our services through a channel partner, please consult your organization.

Rethink is the data controller in relation to the services.

Rethink is part of the Rethink group of businesses. This Privacy Notice applies only to Rethinkfirst.com.

2. Changes to this Notice

We will update this Notice from time to time and will communicate material changes to you through an appropriate channel (for example, via a notice in our services). The Notice was last updated on June 23rd, 2021.

3. Personal information we collect

3.1 Categories collected

We collect the following categories of personal information:

Identifiers such as your name, e-mail address, username, and IP address.
Additional personal information defined by certain applicable US state laws: address, telephone number.
Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.
Commercial information, such as your purchases from us.
Internet activity/usage on our websites and applications.
Employment-related information, such as your job role or title.

3.2 Categories of sources

We collect the categories of personal information listed above from the following categories of sources:

Directly from you, for example when you complete an online form or provide information about your child during a Rethink consultation video call.
From other users of the subscription-only parts of the services, for example if an invited caregiver mentions your child’s progress in acquiring a skill during a consultation.
We may receive information about you from your employer or our channel partner, for example your work e-mail address or other identifiers so that we can give you access to the service.
From observing your activity on our services, for example via cookies, other standard online technologies, and our routine monitoring and recording of your service usage.

3.3 Items of personal information collected

When we collect personal information directly from you, you will know the details of that information.

For Rethink Benefits At Home, it may include:

Login credentials (username and password).
Name, job role, e-mail address, telephone number; country, state, and city of location.
Your schedule of appointments with Rethink behavioral consultants.
Information you choose to provide if you create a profile for your child, for example your child’s: name, date of birth, school grade, photo, and developmental disabilities and concerns. Providing such information is completely optional and is not essential for you to use the services.
Information you choose to provide about your child to Rethink behavioral consultants in the course of a written, phone, or video consultation.
Any details about yourself that you reveal as you use free-form features of the services, for example you might mention your favorite activity with your child during a consultation video call with a Rethink behavioral consultant or include your family in a photograph you upload to the My Files area of the services.

For Rethink Benefits At Work, it may include:

Login credentials (username and password).
Name, job role, e-mail address, telephone number; country, state, and city of location.
Your schedule of consultations with Rethink neurodiversity consultants.
Any details about yourself that you might reveal during a neurodiversity consultation with a Rethink consultant, for example you could refer to your strengths and challenges as an employee or manager.
Information from training modules you take, for example your quiz score after taking a neurodiversity inclusion training module.

For Whil, it may include:

Login credentials (e-mail and password).
Name and country of residence.
The sessions and courses that you “like”.
Ratings and feedback that you give us about the service.

On our public websites, you may provide personal information in “Contact Us” or other forms and via our Chat, “Email Us” or similar features.

We collect personal information from other users of the subscription-only parts of the services only in Rethink Benefits At Home. For example, a support team member may, during a consultation with a Rethink consultant, volunteer information about how you interact with your child. Note that which support team members (for example, a spouse or therapist) are invited to access the services is entirely under the control of the primary user account holder. The primary user account holder also determines their level of access to the services (for example, whether or not they can view consultation session notes).

When we receive information about you from your employer or our channel partner, it may include:

Your name and e-mail address.
Other information items selected by your employer to assist in the segmentation of service usage reports, for example your work location and department.
Your employee number or similar unique identifier.

We collect personal information from observing your activity on our services:

We track how you use our subscription-only content, for example how much time you spend interacting with it and which sessions and courses you complete.
We routinely monitor and record your usage of our subscription-only services for the purpose of providing service security and effective user support.
We use cookies and other standard online technologies in our public and subscription-only services. Cookies allow us to recognize your device. We use them to collect information about your device and how you use our services, for example which pages you visit and how long you stay on them. Cookies also facilitate, for example, logging into and navigating our services.

4. How we use your personal information

Rethink Benefits will never sell your personal information.

Rethink Benefits may use your personal information for the following purposes:

To provide our services, for example to manage log-ins and maintain the security and confidentiality of data contained in the services; to schedule and hold consultations with our consultants; to communicate essential service information to you; to recommend content to you based on your child’s needs as reported by you; to provide customer support; and to monitor compliance with our Terms of Use.
Where permitted by applicable law, we may send you marketing messages for Rethink products that we think may interest you (see Section 9 for information about opting out of such messages).
To help us improve our services and user experience, for example by identifying which parts of our services you find useful or difficult to use. Usually, the information used for this purpose does not directly identify you as an individual.
To respond to your requests or questions, including through forms and chat features.

EU General Data Protection Regulation (GDPR) lawfulness of processing

The GDPR requires that we provide individuals in the European Union, European Economic Area, and UK (”UK GDPR”) with our legal bases for processing their personal data. Our legal basis depends on the purpose of processing:

Purpose of processing	Legal basis
To provide our services	GDPR Article 6,1(a) – your consent.
To respond to your requests or questions (on our public services)	GDPR Article 6,1(b) – in order to take steps at your request prior to entering into a contract.
Market our services to you	GDPR Article 6,1(a) – your consent.
To help us improve our services	GDPR Article 6,1(f) – our legitimate interests in improving our services and online media.

5. Disclosure of your personal information

Who we disclose your personal information to depends on the specific items of information and the purposes we use them for. Your personal information may be disclosed to the following categories of recipients:

Employees and contractors of Rethink: These personnel have roles that require access to your information (a “need to know”). They are bound by employment terms that cover their obligation to keep personal information confidential and secure and have been trained in US law governing confidentiality of personal health information.
Service providers (“processors”): We use service providers to perform certain tasks for us, for example hosting our services on a Cloud computing platform or providing secure video calling functionality. Service providers process your data on our behalf and according to our instructions. They are contractually bound to protect your data and are prohibited from using it for their own purposes.
Other third parties: We may disclose de-identified information to third parties, for example business partners or research organizations. “De-identified” information is stripped of attributes that tie it to a particular individual and which cannot reasonably be reconnected to that individual.
Services usage reports:
- Our channel partners: We disclose content usage information (for example, courses you begin or complete, and how often you log in to the services) to our channel partners so that they can provide services to your employer (for example, administer use-based incentives programs). For Rethink Benefits At Home, such information does not specify the content you interacted with, for example that you viewed a video about how to teach skills to an autistic child. Further, to be clear, we do not disclose to our channel partners your child profile or information related to your interactions with our behavioral or neurodiversity consultants.
- Your employer: We may provide aggregate data on utilization of our services to your employer. Such data is non-personal and does not identify you.
Disclosure information applicable only to specific services:
- Rethink Benefits At Home: (1) Personal information collected in our Rethink Benefits at Home environment may be disclosed to other authorized users of the services. Authorized users and their level of access to the services are determined by the primary user account holder. (2) Note that the employer who provides Rethink Benefits at Home to you as a benefit is not a user of the services and your personal information is not disclosed to them except as described in the immediately preceding section.
- Rethink Benefits At Work: Note that Rethink Benefits at Work is not designed for the disclosure to Rethink consultants of identifying information about individuals who are the subject of a consultation, and primary user account holders are actively discouraged from making such disclosures.

We have in the preceding 12 months disclosed the following categories of personal information to “service providers” (defined above):

Identifiers such as your name, email address, username, and IP address.
Additional personal information defined by certain applicable US state laws: address, telephone number.
Internet activity/usage on our websites and applications.
Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.

We will also disclose your personal information in the following exceptional circumstances:

Corporate event: Your data may be transferred to third parties as a result of a merger, acquisition, or similar corporate event involving Rethink.
Legal necessity:We will disclose your information to government agencies, law enforcement, courts, and other authorities and parties if required to by applicable law. Note that information you provide to Rethink, including to our behavioral consultants in the course of a consultation, may not be protected by physician-patient privilege.
Individual’s vital interests: If we reasonably believe based on information posted on or provided in relation to our services that the safety or vital interests of an individual are at risk, we will disclose personal information to relevant parties as necessary to assist the individual.
Protection of Rethink’s interests: Where permitted by applicable law, we may disclose personal information to our professional advisors and other qualified parties when we reasonably believe it to be necessary to protect our essential business interests.

6. Information security

We employ technical, physical, and administrative security measures appropriate to the categories of personal information processed in our services. These measures include, for example: encryption at rest and in transit, roles-based access, firewalls, and anti-virus software. For more details of our practices, please consult our Information Security Standards statement.

We protect information about individual’s diagnoses, treatments, and outcomes with particular care. Rethink is HITRUST CSF certified. HITRUST CSF is a security and privacy framework that covers, among others, HIPAA and National Institute for Standards and Technology (NIST) standards.

No matter how carefully we safeguard your information, it is unfortunately not possible to guarantee that it will never be accidentally or illegally breached.

7. Data retention

We will retain your personal information as long as necessary to fulfil the purposes for which it was collected, and to satisfy legal, accounting, and reporting obligations, or to resolve disputes or enforce our Terms of Use.

Section 9 of this Notice below describes your rights to request deletion of your data outside of our normal data retention schedule and to withdraw your previously given consent to our processing of your data.

8. International transfer

Rethink is based in the United States. Your personal information is stored on our systems in the US and is not transferred onward to other jurisdictions.

If you live in the European Union, European Economic Area, or UK, note that the European Commission has not issued an unlimited adequacy decision for the US. We obtain your explicit consent to transfer your information to the US, and cannot provide our services without that consent.

9. Your rights

US and international laws give you various rights over your personal information and that of your child. These may include the right to:

Access personal information held about you
Correct inaccurate or out-of-date personal information
Request deletion of your personal information
Restrict processing of your personal information
Data portability: Receive your personal information in a readily useable format
Object to processing for which the legal basis is our legitimate interests

When our processing of your data is based on your consent, you may withdraw that consent at any time.

Notice of withdrawal of consent and other requests to exercise privacy rights should be addressed to us using the contact information in Section 10 below.

If you believe that we have infringed your privacy rights, please contact us so that we can try to resolve the issue. However, if you are an EU/EEA/UK resident, you have the right to lodge a complaint with your EU/ EEA local supervisory authority or, in the UK, with the ICO.

9.1 Marketing

You can opt out of our marketing communications at any time using, for example, the “unsubscribe” in an e-mail message or “STOP” reply in a text message.

When required by local law, we will obtain your prior consent for marketing communications. You may withdraw that consent at any time using the “unsubscribe” or similar functionality in a marketing message. Alternatively, please contact us using the contact information in Section 10 below.

Please note that, if you are a user of our subscription-only services, you may continue to receive service communications even after you have opted out of marketing communications. “Service” communications contain important information about the service for which you are a current user.

10. Contact us

Data Protection Officer: privacy@rethinkfirst.com or +1 646 257 2919 ext. 800

Rethink Benefits
49 West 27th Street, 8th Floor
New York, NY 10001
USA

EU Representative:

MyEDPO Ltd,
Unit 3d North Point House,
North Point Business Park,
New Mallow Road,
Cork, Ireland
info@myedpo.com or +44 203 870 3376.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_40561067_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	1 year	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_group_id	never	This cookie is set by Segment to track visitor usage and events within the website.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
debug	never	No description available.
loglevel	never	No description available.
loom_anon_comment	session	No description available.
loom_referral_video	session	No description
mkjs_group_id	never	No description available.
mkjs_user_id	never	No description available.
vooplayerVideo233476	session	No description
vooplayerVideo262605	session	No description
vooplayerVideo299272	session	No description