CVKey Privacy Policy

Last Updated: June 3, 2020


CVKey is a non-profit initiative operated by SafePassCV, Inc., a Kansas based 501(c)(3) non-profit corporation (“CVKey”). CVKey provides a suite of privacy-first software applications to help public health officials, business owners, and community members respond to public health incidents. This Privacy Policy explains our practices regarding the collection, use, and disclosure of information that we receive through our websites located at www.cvkey.org and www.cvkeyproject.org (the “Sites”), and our mobile applications (the “App” or “Apps”). The Sites and Apps and associated features and offerings are referred to here, collectively, as the “Services.” This Privacy Policy applies to everyone who interacts with our Services including without limitation, visitors, registered users, account holders, Community Members, Community Managers, and Community Administrators. (Community roles defined below.) All such users of the Services including Account holders and non-Account holders are referred to here, collectively, as “Users.”


Data Ownership  We don’t own your Personal Data. You do.


Personal Data  “Personal Data” means  any information about you that could be used to uniquely identify you. This includes, for example, your name, address, email, phone number, location, health information, date of birth, and age, amongst many other things.


Information Collected and Purpose  We only collect the Personal Data that we need in order for the Services to work for our Users. In fact, much of the information that we request from Users is not actually “collected” by CVKey, because it does not leave the User’s device. More on this below, but suffice to say we’re proud of that.  This section explains more about the data we request and collect.


Community Member Info “Community Members” (or “Members”) are the largest group of our Users. They ultimately use the App as a type of entry pass that gets them admission into different locations in their community, or communities. If you choose to create a profile as a Community Member, the App requests the following types of information from you: first and last name, your zip code, date of birth, a profile photo, the communities you’d like to join, and potentially an ID number (like a student ID) if your community requests that users provide one. Once you’ve joined a community, you’ll be prompted to answer a short symptom survey that your community has selected or approved, and so those answers are also information the App requests of you. The answers generate a health status for you (blue, yellow, orange, etc.). You may also update that health status later through a number of different means. Here’s the important part: all of that information stays on your phone. It is not sent to CVKey’s servers or anywhere else. 


Purpose We request information about Members in order to create your Member profile on your device, to help you verify your identity to Community Managers (where required by the community), to generate the health status that is stored on your device, and to help you verify that health status to Managers in your community that oversee access to physical locations. We may additionally use the data to prevent misuse of our Services, for instance creation of duplicate accounts.

Community Manager Info  "Community Managers" (or "Managers") are individuals appointed by the Community Administrators to perform certain roles across the community. For instance, some Managers will help Community Members get their health status updated by verifying the Member's test result. Other Managers will help Community Members with in person verification of their IDs, where the community requires it. If you are selected to be a Manager and choose to create a profile as a Manager, the App requests the following types of information from you: the name of your location(s) where you act as Manager, the phone number at that location, the address and zip code for that location, and the location hours. In addition, prior to your creating your Manager profile, an Admin user in your community will have provided us with the following information through the Admin console: your full name and email address, your function or role as Manager, and the community you are associated with. Unlike Member information, Manager information is necessarily stored centrally on CVKey servers.

Purpose  We collect information about Managers in order to create your profile on your device, to associate you with the correct community, to allow CVKey and your Community Administrators to contact you, to assign you the appropriate permissions that you need for your role as Manager, and to allow other Members of your community to locate, contact, and identify you when they need to reach out to you.

Community Administrator Info "Community Administrators" (or "Admins") are generally employees or staff of a community and are responsible for appointing Managers, establishing community policies, and generally overseeing the implementation of our Services for your Community.  If you are designated as an Admin, we will request and collect the following types of information about you from either yourself or another Admin in your community: your first and last name, email address, and your role and permissions as an Admin.  Admins may also be asked to provide a range of information about the community itself, for instance, the name and location of the community, name and location of places within the community, community health policy information, community access policy guidelines, and other information and instructions specific to your community. As with Manager information, Admin information is necessarily stored centrally on CVKey servers.

Purpose We collect information about Admins in order to create your community Admin account, to allow you to access the Admin console on the Site, to associate you with the correct community, to assign you the appropriate Admin role and permission, and to contact you about the Services. We use the information about the community itself in order to customize our Services for community Members and Managers, to communicate important information about the community (such as health policies, access policies) to Community Members and Managers, and generally to share information with your community on your behalf and make sure the Services work as best they can.

App Log Data  When you use the Apps and your mobile device connects to our server, we may collect certain information that your device sends as part of the network connection process, including not limited to IP address, user agent information, host information, connection type, content length, and language setting.

Purpose  App log data is standard information that most devices send when installed apps connect to a server. We may use app log data to monitor and improve the functioning of our Services, and to prevent fraud or abuse of the Services. CVKey does not use this data to try to determine your identity.

Site Log Data  When you access the Sites, either as a visitor or as an Admin accessing the Admin console, we collect certain information that your device sends as part of the network connection process, including but not limited to IP address, language preferences, user settings, operating system information, browser and user agent information, hardware information.

Purpose  Site log data is standard information that most websites obtain when you visit them. We may use app log data to monitor and improve the functioning of our Services, and to prevent fraud or abuse of the Services. CVKey does not use this data to try to determine your identity.

Feedback  We may reach out to some Users to request feedback or survey responses about our Services.  These will always be voluntary. Responses you provide will be collected and stored by CVKey. We may request your name or contact information in order to follow up with you, but it will be your choice whether to provide that information.  Feedback that Community Members provide to us will not be connected to their User accounts. Feedback from Managers and Admins may be connected to your account.

Purpose We request and obtain feedback from Users in order to help us better understand our Users and improve our Services. If you choose to provide contact information, we may use that to reach out about your feedback.

Support Interactions  If you reach out to CVKey through a support channel - for example email or in-app support - to request help with using the Sites or Apps, we (or our support service provider) may obtain or request contact information from you, so that we can provide the support you need. CVKey will obtain and store the contents of any communications you might send through support channels.

Purpose We obtain information from Users through support requests in order to respond to those requests, resolve any issues that may exist for the User, and to generally better understand and improve our Services.

Information Your Community May Provide In some cases - for example, where the community is a university or employer - the Community Administrators may initially provide information to CVKey, including without limitation, the name and contact information of Admin, Managers, and Members

Purpose  We obtain information about you from your community for a variety of reasons, including, to invite you to join the community or download the Apps, to initiate the account creation for Managers and Admins, to associate you with the correct community, to assign you the appropriate role and permissions as Admin or Manager, to contact you about the Services, to customize and implement our Services for Community Members and Managers and Admins, and to communicate important information (such as health policies, access policies).

Information Collected Using Cookies and Similar Technology  We utilize some automated data collection tools such as cookies and beacons on the Sites to collect information from Site visitors and users. Cookies are small text files that are placed on your device by a web server when you access the Sites. Web beacons are tiny graphics with a unique identifier that may be included on our Sites or in emails from us. Although most browsers automatically accept cookies, you can change your browser options to stop automatically accepting cookies or to prompt you before accepting cookies.

Purpose  We obtain information through these technologies in order to authenticate users, analyze Site traffic, understand the impact of marketing channels, improve account security,  and prevent fraud and other misuse of the Services.

Information Usage  Our overarching purpose in collecting information is simply to provide a service that helps communities respond to public health incidents, and to do so as best we can. The previous section addressed specific purposes for which CVKey obtains information about Users and the communities. This section addresses a number of more general ways in which that information may be used.  We may use the information we obtain to:


There may be other purposes for which your information might be used by CVKey, but only if those are disclosed to you at the time we request or receive the information, or if you have otherwise consented to the use.

Information We Share with Third Parties We will not share any information that we have collected from you or regarding you except as described below, or as otherwise described in other parts of this Privacy Policy. Keep in mind as you review this section that CVKey does not collect or retain names, contact info, or health data from our Community Members.


Within Your Community Information about Community Managers will be shared widely within a community, in order to allow Community Members to find, contact, and identify them. Information about Community Admins may also be shared within the community, so that they can be reached by Members.

Services Providers and Business Partners  We may engage third-party services providers to work with us to administer and provide the Services, including but not limited to our vendors (e.g. fraud detection services, web hosting providers, resellers). These third-party services providers may have access to the same information about Members, Managers, and Admins that CVKey possess, but only for the purpose of performing services on our behalf.

Other Third Parties We may share anonymized or aggregated data we collect from the use of the Services, such as non-identifying aggregate statistics about the Service that we create based on the information we receive from you and other users.

Information Shared with Web Analytics Services Providers We use an open source analytics service provided by Matomo on our Sites to gather information about how users engage with the  Sites. This entails their collection of Site log data, like IP address, user agent, page visits, time stamps, etc. For more information about Matomo and why we choose to use them, please visit their site.

Information Disclosed in Connection with Business Transactions In the event we are acquired by a third party as a result of a transaction such as a merger, acquisition, or asset sale, or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, it is possible that information about Users may be disclosed or transferred to a third party acquirer in connection with the transaction. Even in this event, however, because CVKey does not own your Personal Data, the acquirer will not obtain ownership rights over your Personal Data.  

Information Disclosed for Our Protection and the Protection of Others We cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal process (including subpoenas); (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general; and (iii) to stop any activity that we consider illegal, unethical or legally actionable activity.

Your Data Rights  In accordance with applicable law, you may have the right to: (1) Access personal information about you consistent with legal requirements. In addition, you may have the right in some cases to receive or have your electronic personal information transferred to another party. (2) Request correction of your personal information where it is inaccurate or incomplete.  In some cases, we may provide self-service tools that enable you to update your personal information or we may refer you to the controller of your personal information who is able to make the correction. (3) Request deletion of your personal information, subject to certain exceptions prescribed by law. (4) Request restriction of or object to processing of your personal information, where such requests are permitted by law. (5) Obtain categories of personal information we have either disclosed or sold for a business purpose in the past 12 months.

If you would like to exercise any of these rights, please contact us at support@cvkeyproject.org. We will process such requests in accordance with applicable law.

Responding to Do Not Track Signals  Our Sites do not have the capability to respond to "Do Not Track" signals received from various web browsers.

The Security of Your Information We take reasonable administrative, physical, and electronic measures designed to protect the information that we collect from or about you (including your Personal Data) from unauthorized access, use or disclosure. Please be aware, however, that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information.

Data Retention We store the Personal Data we receive as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.  Because we do not obtain any identifying information or health information from Community Members, if you are a Member and want your account and data to be deleted, you can simply delete the App from you phone.

International Transfer  Your Personal Data may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you're located outside the United States and choose to provide your Personal Data to us, we may transfer your Personal Data to the United States and process it there.

Our Policy Toward Children  Our Services are not directed to children under 13, and we do not knowingly collect Personal Data from children under 13. If we learn that we have collected Personal Data of a child under 13, we will take steps to delete such information from our files as soon as possible.

Your California Privacy Rights If you're a California resident, you have certain privacy rights under California law, including the California Consumer Privacy Act of 2018 ("CCPA"). Our California Privacy Notice addresses these rights.

Revisions to this Privacy Policy Any information that is collected via our Services is covered by the Privacy Policy in effect at the time such information is collected. We may revise this Privacy Policy from time to time. If we make any material changes to this Privacy Policy, we'll notify you of those changes by posting them on the Sites or in the Apps or by sending you an email or other notification. We'll also  update the "Last Updated Date" above to indicate when those changes become effective.

Sovereign Authority  If you are located in the European Economic Area or the UK and required by applicable law, you may have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.

Questions Please contact us at support@cvkeyproject.org if you have any questions about our Privacy Policy or wish to exercise any of the rights enumerated here.