Privacy policy

Last updated: November 15, 2025

BrightOutcome Inc. ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Activity Card Sort 3: Participation in Daily Life (ACS3) digital assessment platform ("Service").

1. Information We Collect

Professional Users

We collect the following information from Professional Users who create accounts:

  • Account Information: Name, email address

  • Billing Information: Credit card information, billing country, and zip code (for paying subscribers)

  • Usage Data: Information about how you use our Service

Participants

We collect assessment data from Participants who complete ACS3 sessions:

  • Assessment Data: Activity participation responses, activity priorities, barriers, responses to PROMIS or other similar questionnaires, and related assessment information

  • Authentication Data: Birthdate and zip code (only when using mobile or remote assessment modes)

  • Contact Information: Email address (only when using remote assessment mode)

  • Demographic Information: When enabled by Professional Users, we may collect birthdate, gender, race, marital status, home ownership status, city/zip code, income range, employment status, education level, and chronic conditions based on census questionnaire format

Important Note: Participants do not create user accounts. All Participant data is associated with and controlled by the Professional User who initiated the assessment session.

2. How We Collect Information

We collect information through:

  • Direct Input: Information you provide when using our Service

  • Website Tracking: Our public website uses HubSpot cookies and tracking technologies for marketing purposes for professional organizations

  • Application Usage: Our secure application (post-login) does not use cookies or tracking technologies

Marketing Communications

When you submit forms on our website, you may have the option to consent to receive marketing communications from us by checking the consent box. This consent is optional and not required to submit your inquiry. If you provide consent, we will send you information about our products, services, research updates, and upcoming programs. You may withdraw your consent at any time by clicking the unsubscribe link in any email.

3. How We Use Information

Personal User Data

  • Provide and maintain your account and Service access

  • Process payments and billing

  • Communicate with you about your account and our Service

  • Provide customer support

  • Improve our Service

Participant Data

  • Deliver assessment results and reports to Professional Users

  • Enable assessment completion across multiple sessions and devices

  • Generate relevant activity participation information to facilitate goal setting and action planning for Professional Users

Internal Research

We may retain and use properly de-identified, aggregated data for internal research purposes to improve our services and advance occupational therapy research. This research use helps us enhance the effectiveness of our assessment tools and contribute to the field of occupational therapy.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share information in the following circumstances:

Service Providers

We work with trusted third-party service providers who assist us in operating our Service:

  • Lightedge: Cloud hosting services (US-based servers)

  • Stripe: Payment processing

  • HubSpot: Website hosting and marketing services (for professional organizations)

These providers are contractually obligated to protect your information and use it only for the services they provide to us.

Legal Requirements

We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of BrightOutcome, our users, or others.

EMR Integration

When integrated with Electronic Medical Record (EMR) systems using FHIR/SMART protocols, we use single sign-on (SSO) authentication but do not share participant data with the EMR system beyond what is necessary for the integration to function.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: AES-256 encryption for data at rest and in transit

  • Access Control: Role-based access control and auto-logout features

  • Infrastructure Security: 24/7/365 secure hosting with intrusion prevention, antivirus protection, server integrity monitoring, managed security patches, and encrypted offsite backups

  • Compliance: Our hosting environment complies with HIPAA/HITECH, HITRUST, SOC 1 Type 2, SOC 2 Type 2, PCI/DSS, ISO 27001, FISMA, and FERPA requirements

  • Regular Assessments: Annual third-party NIST CSF, HIPAA/HITECH, and FERPA risk assessments

6. Data Retention and Account Termination

Active Accounts

Participant data is retained as long as the associated Professional User maintains an active subscription and chooses to retain the data.

Account Termination

When a Professional User's subscription ends:

  • Professional Users have 30 days to download their participant data in CSV format

  • After the 30-day period, we may retain de-identified, aggregated data for internal research purposes as described in Section 3

  • Individually identifiable participant records are deleted after the grace period unless the Professional User renews their subscription

7. Your Rights and Choices

Professional Users

  • Access: You can access and update your account information through your account dashboard

  • Data Export: Project Administrators can download participant data in CSV format

  • Account Deletion: Contact us to delete your account and associated data

Participants

Since Participants do not have direct accounts with us, all data access, correction, or deletion requests must be made through the Professional User who initiated your assessment session.

8. International Users

For Canadian Users (PIPEDA Compliance)

Canadian users have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including access to personal information and the ability to challenge the accuracy of data.

Participants may correct their responses during an active assessment session. Once an assessment is completed, corrections are not permitted to maintain clinical validity and assessment integrity. If significant corrections are needed, a new assessment may be conducted.

For Other International Users

Users outside the United States should be aware that information collected through our Service may be transferred to and processed in the United States, where privacy laws may differ from those in your jurisdiction.

9. Children's Privacy

Our Service is not intended for individuals under 18 years of age unless the Professional User has obtained appropriate approval for such use in an approved research study with verified parental consent. We do not knowingly collect personal information from children under 18 outside of such approved contexts. If we become aware that we have collected personal information from a child under 18 without proper authorization, we will take steps to delete such information.

10. Accessibility

We are committed to making our Service accessible to individuals with disabilities. We use accessWidget from accessiBe to support Revised Section 508 standards and Web Content Accessibility Guidelines (WCAG) 2.1 Success Criteria (Levels A and AA).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the "Last Updated" date. Your continued use of our Service after such changes constitutes acceptance of the updated Privacy Policy.

12. Contact Information

For Participants: If you have questions about your assessment data or privacy rights, please contact the Professional User (healthcare provider, researcher, or organization) who administered your ACS3 assessment. They are best positioned to address your concerns and can contact us on your behalf if needed.

For Professional Users: If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

BrightOutcome Inc.
Attention: Privacy Officer
1110 Lake Cook Road, Suite 167
Buffalo Grove, IL 60089
Email: privacy@brightoutcome.com

For technical support or general inquiries, please use our standard support channels through your Professional User account or our website contact form.

Note: This Privacy Policy applies to the ACS3 Service provided by BrightOutcome Inc. It does not apply to third-party websites or services that may be linked to or integrated with our Service.