Capsim Privacy Policy

In order for us to provide you with our services or for correspondence purposes we need to collect your personal data. We ensure that the information we collect and use is confined to this purpose. We always process your personal data for specific purposes, with the nature of the data collected depending on your interaction with us. We are committed to transparency in this.

Our legal bases for controlling or processing personal data are:

• Article 6.1(a) GDPR (Consent): You provide informed consent to us or have a reasonable expectation that we will use your information in a certain way – for example, to engage in our community discussions, or to hear about new services or offers. You can withdraw your consent at any time by request to privacy@capsim.com
• Article 6.1(b) GDPR (Contract): Providing our services and fulfilling our obligations to you, usually relating to a terms of service or partnership agreement;
• Article 6.1(c) GDPR (Legal Obligation): The necessity to meet compliance with our legal obligations; and/or
• Article 6.1(f) GDPR (Legitimate Interest): Where it is in our legitimate interests to do so. We only rely on ‘legitimate interests’ as the legal basis for processing by us, or third parties we use, for these purposes:
  • business development; or
  • providing login systems to users via their existing accounts.

Where we rely on a specific basis for processing your information and you wish to object to that processing, you must be aware that it might not be possible for you to continue using our services.

Capsim collects information from you whenever you visit or use the website, some of which you provide voluntarily and some of which is collected automatically. In addition, Capsim may receive information about you from Other Business Parties. This can be information that you provide through our websites, over the phone, through email, including when you:

• create an individual or corporate user account;
• request support;
• register for or participate in an online class, exam, certification, training, webcast or other event;
• request information or materials;
• when you interact with our services.
• participate in surveys or evaluations;
• participate in promotions, contests or giveaways;
• make a purchase through our shopping cart or register products;
• apply for employment;
• submit questions or comments; or
• submit content or posts on our forums or other interactive webpages.
• when you fill a registration form or otherwise submit your personal information.

We may need to pass your personal data on to third-party service providers contracted to Capsim in the course of providing you services. We do this because there are services, such as our videos and chat features, which will not work unless we are able to make these transfers. Any third parties we share your data with are obliged to keep your personal data secure and use it only for necessary service delivery.

https://www.capsim.com/ may use your information for the following purposes:

• Providing and maintaining our Service, as well as monitoring the usage of our Service.
• For data analysis to identify usage trends and to evaluate and improve our Service, products, services, and marketing efforts.
• Managing your account. Your Personal Data can enable access to multiple functions of our Service that are available to registered users.
• Determine your eligibility for Capsim products and services and to provide you requested Capsim products and services.
• Respond to your inquiries and provide you customer support and to foster communication and collaboration among you, Capsim and Other Business Parties including informing you about opportunities to participate in Capsim’s Challenges.
• Analyze how Capsim’s website, products and services are being accessed and used to improve Capsim’s website performance and delivery and to improve Capsim’s products and services, including training and quality assurance.
• To prevent misuse of Capsim’s websites and apps by you or others.
• Record and analyze your academic performance, results, outcomes and preferences.
• Obtain and process payment for Capsim products and services and to maintain business records.
• For the performance of a contract. Your Personal Data will assist with the development, undertaking, and compliance of a purchase contract for products or services you have purchased through our Service.
• To contact you. Capsim will contact you by email, phone, SMS, or another form of electronic communication related to the functions, products, services, or security updates when necessary or reasonable.
• To update you with news, general information, special offers, new services, and events.
• Testimonials and customer feedback collection. If you share a testimonial or review about your experience using our Service, it will be shared or otherwise used on the website.
• Dispute resolution and site protection. Your information will be used in the instance of a legal dispute to resolve issues related to our Service.
• Enforce Capsim’s Terms of Use and Terms and Conditions as may be required or permitted by legal, regulatory, industry self-regulatory, insurance, audit, or security requirements applicable to you, Capsim or any Other Business Party

Your Financial Information will be used to provide requested products and services, to analyze operational and business results, to analyze risk, and to conclude a transaction between you and either Capsim or an Other Business Party. It will not be sold, rented, or otherwise transferred to anyone for any other purpose. Capsim uses the services of a third-party service provider to process credit card payments. Therefore, Capsim itself will not have access to you credit card information. In addition, the third-party service provider has agreed that it only uses your [personally identifiable] credit card information to process your payments.

If you are using Capsim products or services in your capacity as a student of an Other Business Party that is subject to the U.S. federal Family Educational Rights and Privacy Act (FERPA) (“Covered Educational Institution”), to the extent that your Personal Information is an “education record” under FERPA, it will be subject to FERPA. If you want to assert your rights under FERPA, you should contact your Covered Educational Institution.

Capsim will share your information only with your explicit consent. Your information may be shared to a third-party for reasons including:

• Analytics information. Your information might be shared with online analytics tools in order to track and analyze website traffic.
• Improving our Service. Your information might be shared with third-party service providers in order to improve our Service and/or interactions with providers.
• Payment processing and recovery services. Your information will be used in order to process payments in the event of a purchase, refund, or other similar request.
• Marketing initiatives. Your information will be used for generating and sending newsletters, email marketing efforts, advertisements, and more.
• Corporate transactions. Any other entity which buys us, or part of our business will have the right to continue to use your Personal Data, but subject to the terms of this Privacy Policy.
• Compliance and harm prevention: (i) to comply with applicable law; (ii) to enforce our contractual rights; (iii) to protect the Services, rights, privacy, safety, and property of Capsim, you, or others; and (iv) to respond to legal requests which may include authorities outside your country.

Any third party we share your information with must disclose the purpose for which they intend to use your information. They must retain your information only for the duration disclosed when requesting or receiving said information. The third-party service provider must not further collect, sell, or use your personal information except as necessary to perform the specified purpose. We seek to enter into Data Processing Agreements with our third party service providers to ensure they only process your data as instructed by us. If you obtain products or services directly from us on behalf of others we will ensure those third party service providers have a Data Processing Agreement (DPA) with us.

If you choose to provide such information during registration or otherwise, you are giving Capsim permission to use, share, and store that information in a manner consistent with this Privacy Policy.

Your information may be disclosed for additional legal reasons, including:

• Complying with applicable laws, regulations, or court orders.
• Responding to claims that your use of our Service violates third-party rights.
• Enforcing agreements you make with us, including this Privacy Policy.

We will process (collect, store and use) the information you provide in a manner compatible with GDPR. We maintain physical, organizational and technical safeguards for all personal data we hold. We will endeavor to keep your information accurate and up to date, and not keep it for longer than is necessary. We are required to retain certain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept are governed by specific business sector requirements and agreed practices. Personal data can be held in addition to these periods depending on individual business needs.

We will process different forms of personal data for as long as it is necessary and proportionate for the purpose for which it has been supplied and we will store the personal data for the shortest amount of time possible, taking into account legal and service requirements.

All data is stored on servers that are located in the US. Production servers and data are hosted in Amazon Web Services (AWS) Cloud. Capsim products are web application platforms, therefore all the data is separated logically, rather than physically. Retained data can be deleted upon client’s request. At the 7-year mark, data will be either deleted or archived. All stored passwords and email addresses are encrypted. Please note that user passwords are not provided during LTI integration.

Authorization of data is done via SSL protocol with validated private keys and secrets. Data is accessed by authorized personnel only: Capsim Employees and Third-Party certified secure AWS contractors have all signed Privacy and Non-Disclosure Agreements.

The personal information which is accessed is First Name, Last Name, Student ID, Student Email. This information is stored for the convenience of the Professor and Students for teamwork and grading. Upon request, this information can be made anonymous by using randomly generated placeholder info. Students can only see their own personal information and grading data. Professors can see data for all students and courses which they are teaching.

All stored personal information is used only for the purpose of the client/user. Capsim does not sell, rent, or lease any personal information.

Amazon Web Services (AWS) Cloud

As mentioned, all production servers and data are hosted in Amazon Web Services (AWS) Cloud. The IT infrastructure that AWS provides is in alignment with security best practices and IT security standards, including: SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018, ITAR, FIPS 140-2, MTCS Level 3

As well as several industry-specific standards, including:

• Criminal Justice Information Services (CJIS)
• Cloud Security Alliance (CSA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)

AWS Physical Security

All physical access to AWS facilities is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors are required to present identification and are signed in and continually escorted by authorized staff.

All physical access to data centers by AWS employees is logged and audited routinely.

We have no interest in collecting any data beyond that needed to ensure our services work for you. If you are going to be contacted by us for marketing purposes, we will not rely solely on this privacy notice. We will endeavour to seek your consent appropriately. Capsim does not sell data, and has no intentions in doing so in the future.

All marketing activities must comply with our Privacy & Marketing Policy, its related procedure, and all applicable laws at all times.

At Capsim we understand the importance of protecting the personal data of children under the age of 16. It is not our intention to collect personal data from a child. If you believe that a child has disclosed personal data or that we hold personal information about a child, please email us at privacy@capsim.com.

At any point while we are in possession of or we process your personal data, you have the following rights:

• (GDPR) right of access – you have the right to request a copy of the information that we hold about you;
• (GDPR) right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete;
• (GDPR) right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records;
• (GDPR) right to restriction of processing – where certain conditions apply to have a right to restrict the processing;
• (GDPR) right of portability – you have the right to have the data we hold about you transferred to another organisation;
• (GDPR) right to object – you have the right to object to certain types of processing such as direct marketing;
• (GDPR) right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling;
• (GDPR) right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below;

To exercise your data protection rights please contact our DPO at Privacy@Capsim.com.

We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your Personal Data. If you feel that you have not received a satisfactory response from us, you may have the right under applicable laws to consult with the data protection authority in your country.

For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches the email address that we have on file. If we no longer need to process Personal Data about you in order to provide our Services or our Sites, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

Cookies are defined as ‘small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.’ You can find out all about cookies, how to manage them and delete them, and how to manage your browser settings, at the UK ICO and www.aboutcookies.org.

You can change or withdraw your consent to the cookies we use at any time contacting the Privacy Team at Privacy@Capsim.com You can also opt out of being tracked by Google Analytics across all websites.

Please note that if you manage your consent or your browser and third party settings to block cookies, some or all of the Website and Services may not have full functionality and your user experience may be impacted.

If we provide social media links or interactions on our website, such as like or share buttons, and you interact with them, the social media organization may drop cookies and they will be covered by the Privacy Policy of that organization. We typically do not receive any personal data collected as a result of such interaction, although we may receive aggregated reports.

• Strictly necessary cookies. Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.
• Performance cookies. Performance cookies are used to see how visitors use the website, eg. analytics cookies. Those cookies cannot be used to directly identify a certain visitor.
• Targeting cookies. Targeting cookies are used to identify visitors between different websites, eg. content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.
• Functionality cookies. Functionality cookies are used to remember visitor information on the website, eg. language, timezone, enhanced content

Your information’s security is important to us.

Capsim utilizes a range of security measures to prevent the misuse, loss, or alteration of the information you have given us. However, because no security can ever be 100% guaranteed, Capsim cannot guarantee you against the loss, misuse, or alteration of your Personal Information and you must access our service at your own risk.

Capsim is additionally strongly committed to security and privacy of the personal data that is entrusted to us. Data at rest and in transit is encrypted using Advanced AES 256 Encryption. User data is only used for the necessary purposes of the simulation.

Capsim does not sell, rent, or lease any Personal Information. Our EU representative under the GDPR is Kimura Limited d/b/a Apex Privacy - Main Street, Portarlington, Co. Laois, Ireland. All production servers and data are hosted in Amazon Web Services (AWS) Cloud within the US.

Capsim is not responsible for the performance of websites operated by third parties or your interactions with them. When you leave this website, we recommend you review the privacy practices of other websites you interact with and determine the adequacy of those practices.

Our servers are being continuously monitored for uptime with immediate escalation to the authorized system administrators for any downtime. In the event that a security incident is suspected to have resulted in a breach of personal information, notification of the affected entities will occur within 48 hours of the breach. Upon discovering a possible security breach, system administrators focus on investigating and containing the breach as well as addressing appropriate gaps to prevent the incident from reoccurring. Client will be continuously updated on the status of the investigation, containment, and follow-up actions.

Public Status Page: https://status.capsim.com/

When developing any software through our agile methodology, the project is divided into iterations. Our secure design standards are applied to each iteration which will be implemented as part of the product requirements.

Our secure design strategy focuses on three main areas for every iteration. Confidentiality - data is protected from unauthorized individuals/systems. Integrity - data remains complete and uncorrupted. Availability - data is accessible only by authorized users without interference. Additionally, we incorporate server-side session checks prior to allowing access to software updates in order to verify the authenticity of the user. Finally, we also verify security guards that are in place combined with automated testing and version control prior to any release.

Capsim’s website may contain links to other websites. Some of them may collect your Personal Information and may apply their own policies on how your Personal Information is used. Please read all applicable policies of all websites you visit. Capsim is not responsible for the privacy practices of anyone else’s website(s).

Personal Data may be stored and processed in any country where we do business, or our service providers do business. We may transfer your Personal Data to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data accross borders, we take measure to comply with applicable data protections law related to such transfer. Official (such as law enforcement or security authorities in those countries may be entitled to access your Personal Data.

We comply with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be.

Capsim’s international transfer of personal data collected in the European Economic Area, the United Kingdom, and Switzerland is governed by Standard Contractual Clauses.

Capsim updates our privacy notice when necessary or in response to:

• Feedback from our community, customers, relevant authority, industry or other stakeholders;
• Changes in our products or services; and/or
• Data processing or policy changes.

If you have any questions about our privacy policy, please contact us by email at privacy@capsim.com