R-PAS Privacy Policy

January 24, 2019



  1. Applicability
  2. Purpose
  3. Your Information
  4. Information From or About Children
  5. Data Encryption, Storage, Retention, and Portability
  6. Administrator Account Access
  7. HIPAA, HITECH, and GDPR
  8. Contact Information
  1. Applicability

    This online Privacy Policy describes how Rorschach Performance Assessment System®, LLC (“R-PAS®” or “we”) maintains and discloses information collected from each user (“you”) at the r-pas.org website. This Privacy Policy applies to the website and to any information collected through the website. It does not apply to other websites that may be linked to our website, for which users will have to refer to those websites’ privacy policies.

    We may update this policy from time to time. When we do, we will change the date at the top of the Privacy Policy text. Revisions are effective upon posting and continued use of the website following posting will indicate your acceptance of these changes. We encourage you to reread our Privacy Policy periodically to check how we are using your information.

  2. Purpose

    The purpose of the website is to provide information about R-PAS and R-PAS products and services, to permit users to contact us about our products and services, to share research and educational materials about psychological assessment, to permit users who choose to do so to interact with each other using community forum software, and to allow qualified users who choose to become account holders to purchase and download R-PAS products and services online. Use of this website is subject to your acceptance of this Privacy Policy and to the Terms of Use at www.r-pas.org and of any updates to them.

  3. Your Information

    1. Personally Identifiable Information

      Personally Identifiable Information means any kind of information we collect from you that could be used to identify, contact, or find an individual, such as name, password, organization name, e-mail address, postal address, telephone number, or fax number.

      Except as otherwise stated in this Policy, we will not sell, rent, or lend your personal information to any third party. If a user sends us e-mails or fills out a contact form on the website, we may use personal information from these sources to respond to inquiries, market our products and services in a general or personalized manner, or request feedback.

      1. Account Application and Marketing

        If you apply to become an account holder, we may use personal information from your application to confirm your qualifications, authenticate your identity, and to contact you. We may collect personal information from you and our affiliates to fulfill orders for products and services, keep track of transactions, respond to requests for assistance, and to assure compliance of the account holder with applicable contracts and terms. Upon account approval we add your email addresses to a third-party platform that we use to send notifications, updates, and a newsletter. You can opt out of receiving all notifications by using the unsubscribe feature that is located at the bottom of every emailed message. Opting out will remove your email address from that platform completely. This means that you cannot selectively receive certain kinds of notifications (e.g., the newsletter) but not others (e.g., notices concerning system updates).

      2. Community Forum

        If you choose to participate in the community forum, you will be using software that we have linked to the website. We share essential contact information (e.g., your username and e-mail address) with our contracted forum software provider, Website Toolbox. The Privacy Policy of the community forum software provider will apply to all user communications to and from the software provider’s website. Please review their privacy policy before using this service.

      3. Ordering and Fulfillment

        We do not collect personal financial information from any visitors to our website, including account holders. Account holders who wish to place orders for R-PAS products and services from the website are directed to the webpage of our affiliate, PayPro Global (PPG), a Canadian company, in order to place the order, select shipping options, and make payment. In contrast, account holders who wish to place orders directly from us are handled differently. Checks and ACH or wire transfers are bank to bank transactions. Credit card orders placed by phone or by email are processed by us either through Square, Inc. or PayPal. Please review the specific privacy policies of these vendors before using these services. Links to each can be accessed here: PPG, Square, Inc., and PayPal. These e-commerce providers do not share your personal payment information with us but they do provide us with relevant data concerning what you purchased and the transaction amount.

        We may share your Personally Identifiable Information, including your name, organization name, phone number, e-mail address, and shipping information, with affiliated third parties under contract with us in order to fulfill the orders you placed for our products and services. We will do this without limitation, which means you cannot tell us not to share this information if you wish to receive what you ordered. We also may share your Personally Identifiable Information in order to provide services or other features offered to our website users. For instance, as described more fully in the previous paragraph (3-a-ii), we will share your username and email address with the third party vendor that hosts our community forum and we will share all of your Personally Identifiable Information if you select an alternative broker to manage your account (see next paragraph).

        If you live in one of several countries (e.g., Brazil, Israel, Italy) you will have the option to select a local psychological test publisher to serve as the broker for your account. They will review your account application and provide you with electronic products, in addition to any print products they may offer. When available, such a testing company is a contracted affiliate of R-PAS. We provide them with access to your basic account information, as stored on the R-PAS site, so they can make allocations to your account. This information consists of the information obtained at the time of your application for an account (e.g., name, username), except for your password, which is not shared. These vendors cannot see and do not have access to any of the specific protocols in your account. They can, however, see and modify the electronic resources connected to your account, including the type of account you have, protocol allocations, Interpretive Guides, and the electronic version of the manual. These account brokers may collect payment information from you. That information is never shared with us. However, please be sure to review their privacy policies if you choose to have them manage your account.

      4. Website Hosting, Programming, and Maintenance

        We work with third party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, and other services. Our contracts with any affiliated third party with whom we share user information require the third party to keep all information concerning account holders acquired during the contract confidential and secure.

      5. Transferable Assets

        Although we have no plan to do so, in the course of developing our business, we might sell or transfer all or part of our business assets to a third party. In the event of such a sale or transfer, customer information, including Personally Identifiable Information, will be one of the transferable assets to the extent permitted under law.

    2. Non-personally Identifiable Information

      1. Cookies

        Like most commercial websites, our website uses “cookies,” which are small text files that our website transmits to your browser. These files provide our website with non-personally identifiable information but do identify your device and its internet access point, your browser, and information about your use of the site. Cookies allow you to remain logged in to the site, help ensure smooth transitions between web pages, and ensure your browser is correctly linked to the data you request, such as results output for a case. We will not link your IP information to Personal Data unless we deem it necessary in order to protect the integrity and security of the website or to monitor compliance with the Terms of Use. You may choose to adjust the security settings on your device to refuse cookies, but this likely will result in a loss of functionality in some parts of the website, particularly the scoring program.

      2. Web Analytics

        We may use third party web analytic services, including Google Analytics, to collect visitor information, including web browser, IP address, referring pages, and time spent on the website, on an anonymous basis to gather web trend information. We may use this information for marketing and system administration purposes and to identify problems and improve service. For further information about Google’s Privacy Policy, go to https://policies.google.com/privacy.

      3. Research and System Enhancement and Functioning

        From time to time, we may collect anonymous aggregate information from Rorschach protocols entered by account holders in the scoring system on the website to enhance the system, ensure its functionality, or facilitate the ability of users to administer, code, score, or interpret protocols. If we deem such steps to be necessary, we will not ask for your permission to use the information that is present on the site. On occasion, we may wish to conduct research for publication using protocol data that has been entered into the website by account holders who are credentialed as proficient. Prior to doing so, we will contact the user to gain their permission for us to use their protocols in this manner. We will not collect any information from protocols for publication-oriented research purposes unless the user has affirmatively granted permission.

  4. Information From or About Children

    1. This website is not intended for use by children, including anyone under the age of 13. R-PAS will not knowingly collect or process any Personally Identifiable Information from anyone under the age of 13 on this site.

    2. R-PAS Account holders may choose to use the scoring system on the website to score Rorschach protocols obtained from children and adolescents, including children under the age of 13. However, as specified in the Terms of Use, no Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1993, a/k/a HIPAA) concerning test takers, including their names, birthdates, addresses, or identification numbers that can be correlated with a list of names may be entered by users when uploading protocols or scoring information, including any children under the age of 13.

  5. Data Encryption, Storage, Retention, and Portability

    We make commercially reasonable efforts to protect all personally identifiable information from misuse, unauthorized access, or accidental loss. However, even though every communication with the R-PAS website once a user has logged into their account is encrypted using https protocol, you should be aware that there is an inherent risk in transmitting any data electronically, because of the presence of online practices such as detection, decryption, tampering, spoofing, phishing, or eavesdropping. You agree to hold us harmless from any harm, financial or otherwise, that results from unauthorized interception, viewing, or use of electronic transmissions or emails. You also are solely responsible for maintaining the security of your private information by using secure passwords and adequate malware protection and preventing unauthorized use of your computer or other web-enabled device.

    Transmission of information to and from our site is secured by Secure Sockets Layer (SSL) encryption. Through use of our website and transmission of information to us electronically, you consent to cross-border and international transmission of any data you submit. We verify the security of our website using a widely recognized vendor, GeoTrust, and using the highest level of authentication available among SSL certificates, which requires personal verification of our legal identity as a business and ownership of the www.r-pas.org domain. Although the security of transactions with our website is determined in part by your browser, our server provides the highest level of encryption possible with current internet speeds, which is 256-bit SSL encryption for ongoing transactions and a 2048-bit root certificate for initial encryption during connection and calibration. Please see information related to GeoTrust’s True BusinessID with Extended Validation Certification Practices here.

    Our data hosting provider is Cartika, with locations in both the United States (Dallas) and Canada (Toronto). They host, store, and retain system data. System backups are performed 15 times per day, with the site monitored through proactive management to guard against problems, and all data is protected with full and file-specific restore capabilities in the event of system failure. Cartika retains backup files until our storage limits are reached, after which they are purged and cannot be recovered.

    We retain information you enter into the site until you decide to delete it. You may delete all of your protocols, and all the protocols of any sub-users under your account. However, because of its risks, we do not provide a button to delete your whole account. If this is something you wish to do, contact us for assistance. We will honor your wishes and not retain any of the information you formerly possessed. We reserve the right to terminate an account if it has been inactive for a period of three or more years.

    You can change virtually all pieces of information associated with your account and its protocols on your own. Thus, you are readily able to fix any inaccuracies with most information. The exceptions relate to your username and account type (e.g., owner, student or supervisee), protocol-specific information generated by our program (i.e., when it was entered, who entered it, and how many times it has been edited), and the allocation of electronic products in the account. If you believe there are inaccuracies in any of that information, contact us and we will help correct it.

    You may download all the data you have entered into the site at any time using the Export function available when viewing protocols. The export function produces a highly portable comma, tab, or semi-colon separated file that can be readily imported into spreadsheet software. The export function works with protocols; it does not export the information associated with the owner of an account or any subaccounts that may have been created. That information consists of the user’s name, address, email address, phone number, and username. If necessary, we can assist you with exporting this information.

  6. Administrator Access

    Access to personal account information by R-PAS is limited to troubleshooting account related issues, assisting users with adding, deleting, or changing account holder information, or to assist with user account questions or problems.

    1. Access Control

      The R-PAS Administrative Team and Customer Support Team maintain access to all R-PAS accounts and the information within those accounts. Individual user passwords are not accessible to the R-PAS Administrative or Customer Support Teams.

    2. Administrator Access

      Administrators, which encompasses the R-PAS Administrative and Customer Support Teams, as well as some of the programmers hired by R-PAS to maintain or develop the website, have access to user information. Administrator access to the R-PAS site is only completed using secure web browsers (e.g., Safari, Firefox, or Chrome) on password encrypted devices.

  7. HIPAA, HITECH, and GDPR

    1. HIPAA

      The Health Insurance Portability and Accountability Act (HIPAA) provides regulations for the use and disclosure of an individual’s protected health information. R-PAS does not collect protected health information. In addition, R-PAS is not a covered entity and does not function as a business associate to R-PAS users as defined within HIPAA (see 45 CFR 160.103). Covered entities under HIPAA are individuals or entities that electronically transmit Protected Health Information related to transactions for which the Department of Health and Human Services has adopted standards. Business associates receive, create, or use Protected Health Information for or on behalf of a covered entity. Individual R-PAS account holders may operate as covered entities and be defined as such according to federal regulation. However, account holders do not disclose Protected Health Information to us. Consequently, R-PAS is not a business associate to its users.

      1. Patient Access to Assessment Results Under HIPAA

        R-PAS materials, protocols, results output, and Interpretive Guides were not intended to be handed to clients. They are sold for use by qualified professionals, or students receiving supervision from qualified professionals. Testing material is protected by intellectual property law including copyright and trademark law. The disclosure of test material could damage the test's integrity and usefulness in evaluation, diagnosis, and treatment. R-PAS recommends that account holders not provide copies of test materials, verbatim records, results output, or Interpretive Guides unless disclosure is clearly required. Under the HIPAA statute (Social Security Act § 1172(e) (codified at 42 U.S.C. § 1320d-1)), covered entities are not required to provide a patient with access to or the right to copy any test materials or reports to the extent that doing so would result in the disclosure of trade secrets. The foregoing is not intended to discourage users from providing collaborative feedback about R-PAS results to their clients, including using the Profile Pages to help illustrate any issues being discussed.

    2. HITECH

      Businesses covered by HIPAA are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires organizations to report data breaches to their users and others affected directly by the breached data. HITECH also requires business associates, vendors, and covered entities to be notified of breaches to secure data. R-PAS utilizes security features to guard against data breaches. However, in the event a data breach occurs, R-PAS will notify all affected parties.

    3. GDPR

      The General Data Protection Regulation (GDPR) is a European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The primary aim of the GDPR is to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying regulations within the EU. The policies and procedures mentioned herein are in compliance with these regulations.

  8. Contact Information

    1. Any requests to access, correct, update, or remove personal information relating to a user, or questions or concerns about this Privacy Policy should be directed via e-mail to info@r-pas.org or via post to Rorschach Performance Assessment System, LLC; P.O. Box 12699; Toledo, OH 43606. You also can contact us using our customer support line by calling 567-316-0056.

    2. You may use the same methods to contact us about making requests to opt out of receiving marketing materials concerning R-PAS products or services. However, as long as you use our services or maintain a business relationship with us, you may not opt out of receiving communications from us relating directly to those products and services, or to your business relationship with us.