WELLNESS RESEARCH INSTITUTE LLC, DBA Shortlister

PRIVACY POLICY

Last Updated: January 2025

This Privacy Policy explains how Wellness Research Institute LLC, D/B/A Shortlister (“we,” “us,” “our” or the “Company“) collects, uses, and discloses information about you (“user” or “you“) through our website https://www.myshortlister.com and other online products or services (collectively, the “Site“) or when you otherwise interact with us. The terms of this Privacy Policy are subject to the terms and conditions of the Agreement. In the event of any conflict between this Privacy Policy and the Agreement, the Agreement shall prevail.

For our business customers: Our data processing practices are governed by our Data Processing Agreement (DPA), available at www.myshortlister.com/dpa, which includes Standard Contractual Clauses for international transfers and additional safeguards for your data.

IMPORTANT NOTICE ABOUT SHARED DATA: Our platform facilitates business-to-business communications and data sharing. When you share information through our platform (such as sending RFPs to vendors or proposals to brokers), that information becomes part of the recipient’s business records. Please review Section 3 (Sharing of Information) and Section 7 (Your Privacy Rights) for important information about how shared data is handled.

1.   Collection of Information

  •  Information you provide to us:

When you register for the Site or update your account, we ask you to provide certain information such as your name, phone number, email address, and/or company name and address, and your credit card information. We also collect information when you participate in any interactive features of the Site, fill out a form, complete a survey, request customer support or otherwise communicate with us, or any other information you choose to provide to us.

Legal Basis for Processing (EEA/UK residents): We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services and fulfill our agreement with you
  • Legitimate Interests: For business operations, service improvements, fraud prevention, and maintaining business records
  • Legal Obligations: To comply with applicable laws and regulations
  • Consent: Where you have explicitly agreed to specific processing activities
  • Information about your use of the Site:

Usage Information

 We collect information about your use of the Site, such as the products you search for, preferences, etc.

Automatically Collected Information

When you access or use the Site, we automatically collect information about you, including:

  • Log Information: We collect log information about your use of the Site, including the type of browser you use, app version, access times, pages viewed, your IP address and the page you visited before navigating to the Site.
  • Device Information: We collect information about the computer or mobile device you use to access the Site, including the hardware model, operating system and version, unique device identifiers, and mobile network information.
  • Information Collected by Cookies and Other Tracking Technologies: We use different technologies to collect information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve the Site and your experience, see which areas and features of the Site are popular and count visits. Web beacons are electronic images that may be used in the Site or emails and help deliver cookies, count visits and understand usage and campaign effectiveness. For more information about cookies and how to disable them, please see “Your Choices” below.
  • Information from other sources:

We may obtain information from other sources and combine that with the information described above. For example, we may collect information about you from third parties, including but not limited to, identity verification services, credit bureaus, mailing list providers and publicly available sources. We may also collect information about you from other users as they use our Site. For instance, we may collect information about you from other users if they contact us about you or from reviews they submit about you.

  • Age Restrictions:

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from anyone under 18, we will take steps to delete that information.

2.   Use of Information

We use the information we collect to provide, maintain, and improve the Site, to market our products and services, to deliver the products and services you request and customize your experience with us, to process your account registration, and to communicate with you on these and other topics. We may also use the information we collect to:

  • Send you technical notices, updates, security alerts and support and administrative messages and to respond to your comments, questions and customer service requests;
  • Communicate with you about products, services, and offers offered by Company and others, and provide news and information we think will be of interest to you;
  • Monitor and analyze trends, usage and activities in connection with the Site;
  • Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of Company and others;
  • Personalize and improve the Site and provide advertisements, content or features that match user profiles or interests;
  • Comply with legal obligations and enforce our terms and policies;
  • Facilitate the sharing of information between platform users as part of the intended operation of our services; and
  • Carry out any other purpose described to you at the time the information was collected.

3. Sharing of Information

We may share information about you as follows or as otherwise described in this Privacy Policy:

Platform Operations – Shared Data Between Users:

Our platform is designed to facilitate business communications and data sharing. When you use our platform to share information:

  • When you send RFPs to vendors: The vendors receive and maintain their own copies of the RFP information, including any personal data contained therein
  • When you submit proposals: The requesting party receives and maintains their own copy of your proposal
  • When you send messages: Recipients receive and maintain copies of your communications

Important: When data is shared through the platform’s intended operations, each recipient becomes an independent data controller of their copy. This means:

  • We cannot retrieve or delete data from recipients’ accounts at your request
  • Each party is responsible for their own data retention and compliance
  • Recipients may retain shared data for their legitimate business purposes
  • Your deletion requests apply only to data in your account, not to copies held by other users

Other Sharing:

  • With vendors, consultants and other service providers (sub-processors) who need access to such information to carry out work on our behalf;
  • In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law or legal process, including lawful requests by public authorities to meet national security or law enforcement requirements;
  • If we believe your actions are inconsistent with our Terms of Use or policies, or to protect the rights, property and safety of Company or others;
  • In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company;
  • Between and among Company and our current and future parents, affiliates, subsidiaries and other companies under common control and ownership; and
  • With your consent or at your direction.

We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.

Sub-Processors:

We use carefully selected third-party sub-processors to help provide our services. Our current list of sub-processors is available at www.myshortlister.com/subprocessors. We will notify business customers at least 30 days in advance before adding or changing sub-processors, giving you the opportunity to object to such changes.

4.  International Data Transfers

Company is based in the United States and we process and store information in the U.S. As such, we and our service providers may transfer your information to, or store or access it in, jurisdictions that may not provide equivalent levels of data protection as your home jurisdiction.

Safeguards for International Transfers:

For transfers from the European Economic Area (EEA), we implement the following safeguards:

  • EU Standard Contractual Clauses (Module 2: Controller to Processor) – Available at www.myshortlister.com/scc
  • Other safeguards as required under EU GDPR

For transfers from the United Kingdom, we implement:

For details about our international transfer safeguards, please contact privacy@myshortlister.com.

5.  Data Retention

We store the information we collect about you for as long as is necessary for the purpose(s) for which we originally collected it. Specifically:

  • Active Account Data: We retain your data for the duration of your account and any applicable subscription term
  • Shared Data: Data shared between platform users (such as RFPs sent to vendors or proposals received from vendors) may be retained by the receiving party for their legitimate business purposes, even after the sending party requests deletion. Each party is responsible for managing retention of data in their own account
  • After Account Deletion: We delete personal data from your account within 90 days of account termination, except where legal retention is required or where data has been shared with other users through platform operations
  • Backup Data: Backup copies may be retained for up to 180 days for disaster recovery purposes
  • Legal Requirements: We may retain certain information for longer periods as required by law or for legitimate business purposes such as tax, legal reporting, and auditing obligations
  • Audit Trails: We maintain logs of platform activities for security, compliance, and dispute resolution purposes

6.  Security

We implement and maintain appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Industry-standard encryption for data in transit and at rest
  • Access Controls: Role-based access, multi-factor authentication, and regular access reviews
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection
  • Physical Security: Secured data centers with environmental controls
  • Monitoring: Security monitoring and incident response procedures
  • Audits: Regular security assessments

For more details about our security measures, please visit www.myshortlister.com/security or refer to our Data Processing Agreement.

Data Breach Notification:

In the event of a personal data breach affecting your information, we will comply with all applicable legal requirements. For business customers, we will notify you within 72 hours of becoming aware of a breach that affects your data or your users’ data.

7.  Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data. Please note that these rights are subject to certain limitations, particularly regarding data that has been shared with other platform users.

For All Users:

  • Access: Request a copy of the personal data we hold about you in your account
  • Correction: Update or correct inaccurate personal data in your account
  • Deletion: Request deletion of your personal data from your account (see limitations below)
  • Portability: Receive your data in a structured, commonly used format
  • Opt-out: Unsubscribe from marketing communications

Deletion Rights and Limitations:

You may request deletion of your personal data, subject to the following limitations:

  • Shared Data: When you have shared information through our platform (such as sending RFPs to vendors), we can remove data from your account but cannot delete copies that have been legitimately shared with and retained by other platform users. We will:

    • Delete data from your account and profile
    • Cease displaying it in your interface
    • Prevent future sharing from your account
    • But cannot retrieve or delete copies already transmitted to other parties

  • Other Limitations on Deletion:

    • Data necessary for other parties’ legal obligations or legitimate interests
    • Data required for audit trails or compliance
    • Data in backup systems pending scheduled deletion
    • Data we are required to retain by law

Restriction of Processing:

As an alternative to deletion, you may request that we restrict processing of your data, which means:

  • Your data remains in the system but is marked as restricted
  • We limit how your data is used
  • Your previously shared data remains with recipients but no new sharing occurs

Additional Rights for EEA and UK Residents:

If you are located in the European Economic Area or United Kingdom, you have additional rights under the EU GDPR and UK GDPR:

  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Right to Restrict: Request restriction of processing in certain circumstances
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time (this will not affect data already shared with other users)
  • Right Against Automated Decision-Making: Right not to be subject to decisions based solely on automated processing
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority

To exercise any of these rights:

  • Email: privacy@myshortlister.com
  • Online: Through your account settings (for certain rights)
  • Response Time: We will respond within 30 days of receipt

For EEA Residents – Supervisory Authority: You have the right to lodge a complaint with your local Data Protection Authority. Contact details for EU authorities: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

For UK Residents – Supervisory Authority: Information Commissioner’s Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: 0303 123 1113 Website: ico.org.uk

California Privacy Rights:

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
  • Right to Delete: Request deletion of personal information we collected from you (subject to the limitations described above regarding shared data)
  • Right to Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

California residents may exercise these rights by contacting us at privacy@myshortlister.com. We do not sell or share personal information as defined under CCPA.

8.  Automated Decision Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics or scoring we perform is used solely to improve our services and requires human review for significant decisions.

9.  Cookies and Tracking Technologies

Types of Cookies We Use:

  • Essential Cookies: Required for the Site to function properly
  • Analytics Cookies: Help us understand how users interact with our Site
  • Preference Cookies: Remember your settings and preferences
  • Marketing Cookies: Used to deliver relevant advertisements

Your Cookie Choices:

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the Site.

Do Not Track: We do not currently respond to Do Not Track signals.

10.  Marketing Communications

Promotional Communications: You may opt out of receiving promotional emails from Company by following the instructions in those emails. If you opt out, we may still send you non-promotional emails, such as those about your account or our ongoing business relations.

How to Opt-Out:

  • Click “unsubscribe” in any marketing email
  • Update preferences in your account settings
  • Email privacy@myshortlister.com with your request

11.  Data Sharing and Your Responsibilities

When you share data through our platform, you acknowledge and agree that:

  • You Control What You Share: You are responsible for the information you choose to share with other platform users
  • Shared Data Cannot Be Recalled: Once you send an RFP, proposal, or other information to another user, they receive their own copy that we cannot retrieve
  • Recipients Become Independent Controllers: Each recipient of shared data becomes responsible for their own compliance with data protection laws
  • Consider Before Sharing: Before sharing personal data of others (such as your employees or clients), ensure you have the right to share that information
  • Your Deletion Rights Are Limited: If you later request deletion, we can only delete data from your account, not from recipients’ accounts

12.  Third-Party Websites

The Site may contain links to websites and services operated by third-parties (“Third-Party Sites“). We do not endorse or control Third-Party Sites, each of which may be governed by its own terms of service and privacy policy. You are solely responsible for all liability for any damages or other harm, whether to you or third-parties, resulting from your use of Third-Party Sites. Please take all protections necessary to protect yourself when accessing Third-Party Sites, particularly when downloading or purchasing anything therefrom.

13.  Data Protection Officer

For questions about our privacy practices or to exercise your rights, you can contact our Data Protection Officer:

Data Protection Officer 
Wellness Research Institute LLC
310 Busse Hwy,
#386 Park Ridge, IL 60068
Email: privacy@myshortlister.com

14.  Changes To This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the email address specified in your account) or by means of a notice on the Site prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.

15.  Related Documents

For complete information about our data protection practices, please also refer to:

16.   Contact Us:

If you have any questions about this Privacy Policy or our privacy practices, please contact us at the following:

Wellness Research Institute LLC, DBA Shortlister

1400 Renaissance Dr, Suite 306

Park Ridge, IL 60068

630-802-2447

END OF PRIVACY POLICY