ExpiWell: Information for IRB

Institutional Review Board (IRB) Information

Privacy Policy

• Please visit https://app.expiwell.com/privacy for the full ExpiWell Privacy Policy.

ExpiWell Data Security and Privacy information

• ExpiWell uses industry best standards to protect customer data and data collected for research.


• Our servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched.


• ExpiWell uses Transport Layer Security (TLS) encryption, or HTTPS, for all transmitted data. All stored data is encrypted at rest using a standard Amazon EBS encryption protocol.


• Our services are hosted by Amazon Web Services (AWS) which is a well-known and trusted data center that meets the requirements of security-sensitive organizations while providing data privacy.

o As further discussed in the web link: https://aws.amazon.com/compliance/dataprivacy-faq/ “AWS’s alignment with ISO 27018 has been validated by an independent third party assessor. ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.”


• ExpiWell subscribers control their users and their data. Therefore, it is important for subscribers to practice sound security practices by using strong account passwords, not storing passwords in easily accessible places, and restricting access to their accounts to authorized persons who can access data.


• ExpiWell researchers control their users and their own participant data. Researchers may request any of their data to be deleted and it will immediately be removed from ExpiWell’ databases. To make a deletion request, Researchers must select the item they wish to delete and confirm they would like to send their request. ExpiWell performs daily backups and thus the deleted data will be retained for a set period of time. After this retention period (8 days), the Data will be automatically removed from ExpiWell’ servers. 

Personally Identifiable Information (PII) and Passive info

• ExpiWell collects sensitive information and follows industry standards to protect this data (see above). Information that may be collected include: first name, last name, date of birth, ethnicity, gender, country and state.


• This information collected is for the purpose of building a Participant's ExpiWell profile and not shared with Researchers at any time.


• Submission data may also include sensitive information, but will not include profile information and both are protected under our Data Protection practices.


• ExpiWell currently collects only two forms of passive information.

 o One form of passive information includes location or GPS (long, lat, and timezone) data. If Researchers enable data location collection, Takers must first consent to allow passive GPS information to be collected. ExpiWell requests access for Participants’s phone microphone, camera (photo and video), storage, and GPS (long, lat, timezone). We do not store any device identifiers or any other passive information that would link back to the user on the app side.

 o The second form of passive information includes anonymous passive app usage data for the purpose of detecting mobile issues and performance  metrics

Data Protection and Retention

ExpiWell servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched. ExpiWell uses Transport Layer Security (TLS) encryption, or HTTPS, for all transmitted data. Our services are hosted by Amazon Web Services (AWS) which is a well-known and trusted data center that meets the requirements of security-sensitive organizations while providing data privacy.


ExpiWell Researchers control their users and their own data. Researchers may request any of their data to be deleted and it will immediately be removed from ExpiWell' databases. To make a deletion request, Researchers must select the item they wish to delete and confirm they would like to send their request. ExpiWell performs daily backups and thus the deleted data will be retained for a set period of time. After this retention period (8 days), the Data will be automatically removed from ExpiWell's servers. It is important for Researchers and their users to practice sound security practices by using strong account passwords and not storing passwords in easily accessible places. It is also important that they are restricting access to their accounts to authorized persons who can access data.



    • Related Articles

    • Project Review for EMA and ESM

      The project review page is the final step before launching your ecological momentary assessment (EMA) and experience sampling method (ESM) project. On this page, you will be able to review the settings of your project. General Below is information ...
    • General Information about EMA and ESM Notifications

      Information about Push Notifications The ExpiWell app uses Google's Firebase Cloud Messaging push notifications to send survey and reminder and message notifications to participants. The advantages to using push notifications on the ExpiWell app for ...
    • FAQ

      These are some commonly asked questions by researchers seeking to do experience sampling or ecological momentary assessment on the ExpiWell platform. Is it possible to preview the survey? Yes, absolutely. You can go to the "App Preview" option in the ...
    • Paying Participants

      Paying Participants A. Add Payment Method Log in to your ExpiWell account on the Web. Go to “Account” and select the subscription tab. Under Payment Methods, select “Add Card”, and complete all required card information. B. Set Up Demographics Create ...
    • Changing Project Email Contact

      To enhance communication between participants and researchers, participants will be able to contact researchers directly when they view the project on their ExpiWell app. When clicking the email contact button, an email will be created that is based ...