(v.1. May, 2019)
WHO WE ARE
Your.MD is a trademark of YOUR.MD AS, incorporated and registered in Norway with the company number 999260993. The registered office is at c/o Advokatfirmaet Simonsen Vogt Wiig AS, Filipstad Brygge 1, 0252 Oslo, Norway. It offers a demonstration of the Thyroid Checker on PETRA platform ("Thyroid Checker", "Chatbot", "Service/s") via its subsidiary Your.MD Limited, incorporated and registered in the UK with the company number 08727263. The registered office is Your.MD Ltd, 5th Floor, 43 Whitfield Street, London, W1T 4HD, UK (hereinafter collectively referred to as: 'Your.MD' or 'we').
Should you have any privacy-related questions, please contact us at email@example.com, subject: PETRA.
HOW WE USE YOUR DATA
Consent. Where you have consented to our use of your data.
Legitimate interests. This covers data processed by us for the purposes that can be reasonably expected within the context of your use of our service to pursue our legitimate interests, in order to improve our service and your experience, for general social benefits to enable free access to health information, to enable us to offer a safe and secure service.
FOR PROVIDING OUR SERVICE
We use your data so the chatbot can calculate the most likely condition based on your reported symptoms. Legal basis: legitimate interests and explicit consent.
FOR MEDICAL TESTING
We use your data in an anonymised form to conduct medical testing of the demonstration version of the Symptom Checker which will help us in clinical assessment of the Thyroid Checker carried out before the commercial launch.
FOR SAFETY AND SECURITY
We also use your data to improve the safety and security of our service. Legal basis: legitimate interests, to enable us to offer a safe and secure service.
FOR COMMUNICATION PURPOSES
We will use your email to respond to any queries you send to firstname.lastname@example.org. Please do not share any health data when sending emails to us as we do not respond to any case-specific health issues. Legal basis: legitimate interests, to enable us to respond to your queries.
THE DATA WE COLLECT
Indirectly identifiable data: age, gender, time zone, acquisition channel, identifiers (profile ID attached to your profile data, analytics IDs, conversation ID and Furhat identifier (face ID)).
Health data: any type of health data you share when using our Thyroid Checker.
Technical information: Your.MD's unique identifiers (profile ID, conversation ID), Furhat unique identifiers (face ID), records of events with Technical information and your interaction with our service. For example, logs on your usage of the service, which include chat information.
WHO HAS ACCESS TO YOUR DATA
We cannot provide all service necessary for the successful operation of our service by ourselves. We therefore share collected information with third-party providers for the purpose of offering and improving our service. The information we share will not identify you personally, and the providers will only use the data to offer service to us. However, we will use your email to answer your queries. For privacy-related requests, see section 6 of this Policy or send an email to email@example.com, subject: PETRA.
THIRD PARTY TECHNOLOGY PROVIDERS
Your data will be disclosed only when necessary for lawful purposes, our legal obligations and rights as stated herein, and will be limited to such purposes:
a) if required by law, for example to comply with a court order, subpoena, regulation, legal process or other governmental request
b) to exercise or protect the rights, property or personal safety of our company, our users or others
c) to enforce this privacy statement, including investigation of potential violations
d) upon fulfilling legal requirements of local legislation to supply certain service a third-party might legally request from us
e) to detect, prevent, or otherwise address fraud, security, or technical issues
f) if we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified of any change in ownership or uses of your data
g) to respond to claims that any content published within our Service or our Service violate any right of a third-party.
HOW LONG DO WE KEEP YOUR DATA
We follow generally accepted industry standards and internal procedures to protect the data submitted to us during transmission, storing, and processing. The Furhat identifier (face ID) that enables us to recognise users that come from Furhat, as well as the profile and conversation ID, are new for each session you make and get deleted after the conversation ends. This means that the data is anonymized and that we are not able to attribute the data you share with us to you personally.
We store conversation data that cannot be tracked back to you for medical testing purposes. When the data is no longer needed, we delete it using reasonable measures to protect the information from unauthorised access or use.
You can exercise your rights:
- to object and to restriction of data processing,
by sending an email to firstname.lastname@example.org, subject: PETRA.
We will process your request within 30 days of receiving it.
We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardise the privacy of others, are impractical, or if we are required to retain such information by law or for legitimate business purposes. In the event of a suspicious request made in bad faith or accompanying unlawful behavior, we reserve the right to deny any request you make. We will not respond to any enquiry emails which we do not understand, where the request is not clearly specified, or pertains to health questions as we do not offer case-specific advice. We reserve the right to delete your data after a long period of inactivity.
You should be aware that we are not able to accommodate your request for the deletion/access/copy of your data because we delete all data that could indirectly personally identify you after finishing the consultation.
Zendesk. Correcting, updating and removing your information. If you seek to exercise your data protection rights in respect of personal information stored or processed by Zendesk on our behalf (including to seek access to, or to correct, amend, delete or restrict processing of such personal information) you should direct your query to us by sending an email to email@example.com, subject: PETRA. We will then instruct Zendesk to remove the personal information and they will respond within 30 days. They will retain personal information which they process and store on our behalf for as long as is needed to provide service to us.
STORING OF INFORMATION, SECURITY AND DATA TRANSFERS
We follow generally accepted industry standards and internal procedures to protect Information submitted to us.
We process your data with the help of identifiers, namely profile ID, consultation/conversation ID, Furhat ID (face ID) to avoid personal identification.
We store your information for as long as needed to provide our service. We delete all identifiers which could indirectly identify you after each consultation. We may store the information longer, but only in a way that it cannot be tracked back to you.
We use AWS and Google Cloud Platform for storing of information.
AWS. AWS has multiple security certificates https://aws.amazon.com/security/. The data we collect from you may be transferred to, and stored at, a destination outside and inside of the European Economic Area (EEA), namely the AWS regions in the US and EU. It may also be processed by staff operating outside the EEA who work for us, or for one of our Providers. Your data will still be safe - we have entered into the AWS data processing addendum to make sure your personal information is safe, namely:
a) that the AWS will use the data only to provide its storing service
b) that it will not disclose data to any third-party
c) that AWS restricts its personnel from processing your data without authorisation
d) that we stay in control of correcting, blocking, deleting, retrieving your data
e) that AWS is responsible for implementing and maintaining the technical and organisational measures
f) that AWS is certified under ISO 27001 and agrees to maintain an information security program for the service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the AWS Security Standards
To guarantee your privacy, we securely encrypt, limit, and restrict access to your personal details.
We encrypt all your data at rest. The information is encrypted and key protected, and we have integrated commercially reasonable efforts to make sure your information remains secure when processed by us. However, please be aware that no security measures are impenetrable. If you have any concerns about the security of our service, please contact us at firstname.lastname@example.org.
EU Territory. We store your indirectly identifiable personal data for the duration of consultation and delete it afterwards. This section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication, or as strictly necessary for us to provide the Service you requested. We reserve the right to delete your profile after an extended period of inactivity.
Should you have any privacy-related questions, please contact us at email@example.com, subject: PETRA. If we are not able to help, we will forward your enquiry to our external Data Protection Officer (DPO), ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints that our DPO is not able to resolve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Prof. Dr. Johannes Caspar, Kurt-Schumacher-Allee 4, 20097 Hamburg. If you are a UK customer, you can lodge a complaint with the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Matteo Berlucchi, CEO