Your.MD Privacy Policy

PRIVACY BASICS

(last update November 2018)


We need some information from you if you want our Services to work. If you would like to know what we do with your data here at Your.MD, keep reading, it’s only a few sentences. Please make sure you read the full version of the Privacy Policy before consenting to our Services as it includes more detailed information.

GDPR STATEMENT


We have changed our data processing to comply with the Regulation (EU) 2016/679 (EU GDPR) by following the data minimisation principle and anonymising /pseudonymising personal data where feasible.

How is your data kept private?

We store your personally identifiable data in the User Database. When using our Services this consists of your personal details (e.g. email address) and persistent identifiers (e.g. Guest Profile ID). We store your Chat data and everything that you enter when using our Services in the Health database. The User Database and Health Database are stored in separate databases, meaning that whatever you type into our Chat is not connected to information that could personally identify you. This way directly personally identifiable data is stored in a separate database than health data and each database has its own assigned ID (Profile ID for User Database and Consultation ID, Conversation ID for Health Database). This way, we are able to research the usage of our Services, verify medical accuracy as well as conduct internal analytics without knowing anything personal about you. Your IP address is used for determining location, but masked (hashed) when stored on our backend. In limited cases, we will need to access your Health Database by Profile ID/IP address for security defense against malicious activities, and to trace bugs, solve technical errors, ensure security ect. and for clinical safety. Push Notifications are sent in an anonymised manner using push tokens, which allow messages to be sent to you, but do not directly identify you. We do not share User Database/Health Database data with OneStop Health™ Providers.

As a Guest User you can use our Services by sharing the minimal amount of data we need to provide our limited Services to you, and without you being directly identified. We will not collect any historical personal information (name, email etc.). All other data will be stored off the firebase token which expires per session and changes for each guest usage and each session. You will receive a new Guest User Database (incorporating age, gender, Guest Profile ID, analytics user ID, country, region (not specific enough to identify the street), time zone, service preferences, acquisition channel, IP address, Conversation/Consultation ID) each session. You will also receive a new Guest Health Database record, incorporating health and conversation data (Chat data), Conversation ID, age, gender, personal factors, metrics, Profile ID each session. We won’t be able to link the sessions together and they will expire between one hour and one day of inactivity. However we are able to link sessions together when conducting analytics using analytics user ID: userpseudoID (Firebase ID) or Client ID (Google Analytics ID), which does not directly identify you and is only used for our internal analytics to improve our Services and your experience. We have considered safeguards to reduce the impact where possible which is why we are changing the Guest User Database and Guest Health Database record per each session. Before starting the consultation you will be asked to determine your gender and year of birth. We will collect temporary location data so that we can show you relevant OneStop Health™ Providers in your country. The location data at country level is never stored on your device and is deleted after each session. However it is stored in our analytics logs so that we can view aggregated traffic at country level and is deleted after six months. The location data at city level is stored in our backend logs and deleted within six months. Technical logs include your IP address and is stored for up to 6 months and hashed where feasible. We only use this hashed IP address to provide the safety and security of our Services. As a Guest User you will be able to use limited Services that do not require the storing of data by way of directly identifying you, these include reading articles in the Health A-Z, using our Service and using the Symptom Checker - without being able to save your consultation. If you want a personalised experience, you will need to sign in with your email/Google/FB account and become an Authenticated User. In this event we will use the same Guest Profile ID that was given to you in the Guest User session, when you requested such change, but we will not be able to tie it back to your past conversations.

As an Authenticated User you will share more data with us so that we can offer you all the features. Your User Database includes personal details: full name, email, age, gender, social media account info and picture url, country, region (not specific enough to identify the street), time zone, service preferences, messenger’s information, acquisition channel, authorisation token for Google, Facebook, phone number for all of you who have authenticated with Facebook and have not added your email to Facebook Account, password for email authenticated users, geolocation for authenticated users who opt in to Find Service Near You and persistent identifiers: Your.MD unique identifier namely Profile ID, IP address, Conversation ID (conversation identifier)/Consultation ID (term used for conversations that include consultation), analytics provider user ID: userpseudoid – the pseudonymus id (e.g. app instance ID) for the user or user_id – the user ID set via the setUserId API). Your Health Database includes Profile ID, age, gender, Conversation ID, chat and consultation data (Chat History - search history, selected symptoms, duration, rejected symptoms, questions and answers to clarify symptoms, probable conditions, personal factors that affects the consultation outcome – age, gender, location, medical conditions, chosen symptoms and duration), metrics, consultation reports (including the Consultation ID to which you relate), viewed articles in Health A-Z and Top Tips, as well as the information you decide to share with us, namely: Health Tracker data (health metrics from third parties you authorise to disclose the data to us), Notes you make within the App if the App permits it, Personal factors, Medical Conditions inserted into your in-App Profile (Smoker, Obesity, High blood pressure, Diabetes, Chronic kidney disease, Chronic obstructive lung disease, Coronary heart disease, Stroke, Cancer), Self-assessments, Quizzes you have done, responses to our Chatbot about understanding our Symptom Checker, whether the questions asked are relevant, whether you find the condition our Symptom Checker calculated helpful, Push Notification tokens, triage messages. In the future, the data you voluntarily share with us may include this Health Info: Medical and Family History, Vital Signs, Lifestyle, Health Assessments etc. We also collect your IP address and assign you a Profile ID and Conversation ID for each conversation. Your User Database and Health Database are stored in a separate database. This enables us to process the data without directly identifying you. Our technical and medical team can check our Services through the usage of Your.MD user identifiers without knowing anything personal about you (for example name, email address). With the help of the Your.MD user identifiers, we are able to connect the User Database with your Health Database in limited cases. This is only for security defense against malicious activity, as well as clinical safety on limited occasions.

As an Authenticated User using our Android App, you can withdraw your consent at any time by visiting Your Profile/Settings/Profile and choosing ‘’Delete Profile’’ option. This will anonymise or delete all personally identifiable data and you won’t be able to get it back, although you will still be able to use our Services as a Guest. You can change notifications by visiting Your Profile/Settings/Notification Preferences. To withdraw consent for event based and contextual notifications, please use the notification settings within your mobile device or see the Opt-Out Section of this Privacy Policy. You can also change your data collection settings by visiting Your Profile/Settings/Privacy and untoggling the ‘’Health Info’’ option. As a user of our iOS App and Web App you can withdraw your consent/object to processing by sending us an email to privacy@your.md. For Messengers, you can withdraw your consent by using the delete profile/data option within messengers and sending us an email to privacy@your.md. You can deactivate Health Goals notifications in Health Goals section of our iOS App and delete Health Tracker history within Health Tracker. For more information on how to opt out of specific Providers/features, please see the Opt-Out Section of our Privacy Policy.

Right to object and to restriction of processing

We are processing your data on legitimate interests’ basis when using our Services as Guest User (either on Android App or Web App), using our Site or receiving business emails and so you have the right to object to our processing. We have limited the amount of data we collect and cannot directly identify you. To exercise your right to object or restrict processing, please send us an email to privacy@your.md.

Right to access and data portability, copy, rectification

As an Authenticated User using our Android App, you can request your data by visiting Your in-App Profile/Settings/Profile and choosing the ‘’Request Your Data’’ option. You can use the Personal Info section of Your Profile to change the data you inserted. If you are using our iOS App you can change the data you inserted in the Account or Profile section of the App and send an email to privacy@your.md for more info. When using messengers, please contact your messenger provider and send us an email to privacy@your.md. You have the right to request rectification of inaccurate personal data that can not be rectified within our Services by sending an email to: privacy@your.md. We will send you the personally identifiable data within 30 days of the receipt of your request. In case we need to acquire your data from third parties, this might take longer.

Right to erasure

As an Authenticated User using our Android App, you can request erasure of your data at any time by visiting Your Profile/Settings/Profile within our App and choosing the ‘’Delete Profile’’ option. Users on iOS App should send us an email with a “Delete my data” request to privacy@your.md. As a Guest User using our Android App or Web App, you should be aware that we are not able to accommodate your request for the deletion of your data because we cannot personally identify you due to the Guest User Database and Guest Health Database changing per session and not collecting any data that could directly personally identify you. Similarly, we cannot carry out the deletion request if you are a visitor of our Site as we do not store any data that could directly identify you. If you stop using our Services, we will delete all data within six months, as stated in this Privacy Policy. If you are using Messengers, please send an email to privacy@your.md. Upon such request we will delete the personally identifiable data on our end and refer you to the messenger to do the same. We will delete the personally identifiable data within 30 days of receiving your request.

To prevent malicious activity we reserve the right to request a copy of your ID, Passport or other official identification documents before sending the data to you. In the event of a suspicious request made in bad faith or accompanying unlawful behavior we reserve the right to deny any request you make.

As a Guest User, we will process your data for internal analytics to improve our services, for security purposes (so that we can intervene in case of security breaches or crashes, and to check bugs), to adhere to the medical devices regulation, ensure clinical safety and provide safe Services. We wanted to give you an option to use our services even if you are not prepared to consent to the full data collection to adhere to the data minimisation requirement, as well as for general social benefits to enable more free access to health information (e.g. legitimate interests).

As an authenticated Android, iOS App and Messenger user, we process your data based on your explicit consent, which you can withdraw at any time.

When you are using our Site we process your data on a legitimate interests basis to improve our Service and your experience.

While exploring the possibilities of collaboration with business representatives of potential B2B customers/salespersons we collect and process business emails based on our legitimate commercial interests.

Data Protection Officer

Should you have any data processing or privacy related questions, please contact us at: privacy@your.md. In case we are not able to help or upon your appeal, we will refer your request to our External Data Protection Officer ("DPO"), ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints we or our DPO is not able to solve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Prof. Dr. Johannes Caspar, Kurt-Schumacher-Allee 4, 20097 Hamburg, https://datenschutz-hamburg.de/pages/kontakt/ or if you are a UK customer, with Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, https://ico.org.uk/make-a-complaint/.

Why we need your data?

We process your data to offer our Services such as the Symptom Checker (so that you can access past consultations), Health A-Z (so that you can view articles about diseases/conditions), Health Tracker (to track health, fitness metrics and your feelings), Symptom Tracking functionality (to enable you to track your symptoms over time), to display Alerts/Reminders (to help you manage your health), Health Goals (to receive articles about topics of your interest), Notes (to insert your notes), Push Notifications (contextual, event based and Health Goals you chose to receive), Personalised Health Plans (so that you can follow the personalised health plan based on general health assessment to improve your wellbeing) to enable you to use our assessments, Quizzes, Tools and to recommend third-party services via our OneStop Health™ Platform. We use the information we collect to constantly improve our Services, to personalise your experience as well as for security and clinical safety reasons. We use your data to recommend services in your location based on your consultation/searches. We encrypt all user and profile data at rest and all personal information is double encrypted with two keys at both the infrastructure and application level.

OneStop Health™ Platform

If you decide to use our OneStop Health™ Platform and click on a third-party service listed, you will leave our Services and be redirected to our providers’ services. Please be aware that by doing so, your data processing will be governed by the provider’s Privacy Policies and not by us. Please read the links available in our Privacy Policy before you start using third-party services.

Third Party Technology and Providers

You can use our Service with various messengers such as Kik, Skype, Telegram. By doing so your data processing shall be governed by such messenger’s individual privacy policies you accepted when registering for their service, so please read those carefully before starting to use such services. We check how you use our Services to improve them and personalise your experience with the help of analytic providers. You can use our Services via various messengers and by doing so, you accept such parties’ data policies. We use third-party providers for surveys, user support and sending newsletters.

Data deletion

We follow generally accepted industry standards and internal procedures to protect the information submitted to us, during transmission, storing and processing. We store your data for as long as needed to provide our Services. We process your request to delete/access data within thirty (30) days of its receipt. We delete the logs we keep of the IP addresses you have used after approximately 6 months.

WE RESPECT YOUR PRIVACY


(last update November 2018)

We respect your privacy and we take protecting it seriously. If you have any privacy related concerns, please contact us at: privacy@your.md

Your.MD Services (hereinafter referred to as: "Services") is offered by Your.MD Limited, incorporated and registered in the UK with company number 08727263 whose registered office is at Your.MD Ltd, 5th Floor, 43 Whitfield Street, London, W1T 4HD, UK (hereinafter referred to as: "Your.MD", "We").


Before you start using the Services you will need to actively accept this Privacy Policy and confirm that you have read and agreed to our data processing practices as described herein. By doing so, you consent to the collection and usage of your data, so please read this Privacy Policy carefully. We do not share any of your User Database/Health Database data with our OneStop Health™ Partners. We share collected data with our Providers only for the purpose of offering the Services to you and improving your user experience. If there is anything you do not understand, please contact us at privacy@your.md. If you are using our Services as a Guest, or use our Website, we will collect the minimal amount of data we need to provide the Service, without directly identifying you. In this case, we will use your data on a legitimate basis interests as described in the GDPR Statement of Privacy Basics.

This Privacy Policy describes how Your.MD collects and uses the information and/or data (the terms are used interchangeably) you provide. It also describes the choices available to you regarding our use of your information and how you can access the information. We will never use your data for any purpose not explicitly stated herein. Your.MD Services should only be used by persons over the age of 16 or older and capable in your country of residence of entering into legal binding agreement to use our Service.

COLLECTION OF INFORMATION


In order for you to be able to use our Services, we need to collect limited information (the term "data" or "information" is used collectively for the information stated below).

Technical Information

  • Device model, screen information, mobile service provider, installed App version, OS version, location (country and city), time zone (when using Your.MD services via mobile apps)
  • User agent (web browser type and version) for those parts of the app that use an embedded web browser, country and region, time zone (when using Your.MD services via Web App and Site)
  • IP address at the time of usage ("IP address"), Your.MD’s unique identifiers, namely Profile ID and Conversation ID/Consultation ID, social network picture URL at the time of log in (the last one refers to Authenticated User only)
  • User’s interaction with the App/Services
  • Kik, Skype, Telegram and other messenger identifiers (when using Your.MD services on these messenger platforms)
  • Logs with technical information as stated above
  • Logs on your usage of the Services as described in Analytical Information section
  • Logs with Symptom Checker Information as described in Symptom Checker Information Section
  • Logs on your usage of Quizzes, Self-Assessment and tools, BMI calculator (your answers, score etc.), the articles you view in the Health A-Z, Top Tips and our OneStop Health™ Platform.

Analytical Information

APPS

  • Hashed IP address, hashed Profile ID and hashed Conversation/Consultation ID
  • Logs with technical data as described under Technical Information
  • Logs with Symptom Checker Information as described under Symptom Checker Information
  • Analytics provider’s unique user ID (Firebase ID)
  • Various information on how you use the Service such as: Sessions (when you started a session, and how you used it); App remove (if you deleted the mobile App); App update (when you upgraded to the new version); Authentication (tracking whether you attempted to authenticate, if you were successful and whether you used Google, Facebook or email authentication); Acquisition channel (which Google/Facebook ad you clicked on to get to our Services – Google Ads, FB Ads, older version of the App, organic or paid channel); Chat Activity (whether you did any of the following in chat: a) Symptom check (all data inputted by the user, plus the outcome and feedback), b) general search (all data inputted by the user, plus the outcome and feedback), c) Quiz/Self- Assessment (plus outcome and feedback), d) Three strike (whether you sent an input that failed to be understood by our chatbot), e) Navigation path through Chat menu, f) Tutorial, g) OneStop Health™ partner Q&A, g) Consultation report Activity (whether you: opened a consultation report, viewed all tabs of the report - for different conditions, clicked through to OneStop Health™, clicked to full article, provided Consultation feedback, deleted reports, viewed consultation history); Consultation Activity (your interaction with consultation e.g. whether you exited the consultation or whether a consultation was started for a primary user or an additional user); Health A-Z Activity (whether you use the Health A-Z - all articles you view, save, share or download); OneStop Health™ Activity (whether you view a partner, search for a partner, view or click on the partner link); Health Tracker activity (whether you are logging your feelings, syncing with Google / Samsung Health, viewing graphs, Notification activity (whether you opt out and to what notifications); Opening menu (what you select in the opening menu), General App Analytics (general activity within our Services such as whether you view the About Us section); Screen Activity (every screen you view, time spent on a specific screen); Profile activity (whether you complete your basic information (name, age, gender, email, Country) and medical information (medical conditions) in your in-App Profile); Push Notifications (whether you sign up for, receive and open the various push notifications, such as Health Goals, follow ups or symptom tracking); Symptom Tracking (whether you sign up for symptom tracking, the symptoms you track and whether you sign up for notifications); AB testing (whether you are in the test or control groups for the experiments we run to improve our app); Home Feed (the items that appear on your personalised Home Feed and whether you interact with them); Personal Health Plans (whether you sign up for, and participate in, the Personal Health Plans, and your interactions with the associated features, such as symptom tracking and article views).
  • Logs on your usage of the Quizzes, Self-Assessment and tools, BMI calculator (your answers, score etc.), the articles you view in the Health A-Z, Top Tips and on our OneStop Health™ Platform.

To improve the quality, safety and security of our Services, and for our internal analytics, we collect analytical data using Google Analytics for Firebase (“GAF”) along with Google BigQuery ("BigQuery”), as described in Analytics Providers section.

WEB APP

  • Hashed IP address, hashed Guest Profile ID, hashed Conversation ID/Consultation ID
  • Logs with technical data as described under Technical Information
  • Logs with Symptom Checker Information as described under Symptom Checker Information
  • Analytics provider’s unique user ID (Client_ID) that is stored in a cookie
  • Various information on how you use the Service such as: Sessions (when you started a session, and how you used it); Acquisition channel (which Google/Facebook ad you clicked on to get to our Services – Google Ads, FB Ads, older version of the App, organic or paid channel); Chat Activity (whether you did any of the following in chat: a) Symptom check (all data inputted by the user, plus the outcome and feedback), b) general search (all data inputted by the user, plus the outcome and feedback), c) Quiz/Self-Assessment (plus outcome and feedback), d) Three strike, e) Navigation path through Chat menu, f) Tutorial, g) OneStop Health™ partner Q&A, g) Consultation report activity (whether you: opened a consultation report, viewed all tabs of the report - for different conditions, clicked through to OneStop Health™, clicked to a full article, provided Consultation feedback, deleted reports, viewed consultation history); Health A-Z Activity (Whether you use the Health A-Z - all articles you view, save, share or download); OneStop Health™ Activity (whether you view a provider, search for a provider, view or click on the proder’s link); Opening menu (what you select in the opening menu), General App analytics (general activity within our Services such as whether you view the About Us section); Screen Activity (every screen you view, time spent on a specific screen)
  • Logs on your usage of the Quizzes, Self-Assessment and tools, BMI calculator (your answers, score etc.), the articles you view in the Health A-Z, Top Tips, and on our OneStop Health™ Platform.

While you are exploring our Web App we process your limited data to help us understand how you engage with our Services, to help us improve them as well as your experience and for safety and security purposes. We collect analytical data using a third party analytics provider Google Analytics (‘’GA’’), as described in Analytics Providers section.

MESSENGERS

  • IP address, Profile ID, Conversation ID/Consultation ID, Messenger ID
  • Logs with technical data as described under Technical Information
  • Logs with Symptom Checker Information as described under Symptom Checker Information
  • Analytics provider’s unique user ID
  • Various information on how you use the Service such as: Sessions (when you started a session, and how you used it); Acquisition channel (which Google/Facebook ad you clicked on to get to our Services – Google Ads, FB Ads, older version of the App, organic or paid channel); Chat Activity (whether you did any of the following in chat: a) Symptom check (all data inputted by the user, plus the outcome and feedback), b) General search (all data inputted by the user, plus the outcome and feedback), c) Quiz/Self-Assessment (plus outcome and feedback), d) Three strike, e) Navigation path through Chat menu, f) Tutorial, g) OneStop Health™ partner Q&A, g) Consultation report Activity (whether you: opened a consultation report, viewed all tabs of the report - for different conditions, clicked through to OneStop Health™ Platform, clicked to full article, provided Consultation feedback, deleted reports, viewed consultation history); Health A-Z Activity (Whether you use the Health A-Z - all articles you view, save, share or download); OneStop Health™ Activity (whether you view a partner, search for a partner, view or click on the partner link); Opening menu (what you select in the opening menu); General App Analytics (general activity within our Services such as whether you view the About Us section); Screen Activity (every screen you view, time spent on a specific screen)
  • Logs on your usage of the Quizzes, Self-Assessment and tools, BMI calculator (your answers, score etc.), the articles you view in the Health A-Z, Top Tips and on our OneStop Health™ Platform.

We use Google Analytics (“GA”) on messengers to track your activity using Services available on messengers, as described in Messengers section.

SITE

  • Hashed IP address
  • Logs with technical data as described under Technical Information
  • Analytics provider’s unique user ID (Client_ID), third party cookies
  • Various information on how you use the Site such as: Acquisition channel (which Google/Facebook ad you clicked on to get to our Services – Google Ads, FB Ads, older version of the App, organic or paid channel); Health A-Z Activity (Whether you use the Health A-Z - all articles you view or share); Marketplace Activity (OneStop Health ™ Platform) (whether you view a partner, search for a partner, view or click on the partner link); Opening menu (what you select in the opening menu); General Site Analytics (general activity within our Site such as whether you view the About Us section); Screen Activity (every screen you view, time spent on a specific screen); AB testing (whether you fall into the test or control groups for the experiments we run to improve our Site).

We use Google Analytics (“GA”) on our Site and we have requested to mask your IP address before it is stored to our technical and analytical logs, as described in Website Section.

Symptom Checker Information

  • User Database: full name as per email/Google/FB profile, year of birth or age, gender, email address, social media picture Url, country and region (not specific enough to identify a street), geolocation (if you decide to provide consent), time zone, Services preferences (push notifications, Health Goals, Symptom Tracking, Alerts/Reminders enabled etc.), Country of residence, email/FB/Google account information (used for sign in and identification purposes only), messenger’s information, acquisition channel.
  • Health Database consists of Chat History (Symptom Checker conversation data), Profile ID, Conversation ID/Consultation ID, articles in Health A-Z and Top Tips you have viewed, Self-assessments (such as mood assessment etc.) and Quizzes you have done as well as the information you decide to share with us. Namely, the Health tracker data, which enables you to store information about your wellbeing; in some cases, you can also sync the Health Tracker with your health and fitness apps’ health metrics such as steps, weight, heart rate, blood pressure, and sleep; Notes (data you voluntarily insert into Health Tracker for example your mood; only available for some versions of our Services); Medical Conditions inserted in your in-App Profile (such as high blood pressure, smoker, coronary artery/heart disease, stroke, chronic kidney disease, diabetes, obesity, chronic obstructive lung disease, cancer). In the future we could include Medical and Family History (of diseases such as coronary artery disease, diabetes, stroke, specific cancers), Vital Signs (including heart rate, blood pressure, oxygen saturation, temperature, weight and height), Lifestyle factors (Health Info).
  • Additional Users Profiles - name (family name not required), year of birth, gender.
  • Third Party Profile - name (family name not required), year of birth, gender.
  • Chat History (conversation logs, your search history, selected symptoms, duration, rejected symptoms, questions and answers to clarify symptoms, probable conditions, personal factors that affect the consultation outcome (age, gender, location, medical factors, chosen symptoms and duration), medical factors inserted into your in-App Profile, reasons for you not understanding our Symptom Checker, whether the questions asked are deemed relevant, the fact that you do not have the condition our Symptom Checker calculated based on your entries, Push Notification tokens, triage message, Conversation ID).

USE OF INFORMATION


We use your data to provide our Services, and to make constant improvements with troubleshooting, testing, research, internal analytics and surveys, to ensure the best user experience. When you use the services of any of the Providers available through our OneStop Health™ Platform you accept our Provider’s privacy policies, which are available in the section “Our Providers".

User Database

We use your User Database (and Additional User Database you may insert) information for the purposes of the Symptom Checker to help us better understand your reported symptoms. We normally do not tie your User Database with the Health Database when checking the performance of the Services. In limited cases, we need to tie your User Database/Health Database by using a hashed IP address/Profile ID for security and clinical safety reasons. You can set up an account by signing in with your email/Google/Facebook account. By doing so you give us permission to access and use your information as permitted by such services. We will use your email address and registered name obtained from Google/Facebook/other email account for identification purposes. The action of signing in with your email address and password is done with the help of the Firebase Authentication tool.

Symptom Checker

We use Technical, Symptom Checker and User Database/Additional User Database Information to be able to provide the Symptom Checker service to you. The Symptom Checker will ask you questions to assess the most likely conditions, based on your reported symptoms. To ensure pseudonymisation (*), we store the Health Database and User Database data in separate locations, meaning that whatever you type into our Symptom Checker is not directly connected to your User Database/Additional User database. With the help of the Your.MD identifier (Profile ID), we can use the Chat History/Health Database (including age and location, but not your name or email) for internal analytics and research to improve our Services and the Symptoms Checker’s algorithm in a pseudonymised way. For example, if you tell our Symptom Checker that the information it provided was not relevant, we can research the inserted information without personally identifying you via your name or email. We use the Symptom Checker’s results to suggest relevant Providers to you on our OneStop Health™ Platform, but it is completely up to you to decide if you want to use any such services/products or not. If you decide to use our Provider's Services your data collection while using their services will be governed by such Provider's Privacy Policy.

We will store our Symptom Checker’s results in the Health Tracker section of our App/Services or in the "Profile" section under "Consultations", to enable you to keep track of your Consultation Reports. We also use the Chat History to send you follow-up notifications for relevant conditions and offer Symptom Tracking. We will ask you if you are feeling any better and provide useful information according to your response. We will offer to track your symptoms for a continuous period of time to see how they change. Please see the Opt-Out Section/GDPR Statement of this Privacy Policy for the instructions about enabling/disabling Push Notifications.

*Pseudonymisation is a procedure by which identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. This means the processing of personal data is done in a manner that the personal data can no longer be attributed to you. It is done without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that your in-App Profile data are not attributed to you in an identifiable form.

We do not use this data for the Symptom Checker's calculation: health tracker data such as mood, step metrics, your Notes, weight, heart rate, blood pressure, sleep, Medical Conditions (such as high blood pressure, smoker, coronary artery disease, stroke, chronic kidney disease, diabetes, obesity, chronic obstructive lung disease, cancer) and your Subjective Scores (such as mood assessments) for Symptom Checker calculation. In the future we plan to include Medical Conditions into the Symptom Checker’s calculation.

Push Notifications

We may send you various Push Notifications based on the Symptom Checker’s results, Consultations, Symptoms, Conditions (Contextual Push Notifications), Health Goals (Health Goals Push Notifications), Self-Assessments, and other notifications based on your behavior within our Services and/or your in-App Profile (Event Based Push Notifications). Event Based Push Notifications may be sent as reminders for inactivity (not completing authentication etc.), to recommend articles based on your Health A-Z search and/or to recommend OneStop Health™ Service providers available in your territory. We might also use your User Database data namely age, gender, and acquisition channel, to send various push notifications related to such characteristics. For example, we might send an article we think may be of interest to users in a certain age group, or send you articles we think might be interesting to you. Push Notifications are sent in an anonymised manner using push tokens, a technical solution that allows messages to be sent to you but that do not directly identify you. We do store the notifications sent to each push token so that we can throttle the frequency of messages sent to each person and avoid sending excessive or repetitive communications. We do not store information that individually identifies you directly with the information on the push notifications you have been sent. For more information about various types of Push Notifications please see our Terms of Service. For more information on how to opt out please see the Opt Out Section of this Privacy Policy.

OneStop Health™ Platform

We use the information that was calculated by our Symptom Checker to present the Providers that might be useful, based on your reported symptoms. Our OneStop Health™ Platform consists of vetted professional health Providers who supply specific services, treatments and products to help you with staying healthy and medical or health related problems. We will not disclose any of the User Database/Health Database data to our Providers within the OneStop Health™ Platform. If you click on the link provided within the chat, or click on one of the Providers within the OneStop Health™ section of our Services, you will leave our Services and be redirected to our Providers’ service. Please be aware that by doing so, your data processing will be governed by our Providers’ Privacy Policy. Please see the links in Section “Our Providers". We have created a local database on the device to remember if you (for Authenticated Users only) have clicked on One Stop Health™ Partners. We will use this data only to ask for your feedback later.

Find Services Near You

By accepting the location permission by clicking Okay, you will be able to use Find Services Near You. This feature enables us to collect the longitude and latitude of your mobile device so that we can find services near you. As well as related information using Google Maps APIs (namely, Places Search and Places Details). By using this feature, you consent to Google's Terms of Service and Privacy Policy, all of which is hereby incorporated into this Privacy policy. For more information on how Places API and Places Details works, please see Place Search and Place Details. For more information on how Google processes your location data, please see Types of Location Data Used By Google and Google Privacy Policy.

We do not store your location data as we are using Google APIs. We will only process your location data when you use ''Find Places Nearby'', and we won't store them. You can withdraw your consent at any time by disabling your location permission for our App within the settings of your mobile phone. You can exercise your right to access, rectify and delete your data with Google by accessing your account: https://myaccount.google.com/security#signin.

Temporary caching*. We are allowed to temporarily store limited amounts of Google Maps Content for no more than 30 consecutive calendar days under specific conditions determined from Google. For more information please read Google Maps Platform Service Specific Terms.

*Caching is the technique of storing frequently used data/information in memory, so that when the same data/information is needed next time, it can be directly retrieved from the memory instead of being generated by the application.

Health Goals

We can help you stay focused on your health priorities. Via our Health Goals section, you can choose the health-related topics that are of interest to you and we will send you useful and actionable information, written by doctors. For more information on how to opt out please see the opt out Section of this Privacy Policy.

Health Tracker

Our Health tracker service enables you to store information about your wellbeing and your Chat History (for some versions, consultations are stored in the your in-App Profile area of our Services under section "Consultations"). Some version will store this information only if you tell us that the result of our Symptom Checker was useful. Newer versions allow you to delete Consultation Reports by clicking on the trash bin icon on the top right side of the Report. You can also add your own data via the notes section (only in some versions of our Services), and sync with your health and fitness apps data, to get useful insights relevant for your health. We will use this data on a pseudonymised basis to help improve our Services. Some versions enable you to store your own Notes. Notes will be stored for your convenience only and will not be used by us. You can access your Notes by contacting us at privacy@your.md when using the versions without the Notes feature available. Please make sure you do not store any sensitive information (such as, but not limited to, medical health records, doctor's diagnosis, prescriptions etc.) in Notes. We store this information only in technical logs, but not in the User Database and we do not use them for the Symptom Checker calculation.

Quizzes, Self-Assessments and Tools, BMI calculator, Top Tips

We store the data related to your interactions with these sections and use them solely to improve the user experience. We do not take this data into account when you are using the Symptom Checker and we do not add it into Your Profile. We collect your answers to our quizzes, self-assessments, BMI calculator and the scores/outcome.

Health A-Z (Health Library)

You can find health information within the "Health A-Z" ("Library") section of our Services. You can store preferred Articles in newer versions of our Services by clicking on the "Save Article" icon and the Article will be saved in the "Health A-Z" under the "Saved Items" section. You can review saved articles without an internet connection.

HealthKit for iOS users

Our App uses HealthKit to make your user experience better. Any personal data gathered from HealthKit and also any other health or fitness data (“HealthKit Data") gathered from our Services will never be used for advertising or data mining purposes neither used for, or disclosed to any third parties. We will use HealthKit Data solely for providing our Services, namely for the purpose of providing health, motion, and/or fitness services in connection with our Services, to improve health management, or for the purpose of health research, all with your permission only. We do not conduct health-related human subject research.

Medical Conditions, health info (Family History, Vital Signs, Your Subjective Scores)

Medical Conditions available in your in-App Profile (such as high blood pressure, smoker, coronary artery disease, stroke, chronic kidney disease, diabetes, obesity, chronic obstructive lung disease, cancer) will be collected if you decide to voluntarily share them with us and could be used for the Symptom Checker's calculation in the future. This data will be stored in the Health Database. The data that you voluntarily share with us might include Health Info in the future: Family History (of diseases such as coronary artery disease, diabetes, stroke, specific cancers), Vital Signs (including heart rate, blood pressure, oxygen saturation, temperature, weight and height), lifestyle and health assessments (such as mood assessments) etc.

Personalised Health Plan

The Personalised Health Plan (“PHP”) enables you to improve your wellbeing by following the personalised health plan based on your responses in the General Health Assessment (“GHA”). In GHA you will be asked to assess (by choosing one of the options e.g. most of the time, some days, rarely) your wellbeing by answering 12 wellbeing relating questions (e.g. in the last month, how would you rate your overall health?). Based on your answers you will be recommended to follow your personalised health plan to improve your health habits. The data collected will only be used for providing you with the PHP sending you daily reminders for symptom tracking, and weekly notifications about health tips; our internal analytics to improve our Services; and for user’s experience.

E-mail

When you log in to use our Services or when you subscribe to receive emails about new articles published on our Blog or to participate in our Tester Program, you may enter your email address. Your data - namely your name, email address, and IP address - is then transferred to MailChimp (a third party service provider that we use for sending out newsletters on our behalf). MailChimp uses your data to provide and support their service to us and may share your data with third parties for the same purpose. Your data is stored on a secure MailChimp server. MailChimp is not allowed to sell your data. They will give an individual, either us or you, access to any Personal Information they hold about you/us within 30 days of any request for that information. For more information read Mailchimp Privacy Policy. You can unsubscribe from the list by clicking on unsubscribe from the list link available in the footer of every newsletter that you will receive.

We will use your email to send you articles about the topics you mark you would like to receive in the Health Goals section of our Services, to send you other information upon your request or approval, to update you about our Services, to respond to your queries, to inform you about material changes to our Privacy Policy, to send you research questionnaires/surveys that will help us improve our Services, to send you emails about our new articles published on our Blog or if you have decided to participate in our Tester program. You are free to opt out at any time.

Any information you send to care@your.md and/or privacy@your.md shall be deleted as soon we respond to your enquiry and/or the information is no longer needed.

We also give your data to Kickbox, the email address verification service provider we use to validate email addresses and find out whether or not they can be delivered to. Kickbox collects information under our direction. They may transfer personal information to companies that help them provide their service to us. Transfers to subsequent third parties are covered by the service agreement between Kickbox and us. Kickbox acknowledges that you have the right to access your personal information. Kickbox has no direct relationship with you. If you seek access, or to correct, amend, or delete inaccurate data you should direct your query to the us by sending an email to privacy@your.md. If requested to remove the data Kickbox will respond within 30 business days. Kickbox will retain personal data they process on our behalf for as long as needed to provide services to us. Kickbox will retain this personal information as necessary to comply with their legal obligations, resolve disputes, and enforce their agreements. For more information about Kickbox data processing read Kickbox Privacy Policy.

When we collect your email by conducting a Survey, we will use it only for the purposes of the Survey. If you for example confirm that you would like to receive notifications when we develop a specific feature, we will inform you when this feature is available. If you carry out a risk assessment survey, we will send you the results of the assessment via email.

Improving our Services

We use your data to improve our services and your experience by conducting internal analytics, troubleshooting, root cause analysis in the event of an error or bug, testing, research and surveys. We store your Health Database and User Database data in separate databases, meaning that whatever you type into our chat is not connected to information that could personally identify you. This way we can check how well we did without knowing anything personal about you. For example, if we want to improve the Health Tracker, your data will be aggregated in most cases and if we need to access a specific Profile, we will do so by using the Your.MD ID (Profile ID) so that your name or email will not be seen or needed. In limited cases, we will need to access your Conversation History and IP address/Your.MD ID/Conversation ID to trace bugs, solve technical errors, ensure technical and clinical safety and distribute answers.

OUR PROVIDERS


We cannot provide all services necessary for the successful operation of our Services by ourselves. We therefore share collected information with our Providers for the purposes of offering the Services to you and improve your user experience.

ANALYTICS PROVIDERS

We use the information we collect with the help of our Analytics Providers to constantly improve our Services and make it better for you. We chose our Providers carefully and we set the most restrictive controls they offer to ensure they do not use your data for any purposes other than providing services to us. The Analytics Providers process the information we share - namely information on how you use the Services by their own unique user ID’s, but they also have access to your IP address. We do no share your name, email or Profile ID’s with analytics providers, but they have access to the year of birth, gender, country & region (but not street level), push notification preferences (signing up for Health Goals) and acquisition channel.

Analytics Providers are considered as data processors according to the GDPR. That means that they collect and process data on our behalf, pursuant to our instructions. We are data controllers who retain full rights over the collection, access, retention, and deletion of our/your data at any time.

Analytical Providers’ use of data is controlled by the terms of their contract with us and any settings enabled by us through the user interface of their product.

Google Analytics for Firebase

To improve the quality, safety and security of our Services and for our internal analytics we collect analytical data using Google Analytics for Firebase (“GAF”) along with Google BigQuery. GAF allows us to collect data on the usage of the Services via our Apps and also when you are using our Services as a Guest within Apps. We use your data only for the purposes of our internal analytics to improve our Services and we do not allow sharing of your data with other parties and their products or services. GAF collects this data: Unique Identifiers, browser type and settings, operating system, mobile network information, IP Address (which is anonymised before any storage or processing takes place), crash reports and device identifiers as well as an App-Instance Identifier — a randomly generated number that identifies a unique installation of an App. They collect this information when you install the app. Your device periodically contacts GAF servers to provide information about your device and connection to their services. GAF use various technologies to collect and store information such as application data caches.

We do not share any data that could directly identify you with GAF or Big Query. We use Firebase created userpseudoid which does distinguish one mobile phone from another, but does not personally identify the user to conduct analytics. Hashed Profile ID, Conversation ID and Consultation ID is stored in BigQuery and used when conducting analytics. BigQuery database includes conversation logs (identified with hashed Conversation ID, Consultation ID and Profile ID) along with the analytics data collected through GAF. Profile and Consultation ID cannot be retrieved in Big Query as hashing is a one-way process, meaning original unhashed data cannot be generated from hashed data. This way analytics data is based on GAF pseudo_id and hashed Conversation ID, Consultation ID and Profile ID which does not directly identify a user of our Services. In limited occasions where users consent to receiving push notifications, we send push notifications to users via Firebase using Profile ID.

We use the Firebase Authentication feature only to enable you to sign in with your Email/Google/FB account, to facilitate your account management. Firebase Authentication stores this data: Password (only relevant for users authenticated with the “Email” authentication method), Email address, Phone number (only relevant for users authenticated with Facebook, for which the email address is not available). It also uses User agent strings and IP addresses to provide added security and prevent abuse during sign-up and authentication. We also use these Firebase features: Remote Config., Crash Reporting, Analytics (about usage of our App in an pseudonymised way), and Firebase Cloud Functions. For more information, please see Google Analytics for Firebase Use Policy, Informations for Visitors of Sites and Apps Using Google Analytics, How Google uses information from sites or apps that use their services, Terms of Service for Firebase Services.

Google BigQuery

We use Google BigQuery (an enterprise data warehouse) along with GAF for our internal analytics to improve our Services. We can draw and analyse data from GAF using BigQuery. BigQuery database includes Conversation history (identified with hashed Conversation ID and Profile ID along with the analytics data collected through GAF). Profile ID and Conversation ID cannot be retrieved in BigQuery as hashing is a one-way process, meaning original unhashed data cannot be generated from hashed data. For more information, please see Google Service Specific Terms.

Tableau

Tableau is a third party Analytics Platform, that we use for graphic visualisations of the data extracted from Firebase Analytics and BigQuery. It has access to hashed Profile ID and hashed Conversation ID. For more information, please see Tableau Software Privacy Policy.

We use Google Optimize with GAF data to quickly and easily identify areas of our App that can be improved upon. We use this service to provide you A/B tests and track whether you were involved in an AB test, whether you were part of test or control group. For more information on Google Optimize, please see https://marketingplatform.google.com/about/optimize/.

AWS Analytics

AWS Analytics does not access or use your data for any purpose other than to provide services to us, as legally required and for maintaining the AWS services. We have chosen strong encryption for your data. For more information, please see AWS Privacy Notice. AWS Analytics is only used in our iOS app.

Google Analytics

We use Google Analytics (“GA”) on our Site and Web App. When you visit the Web App or our Site, as with all web sites and apps, your web browser automatically sends the IP address and information on how you use the Services. Processing is based on GA created browser ID with the use of cookies. GA uses IP addresses to provide and protect the security of the service, and to give us a sense of where in the world you come from (also known as "IP geolocation"). GA provides a method to mask the IP addresses they collect, and we requested such masking, which means that GA anonymises the IP address as soon as technically feasible, namely at the earliest possible stage of the collection network before any storage or processing takes place by obfuscating the last few digits. The full IP address is therefore never written to the disk in GA’s platform. For more information on IP Anonymisation in Analytics, please read IP Anonymization in Analytics. We do not send any of your user IDs (Profile ID or Consultation ID) and conversation logs to GA, but the analytics data sent to them does include fragments of the conversations. We store your hashed Profile ID and hashed Conversation ID/Consultation ID along with your conversation in analytics database and we use this information when conducting internal analytics through BigQuery.

GA process the data based on GA identifier called Client ID stored in a cookie. Identifiers such as cookies and GA user’s IDs are used to measure and report statistics about your interactions on our Site and/or Web App. They may use a set of cookies to collect information and report Site and/or Web App usage statistics without directly personally identifying you. We use the data collected by GA to help us improve the quality of our Site and Web App and to analyse Site/Web App usage. GA processes the information we share - namely various information on how our users use the Site using their own unique user ID’s. GA stores cookies on users’ device to keep track of how they use our Site/Web App.

We do not allow sharing of your data with Google’s other products and services. Google can share your data only in limited situations where a) it concludes that it is required by law or has a good faith belief that access, preservation or disclosure of customer data is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or b) in certain limited circumstances when third parties carry out tasks on Google's behalf (e.g., data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google.

Data sharing. Google Analytics provides several data sharing settings to us, through which we may customise how data collected using an Analytics data collection method (like the JavaScript code, mobile SDKs, and the Measurement Protocol) may be accessed and used by Google according to our preferences. Regardless of our data sharing settings, Analytics data may also be used only insofar as necessary to maintain and protect the Analytics service. We may control their own access to data in their Analytics accounts or properties by configuring view and edit permissions for employees or other representatives who may login to our Analytics account. Your Google Analytics data is never shared without our authorization (including via settings in the product user interface), or as otherwise expressly permitted under the terms of our Google Analytics agreement, except in limited circumstances when required by law.

Data Retention. With the Data Retention controls, we can limit or expand the duration for which user-level and event-level data is stored in Google Analytics servers.

User Deletion. We are able to request deletion of a single user’s data from Google Analytics by passing a single user identifier to the Google Analytics User Deletion API.

User-level Data Access and Portability. We may pull event information for any given user identifier via our User Explorer report. This feature enables us to analyse and export event level data for a single user. In addition, our 360 customers may integrate with BigQuery to create a full export of all event data associated with their users in a single query able repository.

Data privacy and security. Google has EU Privacy Shield certificate and uses Standard ISO 27001 security measures.

For more information about Information security and Operational security and disaster recovery please visit: How Google analytics secures your web traffic and Safeguarding your data.

Please see these links for general information: How Google uses information from sites or apps that use their services, Safeguarding your data and Google Privacy Policy.

Google Analytics Cookies

Google Analytics mainly uses first party cookies to report on user interactions on websites that use Google Analytics. Google Analytics stores cookies on your computer to keep track of how you use our Services. For more information please read How Google uses cookies. We use Cookies to analyse your activity to improve the Web App. For example, by using Cookies, we can look at aggregate patterns such as the average number of symptom checks that were not finished. We can use such analysis to gain insights about how to improve the functionality and experience of the Web App.

For more information about cookies read our Cookie Policy.

AppsFlyer

AppsFlyer provides a software development kit which allows the tracking of mobile application use, installations and downloads. We use it as a download attribution (basically analytics) that allows us to determine where a user came from (e.g. Facebook, Google Ads, organic user). We use it to track and analyse the characteristics and your activities, and for such purpose upload some of your data to their platform and servers. Such data is provided to AppsFlyer by integration and implementation of AppsFlyer’s SDK and APIs into our App. The data they receive from us refers to downloads, impressions, clicks and installations of our mobile applications, mobile device usage and data regarding in-app events. We may use their services to collect and analyze the data parameters, namely (i) unique identifiers and technical data, such as IP address, User agent, IDFA (Identifier For Advertisers) or Android ID (in Android devices); (ii) technical data regarding your operating system, device attributes and settings, applications, advertising opt-out signals, Google Advertiser ID, in-app events, device motion parameters and carrier. AppsFlyer’s data is stored on EU-based servers as well as on AWS and Google Cloud in the US.

The personal data collected or processed through AppsFlyer Services will be used for: (i) creating aggregate data and anonymous data, (ii) providing the Services, and (iii) improving and maintaining their Services. For example, they use such data to help diagnose problems with their servers, to diagnose and prevent fraudulent activity, to consider and develop new services and features and to improve the services and make them more useful.

For more information how Appsflyer protect, disclose and transfer and other information relating to data processing please read AppsFlyer Privacy Policy.

Fabric

Fabric is a business division of Google Inc. and we use their service “Fabric Crashlytics” for crash reporting and beta testing of our mobile App. It helps us understand what’s happening in our App, by providing us information about the functioning of publicly released and beta versions of our App.

Crashlytics collects information that includes, but is not limited to, device state information, unique device identifiers, device hardware and OS information, information relating to how an application functions, and the physical location of a device at the time of a crash. They also collect personal information, namely Installation UUID and crash traces. They use this data to help us associate crash data with specific instance of our app. Crash traces and their associated identifiers are kept for 90 days.

Crashlitycs transfer, store, and use your information in the United States and any other country where they or any third party service providers acting on their behalf, operate. The privacy and data protection laws in some of these countries may vary from the laws in the country where you live.

The information Crashlytics collects about you and your activities is our property, not of Crashlytics. The information collected by the Services that you use is used to provide us with insight into the functionality of and engagement with our Apps, including any problems that occur. Crashlytics algorithms process and analyse the data separately for each application provider ("Developer"). However, Crashlytics may aggregate information across Developers in a non-personally identifiable way. Such aggregate and anonymous information is used by Crashlytics to (i) improve the Services, (ii) create analysis of trends or behaviors, and (iii) other similar uses, but always in an aggregate and anonymous way.

Crashlytics and Google Inc. comply with the EU-US Privacy Shield principles regarding the collection, use, sharing, and retention of personal information from the European Union.

For more information about Fabric data processing, plase read Crashlytics Privacy Policy, Fabric Privacy and Security and Google Privacy Policy.

Facebook Pixel

The Facebook Pixel is an analytics tool that allows us to measure the effectiveness of our advertising by understanding the actions you take on our Site. We have placed a pixel code on the header of our Site, so that when you visit our Site and take an action (like clicking on our Web App), the Facebook pixel is triggered and reports this action. This way we know when you take an action and we will be able to reach you again through future Facebook ads. With Facebook Pixel we relay conversions back to Facebook which enables retargeting. For more information, please read Facebook Data Policy and visit Facebook Pixel Website.

OUR ITERNAL ANALYTICS

Our internal analytics is based on using Chat History and an IP address/Your.MD identifier/Consultation ID, but the data is stored in a separate database. This means we can review Chat History without seeing any of Your Profile data, so your data is kept confidential with pseudonymisation. We analyse Chat History to constantly improve our Services and make them better for you.

ONLINE SURVEY PROVIDER


Typeform

Is an online software service company that specializes in online form building and online surveys that we use for our online surveys. For more info about Typeform, please see https://www.typeform.com/. When you decide to participate in one of our Surveys, Typeform will collect this information: your responses (that are managed by us and we take the responsibility for such data which may include personal data), usage data (data about interaction with Typeform services), device and application data (IP address, browser type, operating system, geolocation), referral data (the source that referred you to us – link on Site, email etc.), email address (to send you Typeform notifications email). All data is hosted on Amazon’s AWS service. Their main servers are located in Virginia, USA and backup servers are located in Frankfurt, Germany. They use TLS to secure all data in transit. More information on What happens to my data. Please see the Opt Out section for more rights on Typeform data processing.

SUPPORT REQUEST PROVIDER


WHEN REQUESTING SUPPORT BY SENDING US AN EMAIL TO CARE@YOUR.MD OR/AND PRIVACY@YOUR.MD DO NOT SEND ANY OF YOUR HEALTH DATA AS OUR SUPPORT SYSTEM AND AGENTS ARE NOT DOCTORS AND CANNOT HELP YOU WITH YOUR MEDICAL QUIARIES.

Zendesk

We use Zendesk® (Zendesk, Inc.) as a support ticket system that allows our support agents to streamline our communications in a single ticket, all within an organized workflow. This leads to quicker resolution of individual support requests. If you will reache out us again, our support agent will automatically have access to important information about you, including when you last requested support, what the issue was, how it was resolved, and even how long you had to wait for a resolution.

Data collection/processing. When you send a support request to care@your.md or privacy@your.md, Zendesk collects your electronic data, text or. message included in the support request, communications or other materials submitted to and stored in or transmitted via the Zendesk in connection with our use of their Service, which may include, without limitation, Personal Data, namely IP address, email address, “cookie” information and the type of browser and/or device being used to access the Services. They use the collected data to help us access and use the services, to respond to your inquiries, send communication related to the services, and to operate and improve their services. When they collect this information, they only use this data in aggregate form, and not in a manner that would identify you personally. For example, this aggregate data can tell them how often you use a particular feature of the services, and they can use that knowledge to improve their services. Throughout the time that we subscribe to services with Zendesk, we retain ownership of and control over all the data (your/our) in our account.

Disclosure of Data. Zendesk only discloses the data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities. They never sell, rent, or lease our/your data to any third party.

Data Security. They provide us compliance with high security standards, such as encryption of data in motion over public networks, auditing standards (SOC 2, ISO 27001, ISO 27018), Distributed Denial of Service (“DDoS”) mitigations, and a Support team that is on-call 24/7.

Access Management. Zendesk provides an advanced set of access and encryption features to help us effectively protect our/your information. They do not access or use our content for any purpose other than providing, maintaining and improving the Zendesk services and as otherwise required by law.

Zendesk has data centers in three main regions — United States, Asia Pacific, and the European Union. Service Data may be stored in any region, that means that your Personal data may be processed outside the European Economic Area.

Zendesk recognizes that privacy and data security issues are top priorities for us and has achieved a number of internationally-recognized certifications and accreditations (The EU-U.S. and Swiss-U.S. Privacy Shield, Binding Corporate Rules and others) demonstrating compliance with third-party assurance frameworks.

Zendesk. Correcting, updating and removing your information. If you seek to exercise your data protection rights in respect of personal information stored or processed by Zendesk on our behalf (including to seek access to, or to correct, amend, delete, port or restrict processing of such personal information) you should direct your query to us. We will request then Zendesk to remove the personal information and they will respond to our request within thirty (30) days. They will retain personal information that they process and store on our behalf for as long as needed to provide the Services to us. For more information, please read: Zendesk Privacy Policy, Zendesk The Ticketing System, Zendesk EU Data protection and How Zendesk Protects Personal Data.

ADVERTISING PROVIDERS


We use third party providers to advertise our Services and acquire new users.

Google AdWords

We use AdWords, Google’s online advertising program to reach new customers and grow our business. We use features as Search Ads, Display Ads and App Ads. More information about these features on https://adwords.google.com/intl/en/home/how-it-works/.

Advertising cookies

Cookies help to make advertising more effective. Without cookies, it’s harder for us to reach our audience, or to know how many ads were shown and how many clicks they received. When you visit our Site or see an ad that uses AdWords, either on Google services or on other sites and apps, various cookies may be sent to your browser. These may be set from a few different domains, including google.com, doubleclick.net, googlesyndication.com, or googleadservices.com, or the domain of Google’s partners’ sites.

Facebook Ads

With the use of Facebook Ads we can redirect you from our Your.MD Facebook profile to download the Apps from App Store or Google play or directly to our Web App to enable you to use our Services. For more information on Facebook Ads, please visit Facebook ads basic and Facebook Data Policy.

ONESTOP HEALTH™ PLATFORM PROVIDERS


We will not provide any of Your Profile or Chat History information to our Providers. We choose our Providers carefully and we request that they use your data solely for the purposes of providing their services to you. If you click on the link provided within the chat or click on one of the Providers within the OneStop Health™ section of our Services, you will leave our Services and be redirected to our Providers’ service. Please be aware that by doing so, your data processing will be governed by our Provider’s Privacy Policies. Please see the links below.

Our OneStop Health™ Platform consists of vetted providers who supply specific services, treatments and products to help with medical or health related problems. We use the information calculated by our Symptom Checker data to present you the services in your local area that might be useful. We do not share Your Profile data or Chat History with our OneStop Health™ Providers. Any information you disclose while using the services offered by the Providers you find on the OneStop Health™ Platform is disclosed only to the Provider and is governed by its Privacy Policy. For our service to be free, we need to track which of our Providers’ customers come from our Services. This means that your IP address will be disclosed to the OneStop Health™ Providers should you choose to visit their service. We require our Providers to adhere to our Best Practice Guidelines. Your opinion counts and you are very welcome to share any positive or negative experiences you might have with our Providers via care@your.md.

Although we choose our Providers carefully, we are not responsible for the actions of these companies, the content of their sites, products or services, the use of information you provide to them, or any products or services they may offer. Our links to the OneStop Health™ Platform Providers and any other third parties’ services does not constitute our sponsorship of, or affiliation with, these companies. Nor is such linking an endorsement of such third party’s privacy or information security policies or practices, or their compliance with laws. Information collected by third parties, which may include personal information is governed by their privacy practices. The Providers and other third parties websites or services may place their own cookies or other files on your computing or smart device, collect information or solicit personal information from you. We encourage you to learn about the privacy practices of Providers and third parties with which you interact. We are not responsible or liable for your interaction with Providers and third parties, the information requests initiated by them, or the subsequent use, treatment or dissemination of information you voluntarily choose to provide to them.

Addicaid, AIDE, Akira, Altbibbi, Ask The Midwife, AugmentCare, Antidote, BetterPT, BigWhiteWall, Bisa, Braive, Brook, CCBT, Cera, ConnectMed, Daily Yoga, Doctor Care Anywhere, Doctify, Doctor Insta, Doctor On Call, Doc2Us, Dr. Morton’s, Echo, Eyr Medical, First Derm, Firstcheck, GetDoc, GPDQ, Hay Fever Relief, HelloDoctor, HelloDoctor Ethiopia, healthexpress, InnerHour, KRY, KingFit, Knok, Lark, Life Circle, London Osteoporosis Clinic, Marie Stopes International, MDalgorithms – MDAcne, MedicSpot, MedGrocer, Mimi, Minds for life,MyHouseCall, MyMeds, My Pocket Doctor, mySugr, Murgency, National Migraine Centre, NHS Choices, Obino, PAPYRUS, PayAsUGym, Pacify,Pliro, Portea, Project Red Ribbon, Samsung Health, Sehat, Sexwise, Siha Health, SH:24, Slide safe, Smoke Free App, Supercarers, TB Alert, The Pip, Thriva, Urban Massage, VIDA, WellaHealth, West Africa Aids Foundation, Zennya, ZoomDoc, 1mg.

THIRD PARTY TECHNOLOGY


To make our Services simple to use, you can use it with these messengers: Telegram, Kik and Skype (“Messengers"). To make our Health Tracker more efficient, you can also sync your data from other service providers with our Health Tracker. When you use our Services via Messengers or in combination with other services, your data processing is governed by their individual privacy policies you accepted when registering for their service, so please read their respective privacy policies carefully before you start using their services.

MESSENGERS

When using Messengers you are able to chat with our chatbot available on the selected messenger. Features like the Health A-Z, OneStop Health™ platform, Health Tracker, Consultation history or your in-App Profile are not included in these messenger services. However you are able to Check Symptoms, Ask questions, and Find health info (Quizzes, Self-Assessments, Top Tips, BMI Calculator). You are also able to access articles on Health A-Z and OneStop Health™ Providers via Chat (e.g. if you search for “migraine” we will show you the Migraine article, which you will be able to view on our website. You can also search for a OneStop Health™ Provider by entering its name and you will be given information about their services and how to access them). All messenger sessions use an operational system called Morse that integrates the individual messenger platform into our system. Via Morse, the Messengers are able to use the same internal systems as our App uses, including User Database and Health Database.

Messengers data Processing

We collect Health Data that you enter during the consultation as well as more general personal information about you, namely your birth year, your gender and an IP geolocation (if the messenger in question provides us with this data). By entering this data our chatbot is able to calculate the most likely conditions that could be affecting you, based on your reported information and symptoms. Some of the messengers allow us to capture your IP address in our technical logs (which is logged in a hashed form wherever feasible). The technical (but not analytical) logs are deleted after six months. We will not retrieve the IP address except for security reasons, such as a root cause analysis of bugs and outages, and for safety validation. We process Messenger assigned ID’s.

We process analytical data in the same manner and to the same extent as determined in GDPR statement for Authenticated User. We use Google Analytics in the same way as for Web App. We store conversation data in an analytics database but this does not include messenger ID, so users can not be indirectly, personally identified. We use hashed Profile ID and Consultation ID for BigQuery analytics.

Messengers might send us personal information you have authorised them to share with us if you have given them your consent. This includes an identifier they use for your account and account data. The unique ID that is given to you, and comes from the messenger platform to us, is not a personally identifiable identifier (we cannot see who you are) and it is always the same. It enables us to see when “you” return to use our service.

Skype

Our Your.MD bot on Skype is enabled by Microsoft Bot Framework. The Microsoft Bot Framework is a set of web-services that enable intelligent services and connections using conversation channels you authorise. As a service provider, Microsoft will transmit content you provide to our bot/service in order to enable the service. Our bot will have access to your Skype Name (the username you created when you first joined Skype, other than your email address or phone number), your profile picture, and any chat messages or content that you share with it. For more information about Microsoft’s privacy policies, please see their privacy statement.

In addition, your interactions with this bot/service are also subject to the conversational channel's applicable terms of use, privacy and data collection policies. To report abuse when using a bot that uses the Microsoft Bot Framework to Microsoft, please visit the Microsoft Bot Framework website and use the “Report Abuse” link in the menu to contact Microsoft. More information on Skype IP, Data Protection & Privacy and Skype Connect Terms.

To protect user’s privacy rights and to control the data processing, we have click wrapped Microsoft Online Services Terms that include Microsoft’s core privacy and security commitments, as well as data processing terms, Model Clauses, and their GDPR Terms. The GDPR Terms closely follow the requirements of GDPR Article 28 (and 30, 32-36, 44, etc). The GDPR Terms are considered to be compliant with the requirements of the processors making binding commitments to the controller. The GDPR Terms state GDPR compliance with Attachment 4.

Kik

When you send a message to our chatbot available on KIK, your messages go from your device – the phone or tablet running the Kik app – to Kik’s servers. Kik then sends the message via REST to our bot via bot’s webhook (our bot’s address on the internet). It’s the bot’s “point of entry” for messages. The bot can process the message, formulate a reply and then send it back to KIK. For more information about how our bot works on KIK visit https://www.kik.com/blog/how-to-get-started-with-chatbots-on-kik/. To learn what happens with your data read Kik Privacy Policy and Kik Terms of service. When you chat with our bot on KIK our Terms govern the relationship between us as determined in Kik Terms of service. KIK automatically collects and store your log information in their server logs including details of how you used their Services, such as the date and time a message was sent, the account you were messaging with, and your IP address, as well as third party websites or services you used (your chats with bots). They only collect the content of your chats with bots for the limited purposes of debugging and improving the functionality of the Kik bot platform). You can read more information about your privacy on KIK here.

Telegram

Our Your.MD bot on Telegram is connected to our system via Bot API. Messages, commands and requests sent by you are passed to the software running on our server. Telegram intermediary server handles all encryption and communication with the Telegram API for us. We communicate with this server via a simple HTTPS – interface that offers a simplified version of the Telegram API, the Bot API. For more information about how our bot works on Telegram visit https://telegram.org/faq. To learn what happens with your data read Telegram Privacy Policy.

Our Your.MD bot can see your public name and profile pictures, and it can see messages you send to it. It doesn’t see your phone number (unless you decide to give it to it yourself). All Telegram messages are always securely encrypted. All data (including media and files) that you send and receive via Telegram cannot be deciphered when intercepted by your ISP, network administrator or other third parties (see https://telegram.org/faq#q-are-bots-safe). All data are stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. This way local engineers or physical intruders cannot get access to user data. They never share your data with anyone. To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force them to give up any data. Telegram only keeps the information it needs to function as a feature-rich cloud service — for example, your cloud chats so that you can access them from any devices without using third-party backups, or your contacts so that you can rely on your existing social graph when messaging people on Telegram. Please read Telegam's Privacy Policy for more information.

Free Basics Platform

We have integrated our Services with Free Basics to enable you to access our Services where internet access may be less affordable. You will be able to chat with our bot and find health information by reading articles. Free Basics by Facebook offers access to basic websites and third party services free of charge. You can find our Services here https://freebasics.your.md/. To learn more information about Free Basics and how it works please visit their official website Free Basics. For more information about Privacy on Free Basics, please read Privacy on Free Basics.

VHI HEALTH ASSISTANT APP

Our chatbot is connected to the VHI Health Assistant App via Your.MD API. We will capture your IP address in our technical logs and fully encrypt it. The technical logs expire (are deleted) after six months. We will not be able to reveal the IP address, but shall use the logged data that includes the encrypted IP address for security, to ensure root cause analysis of bugs and outages, and for safety validation. We anonymise chat (your responses) and profile data (age, gender) by storing it in a separate database which contains no personally identifiable information, and hence this data cannot be tied back to any personally identifiable information such as the IP address.

VHI (the Partner offering our API through its health assistant app) will not include any information that could directly or indirectly identify you in the requests that it will make of the Your.MD API. VHI will include a randomly generated alphanumeric identifier code and a generic name for you (‘’user’’ or ‘’guest’’) in the requests which will allow us to treat the requests within a single chat stream without directly or indirectly identifying you. VHI is obligated to generate a new identifier code for each session which will mean that each session is treated as a new user with no link between the previous sessions. We do not have access to VHI data.

THIRD PARTY HEALTH-TRACKING PROVIDERS

HealthKit (only iOS v.2. version)

Samsung Health

Google Fit

FACEBOOK AND GOOGLE AUTHENTICATION

FB and Google Accounts

You can set up an account by signing in with your Google or Facebook account. By doing so you give us permission to access and use your information from that service as permitted by that service. We use your email to identify your identity in the Profile tables. We enable Google or Facebook authentication when you use Apps. Some services enable you to use them as a Guest, so without Google/FB/ authentication, but this means that you will not be able to retrieve your information later. More information on Google Privacy policy and Facebook Privacy policy.

YOUR.MD’S INTERNAL AND EXTERNAL COMMUNICATION PROVIDERS

We use various third-party services for our internal communications and communication with external partners, namely

Skype https://www.skype.com/en/, https://www.skype.com/en/legal/,

Slack https://slack.com/, https://slack.com/privacy-policy,

Google Hangouts https://hangouts.google.com/, https://policies.google.com/privacy?gl=SI&hl=en-GB,

Gmail https://www.google.com/gmail, https://policies.google.com/privacy?gl=SI&hl=en-GB.

We do not use these services to share directly identifiable personal data.

YOUR.MD’S MANAGING PROJECTS, HOSTING AND BUILDING SOFTWARES, CLOUD STORAGE

Github https://github.com/, https://help.github.com/articles/github-privacy-statement/,

Trello https://trello.com/en, https://trello.com/privacy?truid=trd2c0ae-6aa2-0b90-4a85-b5288442e268,

Zeplin https://zeplin.io/, https://zeplin.io/privacy,

Jira https://www.atlassian.com/, https://www.atlassian.com/legal/privacy-policy,

Google drive https://www.google.com/drive/, https://policies.google.com/privacy?hl=en&gl=US

Dropbox https://www.dropbox.com/privacy2016,

Tableau https://www.tableau.com/tos, https://www.tableau.com/privacy.

YOUR.MD’S PRESS RELEASE AND TOP TIPS

We use a third party provider called Medium to post our articles for Top Tips. When you click on the link you send your IP address to Medium and you are then subjected to Medium’s terms and privacy conditions.

We use third party provider called Totem for Your.MD press page. When you click on Press link you will be able to choose between different articles. By clicking on the link you will be directed to a Third Party. Please be aware that by doing so, your data processing will be governed by their Privacy Policies.

SHARING OF INFORMATION


Sometimes we need to disclose the Information for other lawful purposes, as customary for all developers.

Apart from sharing the information with our Analytics and OneStop Health™ Providers, as stated in Section “Our Providers" and “Usage of Information", we may also disclose information in the following cases:

  • if required by law, for example to comply with a court order, subpoena, regulation, legal process or other governmental request;
  • to exercise or protect the rights, property or personal safety of the Company, our users or others;
  • to enforce this privacy statement, including investigation of potential violations thereof;
  • upon fulfilling legal requirements of local legislation to supply certain services/information a third party might legally request from us
  • to detect, prevent, or otherwise address fraud, security or technical issues;
  • if Your.MD is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified of any change in ownership or uses of your information via our website;
  • to respond to claims that any content published within our Services violates any right of a third party.

STORING OF INFORMATION AND SECURITY


We follow generally accepted industry standards and internal procedures to protect information submitted to us, during transmission, storing and processing. We are encrypting all user and profile data at rest and all personal information is double encrypted with two keys at both the infrastructure and application level. We store your information for as long as needed to provide our Service. We may store the information longer, but only in a way that it cannot be tracked or associated back to you. We delete the logs that we keep of the IP addresses you have used after approximately 6 months. If you have any concerns about the security of our Services, please contact us at privacy@your.md.

We have restricted access to production environments and monitoring of user activities. The information is encrypted and key protected, and we have integrated commercially reasonable efforts to assure that your information remains secure when maintained by us. However, please be aware that no security measures are perfect or impenetrable.

To ensure security of processing we engage third party providers for penetration testing (“Security Testing”) - a controlled form of hacking in which a professional tester, working on behalf of an organization, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications. Please be aware that during Security Testing, the third-party provider may have access to Your Profile and/or Health Profile data (“Your Data“). We contractually bind providers of Security Testing to take all necessary technical and organizational measures to protect Your Data and they are not allowed to transfer Your Data to third parties or to use it for any other purposes than to perform the Security Testing for us.

We use AWS and Google Cloud Platform for storing of information.

AWS. AWS has multiple security certificates https://aws.amazon.com/security/. The data we collect from you may be transferred to, and stored at, a destination outside and inside of the European Economic Area ("EEA"), namely AWS's regions in the US and EU. It may also be processed by staff operating outside the EEA who work for us, or for one of our Providers. Don’t worry, your data will still be safe - we have entered into the AWS data processing addendum to make sure your personal information (IP address) is safe, namely a) that the AWS will use the data only to provide its storing services; b) that it will not disclose data to any third party; c) that the AWS restricts its personnel to process your data without their authorisation; d) that we stay in control of correcting, blocking, deleting, retrieving your data; e) that AWS is responsible for implementing and maintaining the technical and organisational measures; f) that AWS is certified under ISO 27001 and agrees to maintain an information security program for the Service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the AWS Security Standards; and g) that AWS may use subcontractors, but will restrict their access only for the purposes of offering AWS services. By using and downloading our Services, you agree to the transfer, storing and processing, as stated herein. We will take all the reasonably necessary steps to ensure that your data is treated securely and in accordance with this privacy policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

Google Cloud Platform. We store all analytical data on Google Cloud Platform (“GCP”). We are the controller of the stored data and Google is the processor. This means that Google processess the data only for the purposes of providing GCP services and technical support to us, in accordance with Data Processing and Security Terms https://cloud.google.com/terms/data-processing-terms. We control what happens to our data and we can access the data whenever we want. We have chosen to store the data in the US. Google stores data in a multi-tenant environment on Google-owned servers. The data and file system architecture are replicated in multiple geographically dispersed data centers. Google also logically isolates our data. We have control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, enable us to determine the product sharing settings applicable to our End Users for specific purposes. We may choose to make use of certain logging capability that Google may make available via the Services. Google complies with legal frameworks relating to the transfer of data such as EU-US and Swiss-US Privacy Shield. More information on Google Cloud Platform and its terms https://cloud.google.com/product-terms.

Firebase Hosting. We use Firebase Hosting for our Site. Firebase Hosting is a production-grade web content hosting for developers. Zero-configuration SSL is built into Firebase Hosting, so content is always delivered securely. For more information about the data processing and security of Firebase Hosting, please see https://firebase.google.com/terms/data-processing-terms/.

DELETION OF INFORMATION


We store your information for as long as needed to provide our Service. We may store the information longer, but only in a way that it cannot be tracked back to you. When the information is no longer needed, we shall delete it using reasonable measures to protect the information from unauthorized access or use. We will delete the personally identifiable data within 30 days of the receipt of your request.

EU Territory We store Personal Information, namely IP Address, email and Your.MD identifier for the duration of the provision of our Services or period of inactivity, after which we will delete your account. Traffic information is erased or made anonymous when it is no longer needed for the transmission or, in the case of payable services, up to the end of the period during which the bill may lawfully be challenged or payment pursued. Location information is stored to the extent and for the duration necessary for the provision of a value-added service. Cookies, direct marketing and provision of value-added services information (including traffic information used for these purposes) is stored so long as the same is necessary for the provision of these activities, or up to the time when a user opts out from such use in accordance with this Privacy Policy. Other information is stored for as long as we consider it to be necessary for the provision of our Service. This Section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication or as strictly necessary in order for us to provide the service you requested.

US Territory We will retain collected information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by applicable legislation. We will delete your account after a long term of inactivity.

Storing might be different depending on the territory of collecting the information and the applicable legislation, but we always strive to store the information only as long as it is needed for the purposes of providing, improving or personalizing our Services.

OPT-OUT


We make sure we do not collect more information than is needed to provide our Services and we strive to limit our Providers to do so as well. We have integrated protocols to allow us to process Chat History in a pseudonymised way, but you are always free to opt out of the information collection by not using our Services or uninstalling the App.

Notifications

You can deactivate notifications by changing the notification settings in accordance with the instructions of the operating system running on your device.

E-mail: You can opt out from e-mail notifications by unsubscribing or sending us a request to care@your.md or privacy@your.md.

If you seek access, or to correct, amend, or delete inaccurate data held by Kickbox, you should direct your query to privacy@your.md. If requested to remove the data Kickbox will respond within 30 business days.

iOS: You will be asked to accept or refuse push notifications after the App is downloaded. If you do not accept, you will not receive push notifications. Please note that if you accept, mobile phones will allow you to disable push notifications later on by using the settings on your mobile phone.

Website: You can turn off the use of cookies at any time by changing your specific browser settings.

Android: After an App is downloaded, you will automatically receive push notifications. You can always disable those within the mobile phone settings.

Health Goals: You can turn on/off the Health Goals notifications in the Profile Section of our Services.

Personalised Health Plans: In future we plan to enable the option to stop your personalised health plans at any time within the feature. Until this feature is available you can opt out by not using the service.

Find Services Near You: You can withdraw your consent at any time by disabling your location permission for our App within the settings of your mobile phone. You can exercise your right to access, rectify and delete your data with Google by accessing your account: https://myaccount.google.com/security#signin.

Analytics: You can opt out of our information processing and Google Analytics for Firebase by sending an email to care@your.md and/or opt out of Google Analytics by installing this browser add-on https://tools.google.com/dlpage/gaoptout. You may disable cookies or delete any individual cookie set by Google Analytics. Google Analytics supports an optional browser add-on that - once installed and enabled - disables measurement by Google Analytics for any site you visit. Note that this add-on only disables Google Analytics measurement.

You can opt-out of AppsFlyer Analytics tracking by yourself by sending an email to privacy@appsflyer.com or by completing the form on their website https://www.appsflyer.com/optout. The opt-out is specific to AppsFlyer activities and does not affect other tools that we may use. If you choose to opt-out, AppsFlyer will stop tracking data for that device going forward. The services will stop across all applications on not only ours.

Deleting Your Account: If you do not want to use our Services anymore, you can always delete the Mobile App and/or stop using the Web App and/or Messengers. We will delete your account on receipt of the request sent to privacy@your.md. The same will be done if you withdraw your consent for data processing needed to provide Your profile and the Services. We reserve the right to delete your account after a long period of inactivity. We will delete the personally indetifiable data within 30 days of the receipt of your request.

How to control advertising cookies: You can use Ads Settings to manage the Google ads you see and opt out of Ads Personalisation. Even if you opt out of Ads Personalisation, you may still see ads based on factors such as your general location derived from your IP address, your browser type, and your search terms. You can also manage many companies’ cookies used for online advertising via the consumer choice tools created under self-regulation programs in many countries, such as the US-based aboutads.info choices page or the EU-based Your Online Choices. Finally, you can manage cookies in your web browser. For more information visit https://policies.google.com/technologies/ads?hl=en and read our Cookie Policy.

Telegram: Telegram has developed a new @GDPRbot to enable you to: Request a copy of all your data that Telegram stores and to Contact Telegram's Data Protection Officer. For more information visit https://telegram.org/faq#q-what-about-gdpr.

Typeform: Enables you to exercise your right to access, rectification, erasure, restriction and objection by opening a support ticker via the Help Centre. You can send a request via https://typeform.com/help.

Kik: You can request deletion, correction or updating of your personal information by following the instructions EUROPEAN USERS available here https://www.kik.com/privacy-policy/.

Zendesk: Correcting, updating and removing your information. If you seek to exercise your data protection rights in respect of personal information stored or processed by Zendesk on our behalf (including to seek access to, or to correct, amend, delete, port or restrict processing of such personal information) you should direct your query to us. We will request then Zendesk to remove the personal information and they will respond to our request within thirty (30) days. They will retain personal information that they process and store on our behalf for as long as needed to provide the Services to us.

Our Providers

As you can see we use our Providers for limited purposes only and we strive to limit their usage of the information. For this reason we do not offer Provider specific opt-out service, but you can always opt out from analytics and tracking we use by uninstalling our App or stop using our Services. You can opt out from Third Party Technology (messengers we use) and OneStop Health™ Platform data collection by not using these specific services. You can use some of our Services as a Guest, meaning that minimal amount of data to offer the Services and no personal information that could directly identify you will be collected.

YOUR.MD WEBSITE


Your.MD's website ("Site" or "Website") does not collect any personal information that could directly identify you. We process the information stated below for analytics to improve our Services, for security purposes (so that we can intervene in case of security breaches, check bugs and crashes etc.), to analyse and optimise the content and reading experience through the use of cookies. Some of the Health A-Z Articles include a "When To Worry" feature, which helps you assess the need to visit a health professional or not. No data is being collected when you use this feature.

When you visit our Site for the first time, you are asked to consent to the cookie usage and are informed about what data is being processed based on legitimate interest. We use third-party cookies and analytics to secure and improve our services and the users’ experience. This helps us to provide you with a good experience and also allows us to improve our Site. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy. You can turn off the use of cookies at anytime by changing your specific browser settings by following instructions available within our Cookie Policy and on third parties’ webpages. We also allow Facebook and DoubleClick to use their cookies for tracking and advertising purposes.

Limited information we collect via our Site: User agent (web browser type and version), screen information, geolocated country and region, time zone, IP address at the time of usage, Acquisition channel (on which ad from Google/Facebook you clicked to get to our Website, which channel was used to get our Website), Logs with technical information, Logs on users’ usage of the Website (articles you view in the Health A-Z, partners you view on OneStop Health™ Platform, clicks on OneStop Health™ Providers), General Analytics (general activity within the Website such as whether they view the About Us section etc.), Screen Activity (every screen they view, time spent on a specific screen).

When you visit our Site, your web browser automatically sends the IP address and information on how you use the Service to us. We use this data only for the purposes of providing the services, and our internal analytics to improve our Services. We do not use any other features apart from Google Analytics (“GA”) for analytics purposes and we do not allow sharing of your data with Google’s other products and services. GA process the data based on a GA user identifier called Client ID, stored in a cookie. We collect traffic data on country level.

We have enabled IP address anonymisation in GA which means that GA anonymises IP address as soon as technically feasible, namely at the earliest possible stage of the collection network, before any storage or processing takes place. The full IP address is therefore never written to the disk in GA’s platform. That means that we are not able to see your whole IP address to personally identify you. We only use the masked IP address to view the traffic of our Services by country.

GA help us understand how our visitors engage with our Site. They may use a set of cookies to collect information and report Site usage statistics without directly personally identifying you. We use the data collected by GA to help us improve the quality of our Site and to analyse Site usage. GA processes the information we share - namely information on how you use the Site - using their own unique user ID’s. GA stores cookies on your device to keep track of how you use our Site. We can use such analysis to gain insights about how to improve the functionality and experience of the Site. All analytical data is stored on Google Cloud Platform in the US.

All the data that we store in our technical logs are stored in a way that we cannot personally identify you. All the analytics data is stored using an analytics identifier which cannot personally identify you and cannot be tied to the directly identifiable personal data as we do not enable the access to such data of analytics providers or internal personnel conducting analytics.

The data collected from you will be used solely: to provide our Service (so you can surf the Site, read articles, blog, Health A-Z and access OneStop Health™ Platform), for technical support purposes (check bugs and crashes etc.), for security purposes (so that we can intervene in case of security breaches), for internal analytics to improve our services (we need to collect limited data to improve our services and users’ experience with conducting internal analytics and research), for advertising (so that we can display ads).

We use Facebook Pixel, an analytics tool that helps us measure the effectiveness of our advertising to understand the actions you take on our Site and reach audiences of our preference. With FB Pixel we relay conversions back to Facebook which enables retargeting.

We use Google Optimize with Google Analytics data to quickly and easily identify areas of our Site that can be improved upon. We use this service to provide you with A/B tests, track whether you were involved in an AB test, and whether you were part of test or control group. For more information on Goggle Optimize, please see https://marketingplatform.google.com/about/optimize/.

WEB APP


The limited Services are also offered via our Web App available within our Site and Blog or any web browser you can access our Web App. The Web App offers limited functionality as explained in our Terms of Service and you can use it only as a Guest User. For more information on Guest User data processing, please see the GDPR statement. We process your personal information, namely your IP address, analytics Client ID, technical information (e.g. users’ location) on legitimate interests basis.

While you explore our Web App we process your data to help us understand how you engage with our Services and improve them as well as your experience. We collect your data using the Google Analytics third party provider. They may use a set of cookies to collect information and report Web App usage statistics without directly personally identifying you. GA collects first-party cookies, data related to the device/browser, IP address and activities on Web App to measure and report statistics about your interactions on our Web App. We do store masked IP address in our technical logs and use it only for providing the safety and security of our Services. We use technical and health data for internal statistics on an aggregated level. We use the data collected by GA to help us improve the quality of our Web App and to analyse Web App usage. GA processes the information we share - namely information on how you use the Web App - using their own unique user ID’s (Client ID). The analytical database does not include Conversation ID or Profile ID and Client ID is never tied to these two identifiers. We conduct analytics based on our conversations and analytical logs. We store conversations in GA but we are not able to tie them with Guest User Profile IDs. We are able to see which article in Health A-Z you have viewed and what OneStop Health™ Service you have clicked on.

The data collected form you will be used solely: to provide our Services to you, for security purposes, for internal analytics and for clinical safety reasons.

YOUR.MD TESTING


TESTER PROGRAM

If you decide to participate in our Tester Program we will collect your personal data: IP address which will be stored in our technical logs and used for security purposes, your email address, name (not full name), year of birth, gender and location (country level) which will be stored on Mailchimp. Please read the Email section to learn how Mailchimp processes your data. Your email will be used to contact you when we have a beta test, survey or another testing and research opportunity available for you based on your demographic information and on which phone you use.

When answering questions during the survey completion you might enter information about your health. In that event you will be asked to consent to health data processing. By answering the questions about your health during the survey completion we will be able to analyse the results for the purpose of improving our services and products. All data that your provide during the survey will be collected and stored by Typeform for us. Please read the section Online Survey Provider of this Privacy Policy to learn how they process your data.

We also collect technical data to be able to carry out the tester program and analytical data on how you use our Services.

We follow generally accepted industry standards and internal procedures to protect information submitted to us, during transmission, storing and processing. We store your information for as long as needed to provide our Service. We delete the logs we keep of the IP addresses you have used after approximately 6 months.

You can request correction/access and erasure of your data at any time by sending an email to tester@your.md. You can request that we delete your email by clicking on the unsubscribe link available at the end of each email you receive from us.

This Privacy Policy and Your.MD Terms of Service are hereby part of the Tester Program Policies where applicable. In the case that a specific Tester Program Policy is available, and there are discrepancies between the Tester Policy and this Privacy Policy and/or Your.MD Terms of Service, the Tester Policy prevails.

MVP’s

We strive to provide the service that would be of best interest and use to you therefore we are constantly testing new products and services ("Minimum Viable Products" or MVP’s). Should you wish to use the MVP’s, you will need to accept the MVP specific Privacy Policy and Terms of Service ("MVP Policies"). This Privacy Policy and Your.MD Terms of Service are hereby consisting part of the MVP Policies where applicable. The MVP Policies are available on our Site and before you decide to use the MVP. In case a specific MVP Policy is not available, the terms of this Privacy Policy and Your.MD Terms of Service apply. In case of discrepancies between the MVP Policy and this Privacy Policy and/or Your.MD Terms of Service, the MVP Policy prevails.

CHANGES TO THE PRIVACY POLICY


We may update this Privacy Policy to reflect the changes in our information processing practices. Because we are constantly adding new services and features, we might not make an immediate upgrade of the Privacy Policy, unless in case of material changes to our data processing practices. We encourage you to periodically review http://www.your.md/privacy or "About Your.MD" section of our Services for the latest information on our privacy practices. You will be informed about changes to our data processing practices within the "What’s New" section of our Services and/or with a push notification. You understand that we integrate new Providers on OneStop Health™ weekly, so if you do not see the Provider's Privacy Policy stated herein, please contact us for the latest information.

CONTACT AND ACCESS TO PERSONAL INFORMATION


If you have any questions, please contact us at: privacy@your.md

Your.MD is a trademark of YOUR.MD AS, incorporated and registered in Norway with company number 999260993 whose registered office is at c/o Advokatfirmaet Simonsen Vogt Wiig AS, Filipstad Brygge 1 , 0252 Oslo, Norway and is offering the Your.MD Services (hereinafter referred to as: “Services" or “App") via its subsidiary Your.MD Limited, incorporated and registered in the UK with company number 08727263 whose registered office is at this date at Your.MD Ltd, 5th Floor, 43 Whitfield Street, London, W1T 4HD, UK (hereinafter collectively referred to as: "Your.MD").

We are committed to keep your information accurate, complete and up-to-date. You can request that we correct or delete the information, provided that we are not required to retain such information by law or for legitimate business purposes. To make such request or ask us about this privacy statement please send us an email to privacy@your.md. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law. We will not respond to any inquiry emails which we are not able to understand, the request is not clearly specified or to health questions.

Data Protection Officer. Should you have any data processing or privacy related questions, please contact us at: privacy@your.md. In case we are not able to help or upon your appeal, we will forward your inquiry to our External Data Protection Officer, ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints we or our DPO is not able to solve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Prof. Dr. Johannes Caspar, Kurt-Schumacher-Allee 4, 20097 Hamburg, https://datenschutz-hamburg.de/pages/kontakt/ or if you are a UK customer, with Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, https://ico.org.uk/make-a-complaint/.

Your.MD,

Matteo Berlucchi, CEO