1st September 2023
We are committed to protecting and respecting your privacy and this policy (together with the terms of service) sets out:
2) Applicable law
3) Information we collect about you
4) How we use your information
5) Where we store your information
6) How we protect your information
7) Legal bases for processing your data
8) How long we keep your information
9) Subject access requests, changing and deleting your personal data
10) Your rights
11) Child safety
Our data protection officer (DPO) is Martyn Rankin and can be contacted at firstname.lastname@example.org
2.0 APPLICABLE LAW
Data processing by Alvie Limited is subject to English law. Pursuant to UK GDPR, UK DPA 2018, and any other applicable data protection regulations, we work to ensure our users have appropriate protection of their privacy and personal data.
For the purposes of European Economic Area data protection law, (the “Data Protection Law”), the data controller is Alvie Limited. This means we are responsible for deciding how we hold and use personal information about you.
3.0 INFORMATION WE COLLECT ABOUT YOU
We are committed to the GDPR principle of data minimisation, and only collect the personal data we require to be able to provide our Services to you. We will collect and process the following personal data from you:
Information you give us
Register on our programme and create an account
Build a baseline and ongoing health profile to enable us to deliver a safe, personalised health coaching service
If you are a healthcare provider or carer, to enable us to contact you
How we obtain your information
This will be collected in a number of ways including:
In an initial telephone call with you following your referral
Via SMS when replying to appointment messages
In any video, telephone or chat appointments with our customer service teams, coaches or healthcare professionals
When you input information into the App or website (including responses to questionnaires)
When you report a problem with the App or website
Information provided by your referring healthcare professional (e.g. your clinical team) on referral and throughout your use of our Services.
The information you provide may include your name, address, email address, telephone number, date of birth, gender, login and password details.
To interact fully with the Service you will need to provide additional information including information about your existing health conditions, treatment and/or medication, symptoms and referring hospital, and use our chat functionality to let us know how you are progressing with your coaching programme on a regular basis.
You can choose to import metrics on activity, heart rate and sleep via wearable devices (e.g. Fitbit and Apple Health). You will also be able to journal your mood and symptoms, such as the type, severity and frequency, so you can track your progress over time and share with others where you choose to do so.
We provide some services to the NHS. For NHS patients, we are obliged to collect data on your health and healthcare in order to fulfil our contractual obligations. This data may include relevant information about your diagnosis and treatments from your NHS health care records. We use this data to provide health coaching, give feedback to your clinical team, to account for our NHS activity and to evaluate our outcomes in line with our contractual obligations.
4.0 HOW WE USE YOUR INFORMATION
Only employees and agents of Alvie, who are obligated to maintain confidentiality, can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your personal data without your explicit consent.
Your personal data, as well as all data collected via the App or website (e.g. data about activity, symptoms, mood etc., including from connected external apps e.g. Fitbit, Apple HealthKit) will only be used for rendering Services according to contractual obligations. When Alvie is providing Services to, and on behalf of, the NHS or Private Medical Insurers, personal data is exchanged between Alvie and referring healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also report our activity to referring healthcare organisations.
When Alvie is providing Services to, and on behalf of, the NHS or Private Medical Insurers, non-personally identifiable (or anonymised) data on Service users is shared with commissioning bodies and contractually relevant parties for the purposes of evaluating our Services and/or for research. Such data may be used by Alvie and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research) during the duration of the contract and after the termination of the contractual relationship.
We also record telephone/video calls as needed for optimal customer service and quality management purposes.
You have the right and ability to opt out of certain uses or sharing of your data; please see the section below titled “Subject Access Requests, Changing & Deleting Your Personal Data”. The reason you cannot opt out of all data sharing with us is that we would be unable to provide you with our Service.
5.0 THIRD PARTY SERVICES
If you decide to allow any third-party wearable devices to connect with our Services, we will receive information about you such as your steps, heart rate and sleep data via Bluetooth.
We use third party services for some aspects of our programme.
6.0 WHERE WE STORE YOUR INFORMATION
All information you provide to us is stored on secure servers held in the European Economic Area (EEA) and with GDPR-compliant international data processors only. Where international data processors are used, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.
Data stored on Alvie systems is hosted with Amazon Web Services (“AWS”) (offered by Amazon Web Services, 60 Holborn Viaduct, London, EC1A 2FD). This data is processed on servers in the UK. Data is encrypted end to end.
The data we collect from you is stored within the European Economic Area (“EEA”).
7.0 HOW WE PROTECT YOUR INFORMATION
All information you provide to us is stored on our secure servers and is encrypted between your device and any external host storage to keep it safe (i.e. ‘encrypted in transit’ as well as ‘encrypted at rest’). We use the AES 256 encryption standard.
The Microsoft Teams platform is used for our video consultations. Microsoft Teams is compliant with a range of regulatory security standards, including ISO 27001, ISO 27018 and HIPAA Business. All data sent via Teams is stored and backed up in Azure cloud storage. Azure is delivered through data centres in 54 global regions, which allows Microsoft to store Teams data based on each organisation’s region. This means that all data is stored in compliance with the data security regulations of the region that each organisation is operating in. Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAuth, Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network. For further information around security please consult https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide and for further information around data collection please consult https://privacy.microsoft.com/en-GB/data-collection-teams
8.0 LEGAL BASES FOR PROCESSING YOUR DATA
Any information about your health is classed as sensitive personal data and we ensure that additional safeguarding measures are in place to protect this information. Our legal bases relied upon in processing of your personal data are:
Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems;
Performance of a contract;
Legitimate interest; and/or
Should you have any questions on which may apply to your particular personal data, please e-mail email@example.com
9.0 HOW LONG WE RETAIN YOUR INFORMATION
Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. In many cases, the retention period is 8 years, to comply with applicable NHS data retention standards.
Should you have any questions on this, please e-mail firstname.lastname@example.org
10.0 SUBJECT ACCESS REQUESTS, CHANGING AND DELETING YOUR PERSONAL DATA
You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time by sending your request, with a copy of your identification (passport, driving licence), by e-mail to email@example.com. We will oblige your request except for any data which we might be required to keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.
We strive to respond to your requests within 28 days and will let you know if we are unable to meet this timeframe. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority (see https://ec.europa.eu/info/law/law-topic/data-protection_en).
The Information Commissioner (ICO) is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
11.0 YOUR RIGHTS
Under data protection legislation, data subjects have the following rights with regards to their personal information:
the right to be informed about the collection and the use of their personal data
the right to access personal data and supplementary information
the right to have inaccurate personal data rectified, or completed if it is incomplete
the right to erasure (to be forgotten) in certain circumstances
the right to restrict processing in certain circumstances
the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
the right to object to processing in certain circumstances
rights in relation to automated decision making and profiling
the right to withdraw consent at any time (where relevant)
the right to complain to the Information Commissioner
12.0 CHILD SAFETY
The website and the App are intended for use only by persons who are at least 18 years of age. By using our Services, you confirm to us that you meet this requirement. If you suspect that a child under 18 is accessing the App and providing personal data without their parent or guardian’s consent, please contact us at firstname.lastname@example.org so that we can investigate and remove/delete the data where necessary.
13.0 MARKETING AND EMAIL COMMUNICATIONS
We use Mailchimp to provide you with our monthly update email (Monthly Brief). This is a carefully curated update and is part of the Alvie Service, delivering you content to help you with your health and wellness goals.
We may use information for marketing services to you in the following ways:
Marketing emails relating to our own services and events, only where you have not opted-out of receiving that marketing.
Newsletters and marketing emails where you have requested this information from us, or we have obtained your consent to send you marketing.
We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at any time by emailing email@example.com