(v.2 April 2020)
Your.MD respects your privacy and is committed to protecting your personal data. This policy, alongside our Your.MD Thyroid Checker Terms of Service, explains how we process your data when you use our services.
Your.MD is a trademark of YOUR.MD AS, incorporated and registered in Norway with the company number 999260993. The registered office is at c/o Advokatfirmaet Simonsen Vogt Wiig AS, Filipstad Brygge 1, 0252 Oslo, Norway. It offers Your.MD Services (hereinafter referred to as: “Services”) via its subsidiary Your.MD Limited, incorporated and registered in the UK with the company number 08727263. The registered office is Your.MD Ltd, 5th Floor, 43 Whitfield Street, London, W1T 4HD, UK (hereinafter collectively referred to as: ‘Your.MD’ or ‘we’).
Should you have any privacy-related questions, please contact us at email@example.com, subject: Thyroid Checker.
We use your data to personalise your experience when you use our Thyroid Checker. We also use your data to improve the safety and security of the Services we provide, and for the purpose of analytics and communications.
Contract performance. This covers data that is processed by us in order to provide you with Services that you have requested.
Consent. Where you have consented to our use of your data, for processing your health data.
Legitimate interests. This covers data processed by us for purposes that can reasonably be expected within the context of your use of our Services, in pursuit of our legitimate interests: to improve our Services and your experience, to provide general social benefit by enabling free access to health information, and to enable us to offer a safe and secure service.
WE USE YOUR DATA:
We use your data to understand your health so that we can provide relevant information personalised to your needs. We will use this data to personalise the thyroid checker experience. Legal basis: contract performance and consent as special condition for processing your health data. Data collected: As stated in ‘The data we collect’ section of this policy.
We collect data on how you use our Thyroid Checker so we can make improvements to the service we offer you. We use identifiers and we carry out troubleshooting and testing. We also analyse your activities to understand how you use and interact with our Services. Legal basis: legitimate interests, to help us improve our Service. Data collected: Analytical Information, Technical Information, as stated in ‘The data we collect’ section of this policy.
We usually process your data based on IDs attached to your profile. To safeguard your privacy, we store health data and data which could indirectly personally identify you in separate databases. We do store technical logs of your activities in the Thyroid Checker. In line with best practice, only authorised staff members can access personal data, and only when required for user safety or critical systems issues. Legal basis: legitimate interests, to enable us to offer a safe and secure service. Data collected: Technical Information, as stated in ‘The data we collect’ section of this policy.
We use your data to respond to your requests and/or queries sent to firstname.lastname@example.org and/or email@example.com. Legal basis: legitimate interests. Data collected: email, full name (if provided), IP address or other identifier assigned by a third-party service provider. Your data will be transferred to Zendesk, a third-party service provider that we use for a support ticketing system. Please do not share any health data when sending emails to firstname.lastname@example.org and/or email@example.com as we do not respond to any case-specific health issues.
We provide the following information to Merck on a monthly basis: how many users used the Thyroid Checker, finished the consultation, and were identified as susceptible to a specific condition, all in an aggregated and anonymised form, meaning your data and health data are never disclosed. Merck has the right to appoint an independent auditor to verify the data. In such a case, we might need to disclose more data, but don’t worry, your data will be anonymised should this need to happen.
DIRECTLY IDENTIFIABLE PERSONAL DATA (only applicable for users who decide to write to us): email address.
INDIRECTLY IDENTIFIABLE PERSONAL DATA: First name or nickname, age, gender, location (country, region - not specific enough to identify the street), time zone, service preferences, acquisition channel, identifiers (profile ID attached to your profile data, IP address, analytics IDs, conversation/consultation ID, device ID).
HEALTH DATA. Any type of health data you share when using Thyroid Checker.
TECHNICAL INFORMATION. User agent (web browser type and version), device model, screen information, mobile service provider, OS version, location (country and city), time zone, IP address at the time of usage, Your.MD's unique identifiers (profile ID, conversation ID/consultation ID), records of events with Technical Information and your interaction with our Services. For example, logs on your usage of the Services, which include chat information and articles you have viewed in the Health A-Z.
ANALYTICAL INFORMATION. Hashed IP address, hashed profile ID, hashed conversation/consultation ID, analytics provider's unique user ID (Firebase ID) or client ID (Google Analytics ID), third-party cookies. Information on how you use our Services:
General Activity (e.g. time spent)
Sessions (e.g. when you started the session, duration)
Acquisition channel (e.g. which ad you clicked on to get to our Services)
Activity within our Services and features (e.g. your data and activities, consultation outcomes, whether you sent an input that failed to be understood by our chatbot, logs on your usage of our Services).
We cannot provide all services necessary for the successful operation of Your.MD Services by ourselves. We therefore share collected information with third-party providers for the purpose of offering and improving the Services. The information we share will not identify you personally, and the providers will only use the data to offer services to us. However, we will use your email to send you newsletters and surveys. For privacy-related requests, send an email to firstname.lastname@example.org, subject: Thyroid Checker.
THIRD-PARTY TECHNOLOGY AND PROVIDERS
Third-party providers are data processors. This means they process your information on our behalf, in accordance with our instructions. We only allow your information to be used by them to offer services to us. Third-party providers' use of information is controlled by the terms of their contract with us and any settings enabled by us through the user interface of their product.
With the help of analytics providers, we collect Analytical Information to help us improve our Services for you. We choose our providers carefully and set the most restrictive controls available to ensure they do not use your data for any purpose other than providing services to us.
Your data will be disclosed only when necessary for lawful purposes, our legal obligations and rights as stated herein, and will be limited to such purposes:
a) if required by law, for example to comply with a court order, subpoena, regulation, legal process or other governmental request
b) to exercise or protect the rights, property or personal safety of our company, our users or others
c) to enforce this privacy statement, including investigation of potential violations
d) upon fulfilling legal requirements of local legislation to supply certain services a third party might legally request from us
e) to detect, prevent, or otherwise address fraud, security, or technical issues
f) if we are involved in a merger, acquisition, or sale of all or a portion of our assets; you will be notified of any change in ownership or uses of your data
g) to respond to claims that any content published within our Services, or our Services themselves, violate any right of a third party.
We follow generally accepted industry standards and internal procedures to protect the data submitted to us during transmission, storing, and processing. We store your data for as long as is needed to provide our Services. We may store it for longer, but only in a way that it cannot be tracked back to you. We delete all personally identifiable data we have about you within 30 days of receiving your data deletion request. Please make sure you request a copy of your data before you ask to delete your data, as your data will not be retrievable afterwards.
We delete the logs we keep of the IP addresses you have used after approximately six months. When the data is no longer needed, we delete it using reasonable measures to protect the information from unauthorised access or use. Any information you send to email@example.com and/or firstname.lastname@example.org will be deleted as soon as we respond to your enquiry and/or the information is no longer needed.
We are committed to keeping your data up-to-date. You can exercise your rights by sending an email to email@example.com, subject: Thyroid Checker. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardise the privacy of others, are impractical, or if we are required to retain such information by law or for legitimate business purposes. In the event of a suspicious request made in bad faith or accompanying unlawful behaviour, we reserve the right to deny any request you make. We will not respond to any enquiry emails which we do not understand, where the request is not clearly specified, or pertains to health questions as we do not offer case-specific advice.
RIGHT TO WITHDRAW YOUR CONSENT
You should be aware that we are not able to give you an option to withdraw the consent for processing health data because we do not store any data that could directly personally identify you. You can withdraw your consent by ceasing to use the Thyroid Checker.
RIGHT TO OBJECT AND RESTRICTION OF PROCESSING
We process your data on a legitimate interests basis, when using our Site or when responding to your queries. We limit the amount of data we collect, and this data cannot directly identify you. To exercise your right to object or restrict processing, please send us an email to firstname.lastname@example.org, subject: Thyroid Checker objection/restriction of processing.
RIGHT TO ERASURE/ACCESS/COPY
You should be aware that we are not able to accommodate your request for the deletion/access/copy of your data because we do not store any data that could directly personally identify you. If you stop using our Services, we will delete all collected data within six months.
Google Analytics. You can opt out of Google Analytics by installing this browser add-on https://tools.google.com/dlpage/gaoptout.
Zendesk. Correcting, updating and removing your information. If you seek to exercise your data protection rights in respect of personal information stored or processed by Zendesk on our behalf (including to seek access to, or to correct, amend, delete or restrict processing of such personal information) you should direct your query to us by sending an email to email@example.com. We will then instruct Zendesk to remove the personal information and they will respond within 30 days. They will retain personal information which they process and store on our behalf for as long as is needed to provide services to us.
We follow generally accepted industry standards and internal procedures to protect information submitted to us.
We store Indirectly Identifiable Personal Data and Health Data in separate databases. This means that whatever you enter in Thyroid Checker is not connected to data that could indirectly identify you. We normally process your data with the help of identifiers, namely profile ID, consultation/conversation ID and analytic identifiers, to avoid personal identification. In limited cases, when required for user safety or critical systems issues, authorised personnel can access Indirectly Identifiable Data along with Health Data. Your IP address is used to determine location, but it is normally masked (hashed) when stored on our backend.
We store your information for as long as needed to provide our Service. We may store the information longer, but only in a way that it cannot be tracked back to you. We use AWS and Google Cloud Platform for storing information.
AWS. AWS holds multiple security certifications: https://aws.amazon.com/security/. The data we collect from you may be transferred to, and stored at, a destination inside and outside the European Economic Area (EEA), namely the AWS regions in the US and EU. It may also be processed by staff operating outside the EEA who work for us, or for one of our Providers. Your data will still be safe - we have entered into the AWS data processing addendum to make sure your personal information (IP address) is safe, namely:
a) that AWS will use the data only to provide its storage services
b) that it will not disclose data to any third party
c) that AWS restricts its personnel from processing your data without authorisation
d) that we stay in control of correcting, blocking, deleting and retrieving your data
e) that AWS is responsible for implementing and maintaining the technical and organisational measures
f) that AWS is certified under ISO 27001 and agrees to maintain an information security program for the service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the AWS Security Standards
Firebase Hosting. We use Firebase Hosting for our Site. Firebase Hosting is a production-grade web content hosting service for developers. Zero-configuration SSL is built into Firebase Hosting, so content is always delivered securely. Please refer to the Firebase Data Processing and Security Terms for more information.
To guarantee your privacy, we securely encrypt, limit, and restrict access to your personal details. The information is encrypted and key protected, and we make commercially reasonable efforts to make sure your information remains secure when processed by us. However, please be aware that no security measures are impenetrable. If you have any concerns about the security of our Services, please contact us at firstname.lastname@example.org, subject: Thyroid Checker.
EU Territory
We delete the logs we keep of the IP address within six months. We store your personally identifiable data for the duration of the provision of our Services or up to 30 days after your deletion request. This section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication, or as strictly necessary for us to provide the Services you requested. We reserve the right to delete your profile after an extended period of inactivity.
Storing might be different depending on which territory is collecting the information and the applicable legislation, but we always strive to store the information only if it is needed for the purposes of providing, improving or personalising our Services.
Should you have any privacy-related questions, please contact us at email@example.com, subject: Thyroid Checker. If we are not able to help, we will forward your enquiry to our external Data Protection Officer (DPO), ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints that our DPO is not able to resolve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Prof. Dr. Johannes Caspar, Kurt-Schumacher-Allee 4, 20097 Hamburg. If you are a UK customer, you can lodge a complaint with the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Matteo Berlucchi, CEO