Your.MD is a trademark of YOUR.MD AS, incorporated and registered in Norway with the company number 999260993. The registered office is at c/o Advokatfirmaet Simonsen Vogt Wiig AS, Filipstad Brygge 1, 0252 Oslo, Norway. It offers the Your.MD Symptom Checker (“symptom checker”, “chatbot”) via its subsidiary Your.MD Limited, incorporated and registered in the UK with the company number 08727263. The registered office is Your.MD Ltd, 5th Floor, 43 Whitfield Street, London, W1T 4HD, UK (hereinafter collectively referred to as: ‘Your.MD’ or ‘we’).
Should you have any privacy-related questions, please contact us at [firstname.lastname@example.org](email@example.com?subject= Vhi Health Assistant app).
Consent. Where you have consented to our use of your data.
Legitimate interests. This covers data processed by us for the purposes that can be reasonably expected within the context of your use of our service to pursue our legitimate interests, in order to improve our service and your experience, for general social benefits to enable free access to health information, to enable us to offer a safe and secure service.
We use your data so the chat-bot can calculate the most likely condition based on your reported symptoms. Legal basis: legitimate interests.
With the help of analytics ID assigned to you, we can use the data that you enter when talking to our chatbot (health data, age and gender) for our internal analytics and research. We do not process any information which could directly identify you in our analytical databases. For example, we check how many users have finished a consultation.
We also use your data to improve the safety and security our service. To safeguard your privacy, we store health data and data which could personally identify you in separate databases. In line with best practice, only authorised staff members can access personal data, and only when required for user safety or critical systems issues. Legal basis: legitimate interests, to enable us to offer safe and secure service.
We will use your email to respond to any queries you send to firstname.lastname@example.org. Please do not share any health data when sending emails to us as we do not respond to any case-specific health issues. Legal basis: legitimate interests, to enable us to respond to your queries.
We will send reports to our partner VHI, who is hosting our chatbot on VHI Health Assistant App. We provide information such as, how many users used the symptom checker, have finished the consultation, to VHI on monthly basis, all in an aggregated and anonymised form, meaning that your personal data is never disclosed. VHI has the right to appoint an independent auditor to verify the data. In such case, we might need to disclose more data, but don’t worry, your data will be anonymised should this need to happen. Legal basis: legitimate business interests.
Indirectly identifiable data: age, gender, time zone, acquisition channel, identifiers (IP address, profile ID attached to your profile data, analytics IDs, conversation ID and session ID.
Health data: any type of health data you share when using our Symptom Checker.
Technical information: installed app version, IP address at the time of usage, Your.MD’s unique identifiers (profile ID, conversation ID, session ID), records of events with Technical information and your interaction with our service. For example logs on your usage of the service, which include chat information.
Analytical information: hashed IP address, hashed profile ID, hashed conversation ID, analytics provider’s unique ID (Firebase ID), various information on how you use our service: selected symptoms, duration, rejected symptoms, questions and answers to clarify symptoms, factors that affect the diagnosis (age and gender), other information about our service you may voluntarily provide, symptom checker’s results.
We cannot provide all service necessary for the successful operation of our service by ourselves. We therefore share collected information with third-party providers for the purpose of offering and improving our service. The information we share will not identify you personally, and the providers will only use the data to offer service to us. However, we will use your email to answer your queries. For privacy-related requests, see section 6 of this Policy or send an email to email@example.com, subject: Vhi Health Assistant App.
With the help of analytics providers, we collect analytical information to help us improve our service for you. We chose our providers carefully and set the most restrictive controls available to ensure they do not use your data for any purpose other than providing service to us.
Your data will be disclosed only when necessary for lawful purposes, our legal obligations and rights as stated herein, and will be limited to such purposes: a) if required by law, for example to comply with a court order, subpoena, regulation, legal process or other governmental request b) to exercise or protect the rights, property or personal safety of our company, our users or others c) to enforce this privacy statement, including investigation of potential violations d) upon fulfilling legal requirements of local legislation to supply certain service a third-party might legally request from us e) to detect, prevent, or otherwise address fraud, security, or technical issues f) if we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified of any change in ownership or uses of your data g) to respond to claims that any content published within our Service or our Service violate any right of a third-party.
We follow generally accepted industry standards and internal procedures to protect the data submitted to us during transmission, storing, and processing. The session ID that enable us to recognise users that come from Vhi, as well as the profile and conversation ID are new for each session you make and get deleted after the conversation ends. This means that we are not able to attribute the data you share with us to you personally.
We store data and analytics ID that cannot be tracked back to you for internal analytics purpose. When the data is no longer needed, we delete it using reasonable measures to protect the information from unauthorised access or use.
You can exercise your rights:
We will process your request within 30 days of receiving it.
We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardise the privacy of others, are impractical, or if we are required to retain such information by law or for legitimate business purposes. In the event of a suspicious request made in bad faith or accompanying unlawful behavior, we reserve the right to deny any request you make. We will not respond to any enquiry emails which we do not understand, where the request is not clearly specified, or pertains to health questions as we do not offer case-specific advice. We reserve the right to delete your data after a long period of inactivity.
You should be aware that we are not able to accommodate your request for the deletion/access/copy of your data because we delete all data that could indirectly personally identify you after finishing the consultation.
Zendesk. Correcting, updating and removing your information. If you seek to exercise your data protection rights in respect of personal information stored or processed by Zendesk on our behalf (including to seek access to, or to correct, amend, delete or restrict processing of such personal information) you should direct your query to us by sending an email to firstname.lastname@example.org. We will then instruct Zendesk to remove the personal information and they will respond within 30 days. They will retain personal information which they process and store on our behalf for as long as is needed to provide service to us.
We follow generally accepted industry standards and internal procedures to protect Information submitted to us.
We store identifiable personal data and health data in separate databases. This means that whatever you enter our chatbot, it is not connected to data that could personally identify you. We normally process your data with the help of identifiers, namely profile ID, consultation/ conversation ID, Vhi ID and analytic identifiers to avoid personal identification.
We store your information for as long as needed to provide our service. We delete all identifiers after each consultation. We may store the information longer, but only in a way that it cannot be tracked back to you.
We use AWS and Google Cloud Platform for storing of information.
AWS. AWS has multiple security certificates https://aws.amazon.com/security/.The data we collect from you may be transferred to, and stored at, a destination outside and inside of the European Economic Area (EEA), namely the AWS regions in the US and EU. It may also be processed by staff operating outside the EEA who work for us, or for one of our Providers. Your data will still be safe - we have entered into the AWS data processing addendum to make sure your personal information (IP address) is safe, namely:
a) that the AWS will use the data only to provide its storing service
b) that it will not disclose data to any third-party
c) that the AWS restricts its personnel to process your data without their authorisation
d) that we stay in control of correcting, blocking, deleting, retrieving your data
e) that AWS is responsible for implementing and maintaining the technical and organisational measures
f) that AWS is certified under ISO 27001 and agrees to maintain an information security program for the service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the AWS Security Standards
To guarantee your privacy, we securely encrypt, limit, and restrict access to your personal details.
We encrypt all your data at rest and any directly identifiable personal information is double encrypted with two keys at both the infrastructure and application level. We have restricted access to production environments and monitoring of your activities. The information is encrypted and key protected, and we have integrated commercially reasonable efforts to make sure your information remains secure when processed by us. However, please be aware that no security measures are impenetrable. If you have any concerns about the security of our service, please contact us at email@example.com.
EU Territory We delete logs we keep of the IP address within six months. We store your personally identifiable data for the duration of the provision of our Service or up to 30 days after your deletion request. This section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication, or as strictly necessary for us to provide the Service you requested. We reserve the right to delete your profile after an extended period of inactivity.
Storing might be different depending on which territory is collecting the information and the applicable legislation, but we always strive to store the information only if it is needed for the purposes of providing, improving or personalising our Service.
Should you have any privacy-related questions, please contact us at firstname.lastname@example.org. If we are not able to help, we will forward your enquiry to our external Data Protection Officer (DPO), ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints that our DPO is not able to resolve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Prof. Dr. Johannes Caspar, Kurt-Schumacher-Allee 4, 20097 Hamburg. If you are a UK customer, you can lodge a complaint with the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Matteo Berlucchi, CEO