Privacy Notice

UK Privacy Notice

Our Vision

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you. It applies to all products and services, and instances where we collect your personal data.

This notice:

  • lets you know what we do with your personal data and what we do to keep it secure. It also explains where and how we collect your personal data, as well as outlining your rights over any personal data We hold about you; and
  • applies to all products, services and instances where we collect your personal data (for example, if you use any of our websites, any of our services, if you use any of our mobile apps or if you are interacting with us on social media). Please note, however, that certain of our sites and products will have their own specific privacy notices or policies which will apply in place of this notice.

This privacy notice has been adopted by Umedeor Ltd (company number 11067577) and its subsidiary Cohort Science (company number 13780369) in line with UK GDPR and the Data Protection Act 2018. The contact address for all the companies referred to above is: 8 Warner Yard, London, EC1R 5EY.

Scope of this privacy notice

This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. ‘Processing’ for the purposes of this notice covers a very broad range of activities including using, transferring, storing and even deleting.

Please read the following terms carefully to understand our views and practices regarding your personal data and how we will treat it. For the avoidance of doubt, by registering with, or using, our websites, apps, services or otherwise interacting with us, you consent to the collection, use and transfer of the relevant data and your information under the terms of this privacy notice (save that, as noted above, certain of our sites and products will have their own specific privacy notices or policies which will apply in place of this notice).

What information about you might We process and where do We get it from?

We may collect and process the following information about you:

  • Information you give us:
    • You may give us information about you by filling in forms on our websites, using our services or by corresponding with us (for example, by e-mail or via social media). The information you give us may include your name, address, email address, phone numbers and feedback you might provide.
    • If you contact us, We may keep a record of that correspondence.
    • Information provided when submitting or updating a request for support or contacting our support teams.
    • Information provided when creating a user account within our clinical systems (including, usernames and password information).
    • Information collected as a result of any monitoring which may take place. We may monitor (which may include recording) certain interactions between us in order to comply with any legal obligations, to detect fraud or criminal activity as well as for training purposes.
  • Information about any device which you use to visit our websites or access our services (such as the type of device used, operating system, browser type, IP address and screen resolution).
  • Details of the resources you access through our websites or services.

What uses do We make of the information?

The information We collect may be used in the following ways:

  • to manage your account and for our own internal administrative purposes;
  • to provide you with information, products or services that you request from us;
  • to contact you about our services (see below for more information regarding our marketing activities);
  • to conduct market research and statistical analysis, either ourselves or through an agency;
  • to help us to understand you better as a user of our websites and/or a recipient of our services so that We can improve our sites and services and better deliver them to you;
  • to perform any contracts entered into between you and us;
  • for security and safety purposes;
  • to assist you with your use of our websites and services and to respond to any comments or queries which you may have raised;
  • to allow you to participate in interactive features of our websites or services, when you choose to do so;
  • to notify you about changes to, or any issues with, our services;
  • to ensure that We present the correct version of our websites and services for your device; and
  • to monitor visitor interests, behaviour and understand general usage of our websites and services, to help us improve our sites and services. Please note that our websites are not intended for children and (save as may be expressly provided for) we do not knowingly collect data relating to children via our websites.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

What are the grounds used to justify our processing of your personal data?

Like most businesses, We may rely on a range of legal bases in order to ensure that our use of your personal data is lawful, including:

  • Where it is needed to provide you with our products or services, such as:
    • updating your records, contacting you about the relevant product or service (where appropriate);
    • sharing your personal data with service providers in order to deliver the relevant product or service;
    • activities relevant to managing the relevant product or service including any enquiries you may make regarding the product or service, your application to receive the relevant product or service, and the administration and management of accounts.
  • Where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
    • managing your products and services relating to that, updating your records, contacting you about the relevant product or service (where appropriate)
    • performing and/or testing the performance of our products, services and internal processes
    • following guidance and recommended best practice of government and regulatory bodies
    • managing and auditing our business operations including accounting and finance functions
    • monitoring and keeping records of our communications with you
    • administering our governance requirements, such as internal reporting and compliance obligations
    • undertaking market research analysis and developing statistics
    • for direct marketing communication purposes to help us to offer you relevant products and services; and/or
    • complying with any relevant legal and/or regulatory obligations
  • To comply with our legal obligations; and/or
  • with your (explicit) consent (though with the exception of some direct marketing communications it is not likely that We would be relying upon this ground).

Cookies

We use cookies to distinguish you from other users. This helps us to provide you with a good experience when browsing and also allows us to improve our website.
For each of your visits to our website, the information we collect about you includes:

  • Technical information, including the internet protocol (IP) address used to connect your computer to the internet.
  • Internet browser type and version
  • Login information, time zone setting and location.
  • Browser plug-in types and versions.
  • Operating system and platform.
  • Other technology used to access our website
  • Full Uniform Resource Locators (URL) clickstreams to, on and from our websites, products/services you viewed or searched for.
  • Page response times, download errors, length of visits to certain pages.
  • Page interaction information (such as scrolling, clicks and mouse-overs).
  • Methods used to browse away from the page

For detailed information on the cookies we use and the purposes for which we use them please refer to our Cookie Policy.

Disclosure of the information

We may disclose your information to other organisations in certain situations. For example, We may disclose information:

  • within uMedeor Ltd for our internal business purposes and to the extent necessary for us to deliver any relevant services to you.
  • to third party partners and suppliers where We need them to process your personal data on our behalf so that We can deliver our services to you. We of course remain responsible for those third parties and it is our responsibility to ensure that they use any personal data that We make available to them correctly and in accordance with our instructions and the law.
  • in order to:
    • enforce or apply our terms of use in respect of our websites, services and/or other agreements or to investigate potential breaches; or
    • protect our rights, property and safety (and that of our customers, or others).
  • if We are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
  • in connection with a potential sale or transfer of part or all of our business, We may share information with prospective purchasers.

Information storage and information retention

The information that We collect from you will be processed (which may include, where relevant, storing it) in accordance with our obligations under the relevant laws which set out our obligations as someone that has personal data within our possession and control.

We will retain a record of your personal data in accordance with relevant law and based on the following criteria:

  • where We have a reasonable business need to do so, for example, in order to manage our relationship with you;
  • where We are providing products and/or services to you and then for as long as someone could bring a claim against us in respect of those products or services; and/or
  • in line with any legal and regulatory requirements or guidance in respect of retention periods.

We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control. All information you provide to us is stored securely at our offices and (where relevant) at the offices of third-party agencies, service providers, representatives and agents as described above. We also hold your personal data in secure data centres in the UK.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website(s) or services, you are responsible for keeping this password confidential. We ask you not to share your password information with anyone.

Transfers of personal data overseas

We are primarily a UK based business but from time to time personal data may need to be transferred outside of the European Economic Area – where this is the case then we will ensure that we have the necessary safeguards in place.

Third party sites and links

Our websites may, from time to time, contain links to and from the websites of our partner networks, (from certain of our sites) advertisers or other third parties (for example, we include links below to the site of the Information Commissioner’s Office).

If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and policies and that we do not accept any responsibility or liability for these notices or policies (and how they may be applied) or for any personal data that may be collected through those third party websites or services, such as contact and location data. Please check the relevant third party policies before you provide any personal data to those websites or use their services.

Marketing – Letting you know about our products and services

From time to time we would like to tell you about the products and services available from Umedeor Ltd.

If you have agreed to receive marketing materials from us then we may contact you through the post, by email, text message, online, using social media, or by any other electronic means.

In addition, as noted above We have a legitimate interest in using personal data We hold in respect of individuals to let them know about our products and services. This ground will not apply if you are interacting with us in a personal capacity.

You have the right at any time to ask us not to process your personal data for marketing purposes. You can exercise your right to limit or prevent such processing by contacting us (see below) or by selecting an option to unsubscribe in any relevant electronic communication.

Your rights

You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Information Commissioner’s Office website – please see https://ico.org.uk/for-the-public/

We have outlined below the key rights which We believe may be relevant to your use of our websites and services.

If you would like to exercise any of these rights then please contact us using the contact information provided below. Please note that you may be asked to provide us with reasonable proof of your identity so that We can be sure that We are discussing your information with you (or if someone is making a request on your behalf, that they have the authority to do so).

Please note that if you have a query regarding any medical record or similar which We hold on behalf of a GP practice or hospital or similar then We will most likely need to refer your query to the relevant third party as they are responsible for that information (i.e. they are the ‘data controller’) and will need to determine how to respond to your query.

Right of access to information

You have the right to access certain information held about you so that you can be aware of, and verify the lawfulness of, the processing we undertake.

You can exercise your right of access by making what is generally referred to as a ‘subject access request’.

We will review each request which we receive and if we agree that we are obliged to provide personal data to you then we will (subject to certain limited exceptions provided under the relevant law) amongst other things: (i) describe it to you; (ii) tell you why we are holding it; (iii) tell you who it could be disclosed to; and (iv) let you have a copy of it (this may include providing an electronic copy).

Right to have information corrected

If you identify that any personal data that We hold about you is wrong, inaccurate or out of date then you may ask us to correct or update it. Please contact us via the details provided below and We will review each request and respond accordingly.

Right to stop or limit our processing of your personal data

This is also known as the ‘right to be forgotten’. You have the right to require us to stop or to limit any processing we are undertaking in respect of your personal data if we no longer have a valid reason to do so or if we have held it for too long.

This is not an absolute right but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).

Right to withdraw consent

You are free to withdraw any consent which you have given to us in relation to our use of your personal data at any time. As noted above, you have the right to tell us to stop sending you any direct marketing materials at any time.

Right to complain

If you are unhappy about the way in which we have processed your personal data then you have a right to raise the issue or to lodge a complaint with the Information Commissioner’s Office – as noted above please see https://ico.org.uk/for-the-public/ for further details.

Changes to our privacy notice

We will keep this privacy notice under regular review and we may update it from time to time (for example, to reflect changes we might make to our services or to reflect changes in the law or best practice).

Any changes we may make to our privacy notice in the future will be posted on this page. We encourage you to visit this page periodically so that you are aware of any changes which have been made.

This version of the privacy notice is effective from 04/11/2022 (v1.2)

Contact

If you have any comments or concerns regarding our privacy notice, or the manner in which We handle your personal data or if you would like to exercise any of the rights outlined above then please do feel free to contact us by one of the following means and we will consider your comments and respond accordingly:

By email: dpo@umed.org


US Privacy Policy

THIS POLICY EXPLAINS HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

This HIPAA Privacy Policy is about Your Information, Your Rights, and Our Responsibility.

OUR PLEDGE REGARDING HEALTH INFORMATION:

We understand that health information about you is personal, and we are committed to doing our best to protect the privacy of the data that you or any others share with us. This information is called Protected Health Information (PHI), and it comes from you, your physicians, hospitals, and other healthcare service institutions involved in your care. We will only use and disclose the minimum necessary information for the intended purpose, as consented to by you or as required by law.

This Privacy Policy will tell you how we may use and disclose your health information with your consent or as required by law. It also describes your rights and certain obligations we have regarding the use and disclosure of health information.

We may share your information:

  • As directed by you or with your consent;
  • To enforce any agreement, including any applicable terms of service;
  • To third-party vendors, service providers, contractors, or collaborators (“third parties”) who perform services for us or on our behalf and require access to such information to do that work. We have contracts with our third parties, designed to help safeguard your personal information.
  • To establish or exercise our right to defend against legal claims;
  • To law enforcement and other government authorities such as legislatures, courts, agencies and litigants, if we reasonably believe that such action is necessary to: (a) comply with the law and the reasonable requests of governmental authorities; (b) comply with legal process; (c) respond to requests from public or government authorities, including public or government authorities outside your country of residence; (d) protect the security or integrity of the Services’ information systems; and/or (e) exercise or protect our rights, privacy, safety or those of affiliates, clients, you or others;
  • If we reasonably believe disclosure is necessary or appropriate to protect the rights, property, or safety of Cohort Science or others; and
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about the users of the Site or the Service is among the assets transferred.

We are required by law to:

  • Maintain the privacy and security of your PHI under HIPAA ACT 1996.
  • Enter into a Business Associate Agreement with third parties who may handle your PHI by association with us.
  • Notify your HCI and/or legal entities promptly if we determine inappropriate use or disclosure of your PHI has occurred that compromises the privacy or security of your information.
  • We will use and disclose your information, as described in this Policy unless you tell us we cannot or you opt out of a registry at some point. If you change your mind at any time, you must tell us in writing.
  • Follow the duties and privacy practices described in this Policy and give you a copy of it.

Who will need to follow this Privacy Policy:

  • All staff at Cohort Science.
  • Any business associate working with Cohort Science that has access to PHI.
  • Any researchers or collaborators of Cohort Science Registries.

YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU:

This section describes your rights and our responsibilities to help you. Your rights include, but are not limited to, the following:

  • Getting a copy of your health and claims records.
  • Requesting correction of your health and claims records.
  • Getting a list of those with whom we have shared your information.
  • Asking us to limit the information we share.
  • Requesting confidential communication.
  • Requesting a copy of this Privacy Policy.
  • Filing a complaint if you believe your privacy rights have been violated.
  • Choosing someone to act on your behalf.

California Resident Privacy Rights

Residents of the State of California have the right to request from certain businesses with whom the California resident has an established business relationship, a list of all third parties to which the business, during the immediately preceding calendar year, has disclosed certain personally identifiable information for direct marketing purposes. We are only required to respond to a customer request once during any calendar year. To obtain this information, you should send a written request to privacy.officer@cohort.science with the subject heading “California Privacy Rights.” In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California Privacy Rights requirements, and only information on covered sharing will be included in our response.

What additional information do you need if you are located in the European Economic Area (EEA), Switzerland or the United Kingdom (UK)?

In addition to the disclosures made elsewhere in the Privacy Policy regarding our privacy registries, you have certain rights under applicable data protection laws in some regions, such as the UK. Our legal basis for collecting data in these regions can vary depending on the nature of the information and the purpose for which we collect it. This applies to the ‘personal data’, as defined under applicable data protection laws, of natural persons located in the EEA, Switzerland and the UK. Any terms not defined herein have the meaning ascribed to them elsewhere in the Privacy Policy or, if not defined in the Privacy Policy, in applicable data protection laws.

The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

  • We may process your information if you have given us permission (i.e. consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
  • We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
  • We may process your information where we believe it is necessary to comply with our legal obligations, such as cooperating with a law enforcement body or regulatory agency, exercising or defending our legal rights, or disclosing your information as evidence in litigation in which we are involved.
  • We may process your information where it is necessary to protect your vital interests or the vital interests of a third party, such as in situations involving potential threats to the safety of any person.
  • In addition, we may process your personal information for the purpose of the legitimate interests pursued by us, or by a third party, as per the provisions of the applicable data protection law, ensuring your interests and fundamental rights are always protected.

You have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv), if applicable, to data portability. In certain circumstances, you may also have the right to object to processing your personal information. You can make such a request by contacting us by using the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If you believe we are unlawfully processing your personal information, you also have the right to complain to the UK Data Protection Authority, the ICO.

In the case of processing special categories of personal information, as per the definition in applicable data protection law, your consent is our lawful basis for processing. If we rely on your consent to process your personal information, you can withdraw your consent at any time by contacting us by using the contact details provided below. However, please note that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

To contact the Cohort Science Ltd DPO, please email dpo@cohort.science

Changes to this Policy. We have the right to change this Policy. All changes to the Policy will apply to the information we already have about you and any information we receive in the future. We will post a copy of the current Policy on our website accesspd.org. The effective date and version control of the current Policy will be posted in the Policy’s footer. If we make material changes to this Policy, we will provide you with the updated Policy within further communications.

For more information, see also:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

How to contact us. If you have any questions about this Policy, or if you need to make a request to the Privacy Officer, please contact us at Cohort Science Ltd, c/o Privacy Officer, by email at privacy.officer@cohort.science.io or by phone on +1888-4545580.

A copy of this Privacy Policy will be available upon request.