Posita | Privacy Policy

Data protection is a subject of special importance for Buddy Healthcare: We take data protection and privacy issues very seriously and comply with the applicable national and European data protection regulations. In particular, we process your personal data exclusively in compliance with legal requirements and in accordance with appropriate technical and organizational data security measures.

1. Objective, Responsibility, Data Protection Officer

The purpose of this Privacy Policy is to inform you about the nature, scope and purpose of personal data processing on Posita and the associated applications, sites, functionalities and content (hereinafter collectively referred to as “Service”). This Privacy Policy applies to all domains, systems, platforms and devices (e.g., desktop or mobile devices) on which the Service is run, browsed and accessed.

The provider of the Service and the organization responsible for data processing as well as ensuring compliance with the applicable data protection regulations is Buddy Healthcare Ltd Oy, Kuortaneenkatu 2, FI-00510 Helsinki, FINLAND (hereinafter referred to as “Buddy Healthcare”, “we” or “us”).

The Service is designed to automate the patient journey and related communications between a patient and their care provider (hereinafter “the Controller”). The Service is directed especially to the Controller’s customers and their caretakers. With respect to additional information about the Controller, we may refer you to the Controller’s privacy policy or privacy declaration.

Our Data Protection Officer can be contacted via e-mail at: care@buddyhealthcare.com.

2. Purpose of Processing the Personal Data, Legal Basis

The processing of personal data is primarily based on the care relationship between the Controller and the data subject (hereinafter “the User”, or “you” and “your”) formed when the User creates a user account for the Service, and, e.g., insofar as the User enters information on his or her state of health or treatment information in the Service.

Personal data is processed for the implementation and provision of the application or browser based Service offered by the Controller and Buddy Healthcare, for the patient guidance, the care coordination and for managing the customer relationship as well as for service development after having been anonymized.

Processing tasks can be outsourced to external service providers in accordance with and within the limits set by the data protection legislation.

In the case of the User being automatically profiled to be in a high risk group of cancelling the procedure or care, not showing up in the appointments or having complications of the procedure or care, the User may be notified by the Posita app or the Controller by push notifications, text messages, email messages or phone calls.

We collect and process your personal data only if you request the Services and we need your data for this purpose or if you have voluntarily given us your express consent. The legal basis for data processing is Art. 6 Para. 1 b GDPR and Art. 6 Para. 1 a GDPR.

3. Data Content

The User of the Service can be:

Information stored on the User may include, for example, the following:

4. Regular Sources of Information

Information is received mainly from the following sources:

5. Regular Disclosure of the Data and the Recipient Groups

The collected data may be transferred to Controller’s other patient systems such as their electronic health record or electronic medical record systems either manually or via a technical integration.

Collected data and information is submitted and stored in a secure server provided by third party service providers Amazon Web Services Inc. (servers in Ireland and Germany) and Aptible Inc. (servers in Ireland and Germany).

In some situations, a subset of personal data is stored on third-party service providers’ servers as follows:

Data will not be disclosed to parties other than those participating in the production, development, or maintenance of services or communications of the Controller or on its behalf, except when based on an agreement, separate consent, and/or explicit regulations.

We disclose your personal data only if you request the Services and we need your data for this purpose or if you have voluntarily given us your express consent. The legal basis for data processing is Art. 6 Para. 1 b GDPR and Art. 6 Para. 1 a GDPR.

6. Transfer of Data Outside the EU or the EEA

Recipients of personal data may be located in countries outside the European Union (cloud service providers: Amazon Web Services Inc., Aptible Inc., Google, Twilio, Sumo Logic, Apple), including the United States, which may not have data protection laws equivalent to those in the European Union. In such a case, the necessary measures will be taken to ensure safety of personal data in accordance with applicable data protection laws.

We transfer your personal data only if you request the Services and we need your data for this purpose or if you have voluntarily given us your express consent. The legal basis for data processing is Art. 6 Para. 1 b GDPR and Art. 6 Para. 1 a GDPR.

7. Principles in Accordance with Which the Data Has Been Protected

The Service operates via the internet and can be used via protected data-communication media, such as those used with a browser on a computer, mobile phone, mobile device or other smart device, or with another technical application provided by the Controller and/or Buddy Healthcare at any given time.

Our security measures include, in particular, the encryption of data for transmission between your device or browser and our server.

The User logs in to the Service by using personal credentials or another authentication method approved of by the Controller. The Services and its information security are provided by means of appropriate technical solutions.

Material can only be accessed by employees, practitioners or co-operation partners specifically entitled to do so with a personal User ID and password. There are different levels of access rights, and each User is issued sufficient rights, though as limited as possible, to complete his or her work tasks.

Also, the User him/herself can grant other persons the right to view and process data on the User stored in the Service, and the right to receive an equivalent restricted access right to the User’s patient data as the User him/herself has. Only persons who themselves are Users of the Service can be linked to the User’s profile in the Service.

When a User terminates his or her account in the Service, the Controller will remove all information related to the Service that the User has saved personally and also the User's profile in the Service, but information related to other services (such as patient register or feedback and information used for allocation of services) will be transferred to and/or will remain in the Controller’s customer register.

The purpose of the measures described above is to ensure the confidentiality of the Service and the availability and integrity of its data, and the fulfillment of the rights of the Users.

8. Cookies

The Service uses Session Cookies (Cookies that are deleted after the User has closed the Service).

Cookies are small text files that are stored on a User’s computer's browser directory. Cookies enable websites to recognize the internet browser. They can comprise the exchange of information between a User and the Service, a third party acting on behalf of the Controller or a third party in accordance with data protection laws.

Cookies can be used by the Service to collect Users’ data. Users can configure their computers and smartphones to inform them when a Cookie is being sent to them. Furthermore, it is possible to deactivate all cookies. This option can be found in Users’ internet browser settings. If Users deactivate Cookies, they no longer have full access to the wide range of functions that aid their visit to the website. Furthermore, not all Services will function correctly. In the final part of this information on Cookies there are further entries on how a User can administer and deactivate Cookies in their browser.

The legal basis for Cookies is Art. 6 para. 1 f GDPR, whereby the authorization arises from the fact that, on the one hand, we have an interest in evaluating the app data for purposes of app optimization and, on the other hand, the User can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

9. Web Analysis Tools

a. New Relic

Furthermore, the Service uses a plugin of the performance analysis service of New Relic Inc. ("New Relic") which enables us to statistically analyze the speed of the service.

When a User visits a page with his/her browser or the mobile app makes a request to the back-end which contains such a plugin, the back-end builds a direct connection to the servers of New Relic. New Relic collects information like the service request times and possibly the user IP address.

By integrating the plugin, New Relic receives the information that a User has accessed the corresponding page of the website. If the User is logged in at New Relic, New Relic may assign the User's visit to the website to his/her account at New Relic. If a User is not a member of New Relic, there is still the possibility that New Relic will detect and store his/her IP address.

The purpose and scope of data collection and the further processing and use of data by New Relic, as well as the corresponding rights and settings to protect the privacy of Users, can be found in New Relic's privacy policy under: https://newrelic.com/privacy.

If a User is a member of New Relic and does not want New Relic to collect data about them in order to combine them with the member data stored by New Relic, the User must log out of New Relic before visiting the website.

b. Crashlytics

Furthermore, the Service uses a plugin of the crash analysis service Crashlytics which is part of the Fabric platform, a business division of Google Inc. ("Crashlytics") which enables us to detect and log the crashes of the mobile apps.

When a User uses the mobile app and encounters an application crash, the mobile app builds a direct connection to the servers of Crashlytics. The Crashlytics service may collect information which includes, but is not limited to, device state information, unique device identifiers, device hardware and OS information, information relating to how an application functions, and the physical location of a device at the time of a crash.

The purpose and scope of data collection and the further processing and use of data by Crashlytics, as well as the corresponding rights and settings to protect the privacy of Users, can be found in Crashlytics' privacy policy under: https://try.crashlytics.com/terms/privacy-policy.pdf.

The legal basis for Web Analysis Tools is Art. 6 para. 1 f GDPR, whereby the authorization arises from the fact that, on the one hand, we have an interest in evaluating the app data for purposes of app optimization and, on the other hand, the User can reasonably foresee at the time when the personal data is collected and in view of the circumstances under which it is carried out (in particular the above-mentioned measures) that it will possibly be processed for this purpose.

10. Direct Marketing

The Service may contain adverts by the Controller and its partners. The customer cannot prohibit the occurrence of adverts in the Service.

The Controller or its partners may never use the collected data for service-external direct marketing, sales or research purposes.

11. Other Rights of the User Regarding the Processing of Personal Data

a. The User’s Right of Access to the Data (information right)

When logging in to the Service, the User can view most of the data included on him or her in the Service.

The User may at any time request free of charge information about the scope, origin and recipients of the stored data as well as the purpose of the storage. Such an information request must be made in accordance with Section 12 of this data protection description. The right to inspection may be declined on statutory grounds.

b. The User’s Right to Demand Rectification or Erasing of Data or a Restriction on Processing Data

The User can also update his or her basic information contained in the Service. Insofar as the User can act him or herself, after having been informed of an error in the data or having detected such an error him or herself, he or she must, without undue delay, on his or her own initiative, rectify, erase, or supplement the erroneous, unnecessary, incomplete or obsolete personal data or the data contrary to the purpose of the Service.

Insofar as the User cannot rectify, erase, or supplement the data him/herself, the request for rectification, erasure, or supplement shall be made in accordance with Section 12 of this Privacy Policy.

In case of erasing data, the Controller cannot remove the anonymous and non-identifiable data used for statistical and analytical purposes for service improvement stored by the Controller’s data processors.

The User also has the right to demand the Controller to restrict the processing of his or her personal data, for example, in a situation where the User is waiting for the Controller’s response to his or her request to rectify or erase data.

In the case of a data erasure request by the User, some data may be retained due to a legal obligation to maintain patient records or access logs. The data may be removed from the active operational system but stored in the backups and logs until the retention period is over (which may be up to 6 years).

c. The User’s Right to Make a Complaint to the Supervising Authorities

A User has the right to make a complaint to the competent supervising authorities if the Controller has not followed the applicable data-protection regulations in its operations.

d. Other Rights

If the personal data is being processed on the basis of the User’s consent, the User has the right to cancel the consent by notifying the Controller of this in accordance with Section 12 of this data protection description. You may at any time and free of charge object to the data processing, and you may also have a right to data portability.

12. Contacts

In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the User should contact the Controller by email or by post to the addresses mentioned in the Posita app menu under “Contact”.

When required, the Provider can request the User to further define their request in writing, and, if needed, the identity of the User can be authenticated before initiating any other measures.

13. Validity and Timeliness

This Data Protection Description is currently valid and dated as of 18 June 2018.

The Controller reserves the right to amend the Privacy Policy at any time with effect for the future, in particular to adapt it to further development of the Service or the implementation of new technologies.