Book a demo
Demo

Privacy Policy and Notice

(Abi Global Health Limited)

Data Protection and Privacy Policy and Notice

 

Version Number: 1.2
Creation Date: August, 2020
Revision Date: August, 2020
Notice Owner: Abi Global Health Limited

 

Identity of the Data Controller and Contact Details

“Data controllers” are the people who or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, that make independent decisions in relation to the Personal Data and/or otherwise control that Personal Data. 

For the purposes of the GDPR, Abi Global Health Limited [The Organisation] is the data controller with regard to the Personal Data described in this Privacy Policy and Notice.  The Organisation is based in Ireland and is a telemedicine service provider. 

Our Data Protection Coordinator can be contacted as follows:- 

Email: privacy@abi.ai

 

Purpose and Scope

The purpose of this document is to provide you as our data subject with a statement regarding our Data Protection and Privacy practices and obligations and an explanation of your rights as a data subject. This Data Protection and Privacy Policy and Notice applies to the services provided by Abi Global Health Limited (“Abi”) as a telemedicine service which is accessible from https://abi.ai, its sub-domains. This Data Protection and Privacy Policy and Notice sets out what Personal Data we process about you when you make use of Abi as a service. We are not responsible for the content or the data protection and privacy notices for any websites to which we provide external links.

 

Laws that apply to us: 

State and/or Country of Incorporation Applicable Law
Ireland
  • General Data Protection Regulation (EU Regulation 679/2016) 
  • Irish Data Protection Acts 1998 to 2018
  • Regulations flowing from DPA 2018

 

 

 

Updates

Our practices as described here now may be changed, but any changes will be posted, and changes will only apply to activities and personal data on a going forward, not retroactive basis. You are encouraged to review this Privacy Policy and Notice periodically to make sure that you understand how any personal data you provide will be used. We may also email you to let you know if and when we update this Privacy Policy and Notice to ensure you are informed. 

Any changes to this Privacy Policy and Notice will be posted on this website so you are always aware of what personal data we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use Personal Data in a manner significantly different from that stated in this Privacy Policy and Notice, or otherwise disclosed to you at the time it was collected, we will notify you by email, and you will have a choice as to whether or not we use your personal data in the new manner.

 

Why and how do we ensure compliance?

Data Protection and Privacy Laws provides rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data. 

Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal data. 

We need to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable Data Protection and Privacy Laws, and that we have in fact complied with the laws. We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules. We also have certain obligations in relation to keeping records about our data processing.

 

Who must comply?

All our representatives, which include directors, employees and contractors, are required to comply with our Data Protection and Privacy Policy which inform this Privacy Policy and Notice when they process Personal Data on our behalf.

 

What are the Data Protection principles and rules?

We aim to comply with the following principles found in Data Protection Law:

Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.

Purpose Limitation. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.

Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.

Retention – Personal data should be kept in an identifiable format for no longer than is necessary.

Integrity and confidentiality – Personal data should be kept secure.

Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.

 

What types of personal data will we process?

Categories of Personal Data 

 

Category of Data Subject Regular Personal Data Special Category Data (SCD) 
End Users (Beneficiaries) Name and surname, phone number, email address, age or date of birth, gender, country of residence, language preference. Health related data, including the possibility of sexual orientation and sex life. Possible transfer of digital media.

 

Children’s Personal Data

You must be at least 18 years old to create an account and engage in activities and transactions on our digital and social media. As our service is not aimed at children, if we are notified or learn that a child has submitted Personal Data to us through our application or digital or social media without the correct permissions or consents, we will delete such Personal Data. If you would like to make use of our services and you are not yet 18 years old, we require that an adult be present when you register, if registration is required. Where consent is required to process your Personal Data as a child, we will obtain that consent from the adult who is authorised to give the consent on your behalf. By creating an account or engaging in activities or transactions on our digital and social media, you affirm that you are at least 18 years old and are fully able to enter into and comply with our regular Terms of Use and this Data Protection and Privacy Policy and Notice.

 

Who has access to or processes personal data?

Directors and Employees of the Business

Directors and employees of the Organisation who are bound by confidentiality agreements will process personal data on behalf of the business.

Service Providers

We may use trusted service providers who could be considered recipients of personal data and may be classes as data processors, sub-processors or third parties. We need to have written agreements in place with all of our data processors and, before we sign each agreement, we need to have vetted and be satisfied with the processor’s data security. The agreements also need to contain specific clauses that deal with data protection.  We require all third parties to have appropriate technical and operational security measures in place to protect your Personal Data, in line with Irish and EU laws on data protection. Service providers will have access to only the personal data needed to perform functions required of them and may not use it for any other purpose. 

We use the following categories of third party service providers including data processors in the course of our business:

  • Cloud Web and App Hosting Services
  • Corporate Communications Platforms
  • Approved Doctors
  • Secure Chat Channels
  • Nature Language Processing and Machine Translation Platforms
  • Professional Service Providers such as Lawyers, Solicitors and Accountants
  • Financial Transaction Providers
  • Telecoms Service and Carrier Providers

This list may be updated from time to time so for an updated list of third parties you should check this Privacy Policy and Notice periodically.

We may pass on your details if we are under a duty to disclose or share a Data Subject’s Personal Data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes reporting information about incidents (as appropriate) to the law enforcement authorities and responding to any requirements from law enforcement authorities to provide information and/or Personal Data to them for the purposes of them detecting, investigating and/or prosecuting offences or in connection with crime sentencing.

Where does your data travel to?

Depending on your choice of cookies, there may be one or more cookies that transfer data to the USA served from Google Analytics - these are ¨aggregation¨ cookies. This activity involves Google, which has demonstrated its compliance with GDPR data transfer requirements.

International Transfers

If we transfer your Personal Data out of the EEA, we ensure an adequate degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

  1. We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. 

  2. Where we use certain service providers, we may use specific contracts approved by the European Commission which give Personal Data the same protection it has in Europe. 
  3. Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Data Privacy Framework which requires them to provide similar protection to Personal Data shared between Europe and the US.

Please contact us for further details of any intended transfers to a third country (non-EU member state) or international organisation and details of adequacy decisions and safeguards.

 

Automated Decision Making and Profiling

Automated Decision Making refers to a decision which is taken solely on the basis of automated processing of your personal data. This means processing using, for example, software code or an algorithm, which does not require human intervention.  As Profiling uses automated processing, it is sometimes connected with automated decision making. Not all profiling results in automated decision making, but it can do. 

Besides the natural language processing currently implemented in Abi to highlight possible emergency situations and prioritise or assign queries, which may be construed to be profiling, we do not use automated decision making or individual profiling in our normal course of business. 

 

Security

We follow strict security procedures in the storage and disclosure of your Personal Data, and to protect it against accidental loss, destruction or damage. We take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. The data you provide to us is protected using modern encryption, intrusion prevention, and account access techniques. We have put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. We maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows: 

Confidentiality means that only people who are authorised to use the data can access it. 

Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed. 

Availability means that authorised users should be able to access the data if they need it for authorised purposes.

 

Data Retention

We have a documented data retention schedule. Generally, we will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for. As a user of Abi, we will keep your personal data while you are registered and use the services, and, once you have unsubscribed, for 10 years, except where the legal obligation of data retention requires a longer period.

We may also retain your personal data during the period of time needed to complete our legitimate business operations, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

Marketing

We may use your Personal Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising.  Where appropriate, you will be asked whether you wish to receive any marketing communications from us. 

We will not share your Personal Data with any third party for marketing purposes. You may object to direct marketing by using the contact details herein to opt-out or make use of the opt-out links on communications.

 

Cookies and Other Technical Personal Data

Cookies

Cookies are small text files that are transferred to your computer’s hard drive through your web browser to enable us to recognise your browser and help us to track visitors to our site. Most web browsers automatically accept cookies, but, if you wish, you can set your browser to prevent it from accepting cookies. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. 

Technical Personal Data

Like most websites, we gather statistical and other analytical information collected on an aggregate basis of all visitors to our website. We may gather technical information for security reasons. We will make no attempt to identify individual visitors, or to associate the technical details listed below with any individual. We will only use the technical information for statistical and other administrative purposes. 

We may collect this technical information from you when you visit our website and accept cookies. This information may include standard information from you (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on our website (such as the web pages viewed and links clicked). We do note that your IP address is considered personal data under the GDPR. 

Certain information in relation to web usage is revealed via our internet service provider who records some of the following data. Whilst we do not access this information regularly, the technical information may be used to inform our security measures, to allow us improve the information we are supplying to our users, to find out how many people are visiting our sites and for statistical purposes. The information we receive depends upon what you do when visiting our site: 

  • The IP address you are using. 
  • The date and time you access our site. 
  • The pages you have accessed and the documents downloaded. 
  • The previous Internet address from which you linked directly to our site.
  • The user agent used to access our site.

 

 

Sale of Business

Situations may arise where it is necessary to transfer information (including your Personal Data) to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of our organisation provided that the third party agrees to adhere to the terms of the Privacy Policy and Notice and provided that the third party only uses your Personal Data for the purposes that you provided it to us. The Personal Data transferred will be limited to that which is absolutely necessary. You will be notified in the event of any such transfer and you will be afforded an opportunity to opt-out.

 

Information on Consent

By consenting, where this is the appropriate grounds, to our processing your Personal Data in line with this Privacy Policy and Notice you are giving us permission to process your Personal Data specifically for the purposes identified. 

You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Coordinator using the contact details set out below. 

Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.

 

Details of data processing activities

 

In order to attend and answer your questions, Abi has a team of health professionals available. Your queries, once pseudonymised, will be referred to these professionals who, as soon as possible, will attend and resolve your query, as far as possible.

Should you engage in contact by telephone with Abi or one of our health professionals, the conversation will be recorded for security reasons, for compliance reasons and to guarantee the quality of the service provided.

Abi recommends you to not provide data in any queries that allows you to be identified (for example, name and surname, attached images where you can be identified) to protect your identity and privacy.

We have captured our data processing activities in a general manner below. For specific details, please contact us and we will identify actual processing that occurs over your personal data and the lawful basis we rely on for such processing.

Categories of Data Purpose/Activity Possible Lawful Basis for Processing
Name and Contact Details To manage our relationship with you as a contracted doctor.
  1. Performance of a contract with you

    2. Necessary to comply with our legal obligation

Name and surname, Phone Number, Email Address, Age or Date of Birth, Country of Residence and Language Preference.

Health related data, including the possibility of sexual orientation and sex life. Possible transfer of digital media.
Using Abi.
  1. Performance of a contract with you
  2. Necessary to comply with our legal obligation
  3. Processing is based on Article 9(2)(h) of the GDPR
  4. Explicit consent
Name and Contact Details Notifying you about changes to our terms or this policy. Necessary to comply with our legal obligation
Name and Contact Details Asking you to leave a review or take a survey. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
Name and Contact Details; IP Address To administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
  1. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  2. Necessary to comply with a legal obligation
IP Address To use data analytics to improve our website, products/services, marketing, customer and investor relationships and experiences. Necessary for our legitimate interest (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
Name and Contact Details To respond to your enquiry, feedback or complaint.
  1. Necessary to comply with a legal obligation
  2. Performance of a contract with you

 

What rights do you have?

Under certain circumstances, by law you have the right to:

 

  • Request information about whether we hold personal data about you, and, if so, what that personal data is and why we are holding/using it. 
  • Request access to your personal data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected. 
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). 
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes. 
  • Object to automated decision-making including profiling where there may be a significant legal effect upon you.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. 
  • Request transfer of your personal data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

 

How do you exercise your rights?

We have appointed a Data Protection Coordinator to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection and Privacy Team. 

Data subjects must make a formal request for Personal Data we hold about them or otherwise to exercise their data protections rights whether to make an access request or otherwise by contacting our Data Protection and Privacy Team who will respond to the request within 30 days. 

We are obliged to comply with exceptions to your requests where laid out in law. Such exceptions relate to health data, disclosures that would be likely to cause serious harm to your physical or mental health or emotional condition and opinions given in confidence. 

Our Data Protection Coordinator can be contacted as follows:- 

Email: privacy@abi.ai

 

Your Right to Lodge a Complaint 

You as the Data Subject have the right to complain at any time to a data protection supervisory authority in relation to any issues related to our processing of your Personal Data. As our organisation is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner. 

You can contact the Data Protection Commissioner as follows: 

Website: www.dataprotection.ie 

Phone: +353 57 8684800 or +353 (0)761 104 800 

Email: info@dataprotection.ie 

Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland

 

Privacy Policy and Notice Approval

This Privacy Policy and Notice has been approved and authorised by:

NAME: Victor Vicens

POSITION: Chief Medical Officer

DATE: 18/12/2020

SIGNATURE:
Victor Vicens
NOTICE IMPLEMENTATION DATE: February 16, 2021