PRIVACY POLICY

DOCLY UK LTD, 38 BERKELEY SQUARE, LONDON, W1J 5AE, ("Docly", "we" or "us") is a company established in England and Wales, and as such, we comply with applicable data protection legislation in the UK, comprising the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the 'Data Protection Laws'). We believe that personal privacy is important and we take your privacy extremely seriously. This policy shall apply in the situations where we are the controller of your information which means that we are responsible for looking after it. We will use your personal data fairly, lawfully and in a transparent manner, and in accordance with the Data Protection Laws. This privacy policy outlines how we will use, store and share your personal data. We also explain the lawful basis for our processing of personal data and your rights in relation to the personal data we process.

In some circumstances however, Docly acts as a data processor or as a data sub-processor on behalf of a third party, a data controller, like an insurance company, pathology and diagnostics centers or the like ("Service Providers") for the processing of personal data necessary to provide the technical platform and related services. This means that data related directly to your medical- or healthcare consultation is processed by Docly according to the instructions of the Service Provider since it is their privacy policy and not the privacy policy of Docly which applies in relation to the processing of personal data when providing you with medical- and/or healthcare.

SCOPE OF THE PRIVACY POLICY

Please note that this privacy policy relates to the processing of personal data for which Docly is the data controller. This privacy policy applies when you register with us or share your personal data directly or indirectly with Docly when you visit our website at www.docly.uk or use any of our services via mobile and/or tablet application (together, the 'Platform'). This privacy policy applies to your use of the Platform whether you register with us or not, and is supplemental to our Terms of Service at www.docly.uk/tos. Please note that this privacy policy also applies to the personal data of any child for whom you have parental responsibility and to your use of the Platform on their behalf.

You can contact us at privacy@docly.uk or via support at www.docly.uk/support if you have any questions about this policy or generally on how your personal data is processed by us.

PERSONAL DATA THAT IS PROCESSED

Personal data means data from which you may be identified, directly or indirectly, in particular by reference to an identifier such as your name or any user id that we allocate to you. We may process the following types of personal data about you:

  • Contact details ("Account Information") such as name, e-mail address and telephone number which you provide to us on registration.
  • Users' online behaviour including digital behaviour (for example, behaviour within the app, how you use the search functions) ("Digital Behaviour").
  • Technical data (for example, your device's ID and IP address) ("Technical Data").
  • Where applicable, details about your previous and current physical and mental health ("Health Data"), including information in relation to diseases or conditions from which you may be suffering, your physiological or biomedical condition, the health profile provided to us by you or your GP, information stored in your NHS record (including your NHS number), the medical record of your appointment (including any diagnosis or treatment prescribed by the Docly service), and any summary information about your online appointment.

WHY DO WE NEED YOUR INFORMATION?

The main purpose for which we use your personal data is to provide you with our services, connecting you with either your Service Provider via the Docly Platform, or enabling you to receive a medical consultation with one of our own clinicians. We use your personal data:

  • for the purpose of medical diagnosis and treatment plan
  • for the management of a health system
  • to create a patient record detailing the treatment you have received via our service
  • for the continuous provision of your care
  • to manage the relationship with you as a patient
  • to fulfil our contract that we have entered into with your Service Provider who we hold a sub-contract partnership with.
  • to understand your medical history including detailed health information like family health history, past diagnoses, treatment plans, medication, body measurements and test results in order to provide you with safe, effective treatment
  • to develop and improve our services by understanding how you use our platform
  • to notify you about changes to our service
  • to provide you with technical support

SPECIAL CATEGORIES OF PERSONAL DATA

The Data Protection Laws define certain personal data as falling into 'special categories of personal data' such as personal data regarding your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning your health (including mental and physical health), or data concerning your sex life or sexual orientation.

Your Health Data will therefore be classed as "Special category data". As we note above, either you or your provider provides to us the Health Data that we need in order to diagnose and prescribe safe and effective treatment for you. We will only use this personal data for this purpose, and for the purposes of keeping your NHS record up to date, to enable us to improve the service we are able to give you, and to improve the service the NHS is able to provide to both you and other patients.

We will only process such data (in accordance with Data Protection Laws) where it is necessary for the purposes of medical diagnosis, the provision of health care or treatment, the management of our health system, or for scientific research purposes.

We may share your Health Data with your GP practice or your Service Provider we hold a sub-contract partnership with, and with other health care professionals for the reasons above, and where it is needed to protect your vital interests (or someone else's interests) and you are not capable of giving your consent. We may also process Health Data in order to make reasonable adjustments in the provision of our services, or where it is otherwise permitted or required by law.

In addition, we may process other special category personal data to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.

BASIS FOR USING YOUR INFORMATION

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to provide you with the services you have requested (and therefore perform our contract with you).

  • Where we need to comply with a legal obligation.

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those legitimate interests.

We may also use your personal data in the following situations, which are likely to be rare:

  • Where we need to protect your vital interests (or someone else's interests) or

  • Where it is necessary for the performance of a task in the public interest.

There may also be circumstances in which we will only use your personal data with your consent. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will contact you and explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above, where this is required or permitted by law.

Where we need your information to provide the service you have requested

When you register for our service, a contract between you and us will have been entered into. In order for us to fulfil our obligations under this contract and to provide our services to you, we will need to collect and process your Account Information. If you do not provide the personal information we need when you register with us (or if applicable, you later object to our using the personal information or ask us to delete it), we will not be able to provide our service to you.

Where we need your information to comply with a legal obligation

There may be circumstances when it is necessary for us to process your personal information in order to comply with a legal obligation. For example, we may be required by the Equality Act to monitor and ensure equal opportunity, which may mean that we need to collect and process data in relation to disability, or to monitor the diversity of those who use our service.

Our legitimate interests

We use your Account Information (excluding special categories of personal data) as set out in this privacy policy for the legitimate interests of our business to enable us to:

  • conduct marketing activities, e.g. for distribution of newsletters (where you have provided additional consent to such activities);
  • contact you, for example in order to follow up on your user experience; and
  • carry out quality assurance of our systems and services and develop our systems and services.

We process Digital Behaviour information where it is necessary for the purposes of our legitimate interests in improving the Platform, understanding and analysing users' behaviour and improving the user experience.

We process Technical Data where it is necessary for the purposes of our legitimate interests in understanding users, and enabling us to build a profile about you and your interaction with our services.

We have a legitimate interest in processing your personal data in order to provide the service and its benefits to you, and to develop and improve that service. We will process your personal data only so far as is necessary to achieve the purposes outlined in this policy and in a way which we consider does not unreasonably intrude on your privacy.

CONSENT

We may, on occasion, send you marketing messages about other similar services we offer. This is only in circumstances where you have not unsubscribed and where you have purchased similar services from us, or where you have otherwise consented. If you have consented, we may share your details with third parties for marketing purposes. You can opt out of marketing at any time by contacting us via support at www.docly.uk/support.

We may also process your special category personal data in circumstances where you have explicitly consented for us to do so.

You have the right to withdraw your consent to processing of this nature at any time.

We may also ask for your consent to treatment. This is separate to the consent we may ask you to give under the Data Protection Laws. If you are under the age of 16, it may be the case that you are unable to give valid consent. Where applicable, we will make an assessment about this based on the information we receive from your Service Provider.

STORING DATA

Personal data is kept for no longer than necessary in order to fulfil the purpose for which it was collected (including the purpose of fulfilling our legal obligations). If we are processing your personal data on the basis of your consent it will be deleted if you withdraw your consent, unless we are required to retain the information to comply with applicable laws.

To determine the appropriate amount of time for which we will keep your personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where we have to retain your information for a minimum period required by law (such as retaining records for HMRC purposes) we comply with that minimum period plus a period of up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.

In the event that our service ceases to trade, any medical records including all identifiable data would be held for 24 months from the date the service ceases. After this date it will be securely destroyed, provided this is in line with applicable legislation.

Once personal data is no longer needed for the purpose it was collected, we may anonymise the data and retain it for business development research into automated healthcare. Anonymised data can no longer be traced back to you, and we may use such data without further notice to you. Data which has been properly anonymised is not considered to be personal data and is not subject to the Data Protection Laws.

TRACING

In order to enable improvements to our services and your online experience, our software automatically collects information from your computer (or mobile device), your web browser, including your public IP address and domain name, cookie information, hardware properties (e.g. your device's ID), websites you have visited or been referred from, videos and images you have viewed on our website, URLs of the websites' referral traffic and after navigating to our websites, date and time of your visit and your geographical location. The data is collected in order to help us develop a better understanding of behavioural patterns and trends within our services. In order to do so, we use web logs or apps that recognise your computer and gather information about its activity online. We also work together with certain third parties in order to collect and analyse parts of this information.

We use both session and permanent cookies on our websites.

SHARING INFORMATION WITHIN DOCLY, WITH THIRD PARTIES AND TRANSFERS TO THIRD COUNTRIES

We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We employ a clinical team, who are part of Docly. They will need to access your medical records so that we can provide you with services, for example if you have a query or concern about your consultation or treatment, or if the information is needed to assist our Chief Medical Officer with quality assurance. Only those employees of Docly who need access to information in order to do their jobs are allowed access.

Your Service Provider is responsible for maintaining the privacy of your personal information. All Docly clinicians have to demonstrate they have completed training in personal information handling before they can start consulting with our patients.

As noted above, where applicable we also provide information back to your Service Provider we hold a sub-contract partnership with, so that they have a record of what we have done. That personal information will be handled in accordance with your Service Provider policies.

We may also use your information to help other organisations delivering care to provide you with services.

We also need to share information with partner organisations that help administer Docly accounts. For example:

  • Our IT suppliers, including suppliers of data storage services
  • Contractors who provide our telephone services
  • Suppliers of web hosting services
  • Organisations that we use to obtain feedback from patients who have agreed to do this

We have vetted these organisations to ensure that they will deal with your personal data responsibly.

We may also share information with our partner organisations who provide data analysis services, to help improve our services.

Sometimes we need to share information with regulators like the Care Quality Commission, the General Medical Council, NHS Digital, the Information Commissioner's Office and the Health Service Ombudsman.

With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity. We may share information with anyone you have given as an emergency contact, for example your next of kin. You can find out more by contacting us at support@docly.com or 020 3995 4945.

We may share your information with third parties for the purpose of providing the service to you including:

  • Service Providers we hold a sub-contract partnership with and any other referring healthcare organization, from which you receive services via the Platform.

We may disclose your personal data to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or
  • in order to enforce or apply our terms of use and other agreements; for the purposes of fraud protection and credit risk reduction.

Where we share your information with third parties as data controllers they are responsible to you for their use of your personal data and compliance with data protection legislation.

If you object to our sharing or continuing to use your personal data with any specific third party please contact us at privacy@docly.uk.

The following activities are carried out by third-party service providers ("data processors") on our behalf:

  • IT support and maintenance;
  • hosting our website (including analytics);
  • marketing campaigns;
  • carrying out surveys and obtaining feedback on our services;
  • archiving and records management;
  • confidential waste disposal.

All our data processors are required to take appropriate security measures to protect your personal data in line with our policies.

We may share personal data with our data processors for the reasons given above. Some of these data processors may be established outside the European Economic Area (EEA). We ensure that the data processors we work with maintain an adequate security standard. In order to guarantee an adequate security standard, we only transfer information outside the EEA where adequate security measures are in place, such as adopting the EU Standard Contractual Clauses for the transfer of personal data, or (if data is transferred to the USA) by ensuring that the data processor is certified as Privacy Shield compliant.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS

You are entitled to withdraw your consent for the processing of personal data which is based on your consent.

You are entitled to information if we process your personal data, if such personal data is transferred to a third country and, if relevant, who has received your personal data.

You are entitled to have any incorrect information about you corrected. In certain circumstances, including when it is confirmed that we are processing personal data without legal grounds or if the processing is no longer necessary in order to fulfil the purpose, you will be entitled to have the data deleted (the right to be forgotten). If the accuracy of the personal data or the legal basis for data processing is questioned, you can request that data processing be restricted.

You are entitled to object to data processing that takes place on the basis of Docly's legitimate interests. In case of such an objection, we are obliged to show legal grounds for continued processing of the personal data.

You can state at any time that your data may not be used for marketing purposes and we will then cease to process it for such purposes.

You are entitled, in certain circumstances, to receive any of the personal data you have provided to us in a commonly used electronic format, and to request that we transmit this data directly to another controller. You are also entitled to transfer such data to another controller yourself.

We are obliged to conduct our activities in accordance with the principles as set out above in order to ensure that the confidentiality of your personal data is protected and maintained.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

CONTACT US

If you have any questions, want to exercise your rights or need further information about what we do with personal information, we can be contacted by email at privacy@docly.uk.

In order to update, correct or delete data we have about you, exercise your rights according to the above, or to get in touch with our personal data compliance officer, please contact us at privacy@docly.uk.

If you have any concerns regarding our processing of your personal data, or are not satisfied with our handling of any request made by you, or would otherwise like to make a complaint, please contact us at privacy@docly.uk so that we can do our very best to sort out the problem.

You can also contact the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk.

CHANGES TO THIS PRIVACY POLICY

We will take all measures necessary to communicate any changes to this privacy policy to you, and will post any updated privacy policies on this page.

This policy was last reviewed and updated in May 2020.

Please call 111 for urgent medical problems, or 999 for emergencies.

© 2020 Docly is part of Docly Healthcare AB