Privacy Policy
This privacy notice for Upvio (“we”, “us”, or “our”) describes how and why we collect, store, use and share your personal data when you use our software technology and services (together, the “Services”). It also explains your rights in relation to your personal data and how to contact us or supervisory authorities should you have a complaint.
We collect, use and are responsible for certain personal data about you. Upvio is a “controller” of your personal data. This is a legal term, and it means that we make decisions about how and why we use your personal data, and who has access to it. We are responsible for making sure your personal data is used in accordance with data protection laws.
Organisation’s that use, access, store, and transmit your personal data are defined as “processors”. We will therefore be a controller and a processor of your personal data. Anyone we share your personal data with have responsibilities under data protection laws as well as contractual obligations under terms that we will have put in place with them. We are responsible for the secure treatment of your personal data, and that at all times, anyone who accesses it does so in accordance with data protection laws.
When we collect your personal data, we will need to ensure that we comply with the data protection laws that apply in the country in which we provide you with our Services. Details about your rights and the laws that apply to our collection and processing of your personal data are set out in Schedule 1.
In summary…
- We collect and use your personal data strictly in adherence with data protection laws and only in order to provide you with our Services. This can include customer communications, complying with legal obligations, and to improve and monitor the performance of our software, apps, and Services as set out in Schedule 3
- You have a number of rights in relation to your personal data as set out in Schedule 1 under ‘Your rights’
- We comply with data protection laws that apply to the country in which you reside and where we provide our Services as set out in Schedule 1 under ‘Applicable data protection laws’
- We have appointed a data protection officer to monitor compliance of our practices. Please see Schedule 2 ‘Our Data Protection Officer’ for their contract details.
- We may disclose some of your personal data, to third parties in order to provide the Services to you.
- We do not routinely disclose sensitive data, called ‘special category personal data’ to third parties unless it is necessary to provide our Services to you.
- We have measures in place to safeguard your personal data when we transfer it to different parts of the world
- We take steps to minimise the amount of personal data we hold about you and to keep it secure
- We do not intend to collect and process any personal data of any person who is considered a child, and in all circumstances, where a person is under the age of 13 years of age.
- We delete your personal data when we no longer need it, and we have policies in place to govern when that is
- We are happy to answer your questions about any of the above – please send them to [email protected]
Key terms
It would be helpful to start by explaining some key terms used in this policy:
|
Term |
Meaning |
|
We, us, our |
Upvio Healthtech Pty Ltd of Level 8, 905 Hay Street, Perth, WA, 6000, Australia with company number ACN 657 030 192 |
|
Personal data |
Any information relating to an identified or identifiable individual |
|
Special category personal data |
Personal data revealing:
|
|
Data subject |
The individual who the personal data relates to |
Data Protection Officer
We are required to appoint a data protection officer to monitor our compliance with data protection laws in the countries where we collect personal data. We have appointed a data protection officer to ensure that our compliance with country specific data protection laws is maintained.
The details of our appointed data protection officer are set out in Schedule 2.
What types of personal data do we collect and where do we get it from?
We have developed and provide access to healthcare providers throughout the world our software known as Upvio, our software known as FaceVitals, and our mobile app. There may also be other Services we provide that are not listed here but where we do so, the provisions contained within this policy shall apply to our collection and use of your personal data.
We collect, use, store and transfer different kinds of personal data about you which is vital for us to provide you with our Services. For further information about the types of personal data we collect and where we obtain it from, please see Schedule 3.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we will not be able to provide our Services to you.
We will make it clear to you where disclosure of your personal data is optional. The provisions of this Privacy Policy apply when we obtain your personal information from other people or organizations (such as from public sources, or third-party service providers).
If any of the personal information that you have provided to us changes, please inform us by contacting [email protected]
Children’s personal data
Our Services are not intended for children, and we do not knowingly collect personal information relating to children.
If you have provided us with information relating to children, please contact us so that we can review the circumstances of such collection (or processing, as applicable).
How we use your personal data
We will only use your personal data when the law allows us to. We have set out the different purposes for which we process your personal data in Schedule 3 under ‘Legal purpose for processing personal data’.
Where our processing is based on your consent, you can withdraw your consent at any time by contacting [email protected]. Please note that if you do this, it won’t affect any of the processing we have already done prior to the withdrawal of your consent.
We also process certain categories of personal data where we have a lawful legitimate interest for doing so. Legitimate interest processing occurs when we have a business or commercial reason to use your personal data, you’re your interests and fundamental rights do not override those interests.
Special category personal data
We ensure that we comply with the applicable data protection laws within the jurisdiction in which such data is collected. As data protection laws differ country-to-country, we have outlined the specific rules that apply to you below, according to the country in which you receive our Services in Schedule 1. We have also outlined the types of special category personal data we collect in Schedule 3.
Use of the camera on any telecommunications device or mobile telephone
Permission will be requested to use the camera on your device or the device of your patients or the device in which you consume our Services in order to enable the biometric features on our software or app.
You may disable the app’s access to the camera on your device, although that will mean that the biometric features are no longer available.
The personal data we gather by using the camera is collected under your explicit consent, which you have given, by using our biometric features.
You may withdraw your consent at any time, by disabling the camera and also, by contacting [email protected]
You can also request that we do not store or process your biometric data, or request a copy of such by contacting [email protected]
What marketing activities do you carry out?
We do not use personal data of your customers or your end users to carry out any marketing.
If you are one of our business customers, we may use your personal data to send you updates by email, text message, telephone, or post about our Services, including exclusive offers, promotions, or new Services.
We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.
You have the right to opt out of receiving marketing communications at any time by:
- contacting us at [email protected], or
- using the ‘unsubscribe’ link in our emails if one is provided.
We may ask you to confirm or update your marketing preferences if you ask us to provide further Services in the future, or if there are changes in data protection laws or regulation within the country that you reside. We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.
Who we share your personal data with?
We only share personal data in accordance with data protection laws. We do not share special category personal data unless we have a lawful basis for doing so, or where such transfer is permitted under applicable data protection law.
We share personal data with:
- Companies within the Upvio group
- Our professional advisors (such as lawyers or auditors) and in each case, only where such disclosure is subject to the highest level of security and confidentiality
- Third parties we use to help deliver our Services to you, such as healthcare providers and hospitals that provide Services to you
- Law enforcement agencies, courts, tribunals, and regulatory bodies where we are compelled to do so to comply with our legal and regulatory obligations
- Our bank, insurers, and brokers, but only where it is absolutely necessary and required in order for us to continue providing Services to you
We will not share your personal data with organizations unless we are satisfied they take appropriate measures to protect your personal data. We impose contractual obligations (including standard contractual clauses or clauses designated by jurisdictional supervisory authorities) on organizations to ensure they protect your personal data. We will not share your personal data with any other third party who has not signed an agreement with us to protect your personal data.
Who we share your personal data with—in more detail
In providing the Services to you, we may share your personal data with the following who are subject to strict contractual obligations to ensure confidentiality and security:
- Amazon Web Services 410 Terry Avenue North, Seattle, WA 98109-5210, USA
- Heroku, 415 Mission Street, Suite 300, San Francisco, CA 94105, USA
- Cloudflare, 101 Townsend St, San Francisco USA
- Tawk.to Inc., 187 East Warm Springs Rd, SB298 Las Vegas, NV, 89119, USA
- Matomo, 150 Willis, Wellington, 6011, New Zealand
- InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand
- Auth0 (Okta, Inc.), 10800 NE 8th St, Bellevue, USA
- Google Inc., 1600 Amphitheatre Parkway in Mountain View, California, USA
- Stripe Inc., 354 Oyster Point Blvd South San Francisco, CA 94080, USA
- Hotjar Ltd, Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta
- Plivo, 601 S Congress Ave, Austin, USA
- Mailgun Technologies Inc., 112 E Pecan St. #1135 San Antonio Texas 78205 USA
- Bugsnag, 110 Sutter St, Suite 1000. San Francisco, CA 94104 USA
- Mongo DB, Paramount Plaza, 1633 Broadway 38th Floor, New York, USA
- Pipedrive Ireland Limited, 4th Floor, 7/8 Wilton Terrace, Dublin, Ireland
- Webflow, 398 11th Street, Floor 2, San Francisco, CA 94103, USA
- Papertrai Inc., 625 Broadway Suite 20-4242, Seattle, USA
- Advanced Health Intelligence Limited, 71-73 South Perth Esplanade Unit 5 South Perth, Western Australia 6151
Where do we hold or store your personal data?
Your personal data is securely held at our dedicated Amazon Web Services (AWS) data servers, which are located in the USA or, subject to our prior agreement, in a location according to your preference.
Storage for EU and UK data subjects
The transfer and storage of your personal data on AWS servers in the USA is compliant with both EU GDPR and UK GDPR following the European Commission adequacy decision published on 10th July 2023 and the UK-US data bridge effective from 12th October 2023. These decisions deem the USA as an adequate jurisdiction and therefore are permitted under Art.45 EU GDPR and UK GDPR following the enactment of Executive Order 14086 implementing the USA Data Privacy Framework. AWS are certified under the Data Privacy Framework which is a requirement for us to transfer and store personal data on AWS servers in the USA, in compliance with EU GDPR and UK GDPR standards (UK Extension to the EU.US. Data Privacy Framework).
How long will we keep your personal data?
We do not keep your personal data for longer than we need it for the purpose for which it is used.
Different retention periods apply for different types of personal data. For further information about the periods we retain your personal data, please see our Retention Policy.
Following the end of the of the relevant retention period, we will securely delete or anonymise your personal data.
Where in the world is your personal data transferred to?
We do not routinely transfer your personal data to anyone else once we have collected it unless it is necessary for us to provide our Services to you. In such circumstances, we transfer your personal data to recipients that are established in countries other than your own.
If you reside in the EU or the UK and it is necessary to transfer your personal data outside of the EU or the UK, we will not make the disclosure unless the following apply:
- The country to which the personal data is to be transferred ensures an adequate level of protection of your personal data
- We have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient alongside any additional documents (such as standard contractual clauses, international data transfer agreement, or an addendum, as applicable)
- The transfer is necessary for one of the reasons specified under data protection laws that apply, such as the performance of a contract between us and you
- You explicitly consent to the transfer.
A list of the organizations that we disclose personal data to in order to provide our Services is set out in the section ‘Who we share your personal data with—in more detail’ above.
If you would like further information about data transferred outside of the country we provided our Services to you, please contact us at [email protected]
What are your rights and how can you exercise them?
We have set out your rights in Schedule 1 under ‘Your rights’. You have these rights, and they apply as soon as we collect any of your personal information. Should you wish to exercise any of your rights, please contact us at [email protected]
How do we keep your personal data secure?
We have appropriate security measures in place to prevent personal data from being used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it and apply encryption to any special category personal data. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected or actual data security breach. In certain circumstances, we will notify you and any applicable regulator of a suspected or actual data security breach where we are legally required to do so.
How to raise a complaint
Please contact us if you have any queries or concerns about our use of your personal data.
You have the right to lodge a complaint with the supervisory authority responsible for the protection of personal data according to where you reside:
- Australia: Office of the Australian Information Commissioner (OAIC)
- United States: The relevant authority depends on the state in which you reside. Please contact us should you be unsure which data protection authority applies to you.
- United Kingdom: The Information Commissioner's Office (ICO)
- European Union: The relevant data protection authorities in each EU member state, with the lead authority being the one in the country where the main establishment of the data controller is located. The European Data Protection Board have oversight of each authority. Please contact us should you be unsure which data protection authority applies to you.
- New Zealand: Office of the Privacy Commissioner
- Singapore: Personal Data Protection Commission (PDPC)
Updates to this privacy notice
We may update this privacy notice from time to time to reflect changes to our processes, procedures, and categories of personal data. When we make material changes we will update you via email and we will publish revised versions of this notice on our website https://upvio.com
Do you need extra help?
If you would like this notice in another format (for example audio, large print, braille) please contact us at [email protected].
SCHEDULE 1
Applicable data protection laws
The below table outlines the data protection laws that apply according to the country in which you reside, and includes any successor legislation, and all other legislation and regulatory requirements in force from time to time in your country.
|
The country in which you reside |
Applicable data protection laws |
|
Australia |
|
|
New Zealand |
|
|
United States |
|
|
European Union* |
|
|
United Kingdom |
|
|
Singapore |
|
|
Rest of the world |
|
*consisting of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxemburg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Your rights
If you would like to exercise any of the rights applicable to you as set out in the table below, please contract [email protected]. Please note that your rights may be subject to limitations and conditions, as set out in the data protection laws within your jurisdiction.
|
The country in which you reside |
Your rights |
|
Australia |
|
|
New Zealand |
|
|
United States |
|
|
European Union* |
|
|
United Kingdom |
|
|
Singapore |
|
|
Rest of the world |
Your rights may differ depending on the country in which you reside, and we will abide by the rights afforded to you in your country under applicable data protection law. |
SCHEDULE 2
Our Data Protection Officer
We are required under data protection laws to appoint a Data Protection Office. We have set out the details of our nominated Data Protection Officer in the table below.
|
Data Protection Officer |
|
|
Name |
Marc Qualie |
|
Address |
Level 8, 905 Hay Street, Perth, WA, 6000, Australia |
|
Email address |
|
SCHEDULE 3
Categories of personal data
The types of personal data we collect depend on the specific Services we provide and your role. If you are a user of our FaceVitals product, a patient, a practitioner, or represent a healthcare provider who is one of our customers, we now store your personal data. In all other circumstances, we may collect some of the following information from you when you use our Services. The table below outlines the categories of personal data we may collect and the sources from which we obtain your personal data.
|
Types of personal data |
Where/Who we collect it from |
|
Your contact details, including:
|
|
|
Personal information, including:
|
|
|
Identity information, including:
|
|
|
Sensitive personal information (also known as special categories of personal data), including:
|
|
|
System and Platform usage and communication information, including:
|
|
|
Information collected during the administration activities of our business, including:
|
|
Legal basis for personal data processing
The table below delineates the legal foundation that permits us to process your personal data. While not all countries where we collect personal data adhere to the same legal standards, we uphold the highest possible safeguards to protect your data. Rest assured that whenever we process your personal data, we do so with a legitimate basis.
|
Purpose/Activity |
Lawful basis |
||||
|
Consent provided by you |
Necessary to perform a contract between us |
Necessary to comply with our legal obligations |
Necessary to protect your vital interests |
Necessary to comply with our legitimate interests or those of a third party |
|
|
Providing Services to you |
✔ (where your consent is required) |
|
✔ |
|
✔ |
|
To share your personal data with third parties where the sharing is required in order to provide the Services to you |
✔ (where your consent is required) |
|
|
|
✔ |
|
Conducting checks to identify you and verify your identity Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business |
|
|
✔ |
|
✔ |
|
To enforce legal rights or defend or partake in legal proceedings, including to respond to a request from any government body or regulator |
|
|
✔ |
|
✔ |
|
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies and our professional advisers |
|
|
✔ |
|
|
|
Ensuring business policies are adhered to, e.g., policies covering security and internet use |
|
|
|
|
✔ |
|
Operational reasons, such as maintaining records, improving efficiency, training, quality control and managing our staff |
|
|
|
|
✔ |
|
Ensuring the confidentiality of sensitive information |
✔ |
|
✔ |
|
✔ |
|
Statistical analysis to help us manage our business, e.g., in relation to the provision of mediation Services to our clients |
✔ |
|
|
|
✔ |
|
Preventing unauthorised access and modifications to systems |
|
|
✔ |
|
✔ |
|
Protecting the security of systems and data used to provide the Services |
|
|
✔ |
|
✔ |
|
Updating and enhancing your records |
|
|
|
|
|
|
Statutory returns |
|
|
✔ |
|
|
|
Ensuring safe working practices, staff administration and assessments |
|
|
✔ |
|
|
|
Preventing and detecting fraud against you or us
|
|
|
✔ |
|
✔ |
|
Collection, processing, storage, and transfer of any special category personal data |
✔ |
|
|
|
|
SCHEDULE 4
California Consumer Privacy Act of 2018 (‘CCPA’) Privacy Notice
The CCPA defines a "resident" as:
- every individual who is in the State of California for other than a temporary or transitory purpose, and
- every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose.
All other individuals are defined as "non-residents.”
If this definition of "resident" applies to you, we will adhere to the rights and obligations that you are provided under the CCPA regarding your personal data.
Verification Process for Individual Rights Requests
We have reasonable methods in place for verifying rights requests for individuals who choose to exercise these rights, such as a request to know or delete their personal data.
The process described here applies to our role as a business, not as a service provider to our customers. We are unable to respond to requests in our role as a service provider to our customers. We encourage you to submit any such requests directly to the business with whom you interact or have a direct relationship with to use our Services.
For requests we receive as a business, we will match the identifying information provided by you to the personal information we already maintain to verify your identity. At minimum, we will ask for your name, email address, country, and state or province.
When verifying requests, our verification standards vary depending on the sensitivity of the request. If we cannot verify your identity, we may deny your request. In some cases, we may require additional information, in which case we will contact you.
If you are an authorized agent making a request to know or delete, we also require you to email [email protected] to:
- provide us with a copy of your written authorization to confirm your right to make the request and direct the requesting individual to verify their identity directly with us or, if applicable
- provide a copy of your power of attorney to exercise these rights on behalf of another.