Privacy Notice - Collecting feedback from users

What is a Privacy Notice?

A Privacy Notice is a document that explains to people how their personal data will be used and protected.

Who are we and what do we do?

Healthy.io (UK) Limited, a company registered in the UK (Companies House registration number: 10996079), together with its parent company, affiliates, and/or related companies (“Healthy”, “Healthy.io”, “we”, “our” or “us”), prioritises the safe processing and proper use of personal data. Our data practices are properly communicated to our service users and our potential service users.

Healthy.io are a global company and comply with all applicable laws. For the purposes of the UK GDPR and EU GDPR:

  • If you are a UK citizen: Healthy.io (UK) Limited has been designated as Healthy.io’s representative in the United Kingdom for data protection matters, in line with Article 27 of the UK GDPR.
  • If you are an EU citizen: We have appointed Maetzler Rechtsanwalts GmbH & Co KG (Prighter) as Healthy’s representative in the European Union for data protection matters pursuant to Article 27 of the EU GDPR.

Please refer to section “how can you contact our Data Protection Officer?” for our Data Protection Officer’s contact details.

This Privacy Notice describes how we collect, store, use and disclose personal data relating to any individual (“user(s)” or “you”) in relation to following up with service users about the Healthy.io services.

You can find out more about our mission, to deliver healthcare at the speed of life, on the About Us page of our website.

Healthy.io has four services that are supported by mobile apps:

  • Minuteful 10
  • Minuteful for Wound
  • Minuteful Kidney
  • Minuteful UTI

You can find out more about the way each of these services and apps process your personal data by reading their individual Privacy Notices.

What is the purpose and legal basis for processing your data?

When we collect feedback from service users about our products, we use personal data.

Please see below for an outline of the personal data processed, purpose and legal basis for processing.

What personal data items are obtained?

  • Name, age, location, contact details (phone number and email), your feedback about Healthy.io products and services.

Is special category data processed?

  • For this purpose, we do not directly process special category data but as a result of providing feedback about our products or services, processing of special category data may be indirectly implied.

What is the purpose of the processing?

  • To collect feedback about our products and services.
  • To contact you to collect further feedback.
  • Market research.
  • Written review which may contain personal data relating to you (such as your name), including personal data that may be considered sensitive personal data (such as the fact you used a Healthy.io product or service).

What is the lawful basis under the UK General Data Protection Regulation (GDPR)?

  • Personal data: Article 6, 1 (a) Consent
  • Special category data: Article 9, 2 (a) Explicit consent

Explicit consent may be obtained by signing a document (electronically or manually), ticking a consent box, or verbally when we speak with you. We keep a record of consent as required by law and in line with the Information Commissioner’s Office guidance.

Who is the Data Controller?

A Data Controller determines the purposes for which and the means by which personal data is processed.

For the purposes of this processing, which is to collect feedback from service users about our services, Healthy.io is the Data Controller.

We are registered with the Information Commissioner’s Office (ICO); our Data Protection registration reference is ZA289700.

How do we obtain your personal data?

We obtain your personal data when you interact with one of our products or services. We may also collect personal data when we contact you to collect feedback about our services.

The personal data collected is stored separately from the product database. Only authorised staff access the product database. When you give consent to participate in the collecting of feedback, staff with authorised access to the product database will share your personal data items outlined in the section “What is the purpose and legal basis for processing your data?” with staff who are involved in collecting feedback.

Sharing with other organisations

When you grant permission to share the feedback you have given, we will share it along with personal information such as your name, age and location. We will never share your personal information with any third parties for other purposes, such as companies that conduct direct marketing.

We use third-party Data Processors to provide elements of services (such as data hosting). We have contracts in place with our Data Processors which ensure appropriate use of your data.

Your personal data may be shared between Healthy.io’s group companies in the UK and Israel, provided that such transfer complies with applicable Data Protection Legislation.

In some circumstances we are legally obliged to share information. If we do need to share personal data with other statutory organisations, we do this in line with the Data Protection Act 2018, the UK GDPR and relevant legislation or court order and we share the minimum amount of information required.

Do we process personal data outside the UK?

We work with trusted Processors to deliver our products and services. The Processors that we use are:

Name: Google

  • Relationship to Healthy.io: Data Processor
  • Purpose of processing: Hosting, Storage, Database, Networking
  • Type of data: Personal data
  • Location of processing: UK and EU
  • Safeguards: Data Processing Agreement. More information on safeguards is provided in section "how do we protect your information?" further down.

Name: Healthy.io Ltd.

  • Relationship to Healthy.io: Data Processor
  • Purpose of processing: Support
  • Type of data: Personal data
  • Location of processing: *Israel
  • Safeguards: UK Adequacy Regulation. More information on safeguards is provided in section "how do we protect your information?" further down.

*Healthy.io (UK) Limited’s parent company, Healthy.io Ltd., is headquartered in Israel. Israel is amongst a few countries or territories covered by UK “adequacy regulations”, which set out in law that the legal framework in that country, territory, sector or international organisation has been assessed as providing ‘adequate’ protection for individuals’ rights and freedoms for their personal data.

How long will we keep your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for and in line with our Data Retention, Archiving, Destruction and Restitution Policy.

To determine the appropriate retention period for personal data, we have considered the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For the purpose of this processing, your data may be kept until you withdraw consent.

When personal data is no longer required, we delete or anonymise data in line with Data Protection Legislation.

How do we protect your information?

In order to protect your personal data, we and our Processors use all reasonable industry-standard physical, procedural and electronic security measures (such as access control, secure servers, firewalls, internal policies, encryption, database backup etc.). We cannot and do not guarantee the absolute safety of any Personal Data stored with us or with any third party.

We are committed to complying with information security industry standards such as:

  • Data Security and Protection Toolkit (DSPT): Reference 8KC08
  • ISO 27001
  • Cyber Essentials

More information about information security can be found on the Trust Centre webpage of our website.

Your rights, including your right to object and to withdraw consent

The below summary is intended as a general guide to show the individual rights that are available in line with the UK GDPR lawful basis for the data processing (in this case the lawful basis is consent). The specific circumstances may affect the scope of your rights.

Your right of access

  • You have the right to ask us for copies of your personal information. This right always applies.

Your right to rectification

  • You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

  • You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

  • You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing and withdraw consent

  • As the lawful basis used for this processing is consent, the right to object does not apply. However, you should be aware that you have the right to withdraw consent and, if you withdraw your consent, we will stop processing (using) your data for the purpose outlined in this Privacy Notice.

Your right to data portability

  • This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.

Do we carry out automated decision making or profiling?

  • We do not carry out automated decision making or profiling in relation to collecting feedback from service users about our services.

You can contact Healthy.io’s Data Protection Officer regarding your rights: [email protected].

How can you contact our Data Protection Officer?

If you have any questions or queries regarding our Privacy Notice, or if you have any concerns regarding your personal data processed by us, please contact Healthy.io’s Data Protection Officer at [email protected].

How can you make a complaint?

You have a right to make a complaint if you are unhappy about how we process your personal data.

Please note that the Information Commissioner's Office (ICO) will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the ICO website (link below) for further advice.

To raise a concern with Healthy.io please contact [email protected].

If you remain dissatisfied, you may wish to contact the ICO:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

  • Telephone: 0303 123 1113