Privacy Policy

Last modified: 20 November 2023

The Clinician is committed to respecting and protecting the privacy of the individuals and organisations who use our services. The Clinician (‘we’, ‘us’ or ‘our’) means The Clinician Holdings Limited and its wholly owned subsidiaries. 

The purpose of this Privacy Policy (the ‘Policy’) is to inform you how information may be collected from you and how it may be used and protected by us. This Policy applies across all websites we own or operate and all services we provide, including the websites and apps we offer, which for the purposes of this Policy will collectively be referred to as our ‘Services’. Accordingly, this Policy is intended for all users of our Services, including our customers and the affiliates of our customers (such as our customers’ employees and patients). However, this in no way means we are responsible for the privacy or data security practices of our customers and how they use our Services.

We keep our privacy notice under regular review to ensure it is up to date and accurate.

By using any of our Services you agree to this Policy. If you do not agree, you may not and should not use our Services.


Definitions

Personally Identifiable Information (PII): information which relates to an individual who is identifiable or reasonably identifiable from that information alone or with other information that is either present or accessible by us. 

Personal Health Information (PHI): health information pertaining to individuals comprising identifiable and sensitive data. 

Aggregate data: a dataset containing multiple records from the same or different individuals, which can be personally identifiable, deidentified or anonymised.

Deidentified data: a dataset stripped of personally identifying identifiers (e.g. national identifiers, insurance numbers etc.) and data elements (e.g. date of birth, address, email, phone numbers etc.) which can be used to re-identify individuals. However, a mapping exists elsewhere to match records to such identifying information, so re-identification is possible.

Anonymised data: the same as deidentified data except that no mapping exists, so it is not possible to re-identify individuals using reasonable computing resources, know-how and availability of additional data which can be linked.

Derived data: data and information that is derived from your, or any of our clients’ use of our Services (in combination with similar data and information obtained from any of our other clients) and is anonymised and aggregated so that the identity of any client or patient cannot be ascertained from any disclosure by any third party.

How we collect your information

The ways in which we collect your personal information can be broadly grouped into:

Information we collect directly from you

When accessing and using areas of our Services, we may ask you to provide personally identifiable information, for example when you register for a free demo, subscribe to our Services, contact us with questions or request support. This PII may include, but is not limited to:

  • Name

  • Contact information (including email address and phone numbers)

  • Position (i.e. if acting on behalf of a company, your role at this company)

  • Billing and purchase information 

If you are accessing our Services through one of our customers (such as your health provider), we may collect identifiable personal health information from you which may relate to any of the following:

  • your past, present or future physical or mental condition;

  • your past, present or future experience of healthcare treatment; or

  • your past, present or future payment for healthcare treatment.

We collect and use this information only for the purposes of providing the Services requested by our customers (i.e. your health provider). As part of these Services we may share the PHI you provide us with your health provider; this may be as personally identifiable or deidentified analytics and reports.

You are not required to provide us with any of your personal information, but doing so may mean we cannot provide you with all or some of our Services.

Information we collect automatically 

We collect some information from you automatically when you access and use our Services. This information may be collected through cookies, log files, audit logs and other tracking technologies and may include details of your visits and use of our Services (e.g. timezone, preferred languages) and details regarding the device you use to access our Services (e.g. browser type, IP address). 

We collect this information to help us understand how our Services are used by you so that we can continue optimising those Services to better cater to you.

You may opt out from the collection of cookies by managing your cookie settings on your web browser; however, doing so may impact the functionality of our Services.

Information we collect from other sources

If you are an affiliate of one of our customers (i.e. a patient or employee) we may collect your personal data from that customer at their discretion. We collect and use this data only to facilitate the provision of the Services our customer has requested. By providing us your personal data, our customers represent they have the authority to do so, and where required have obtained your necessary consent, and acknowledge that it may be used in accordance with this Privacy Statement.

How we use your information

We use your personal data for the purpose of operating, improving and providing you our Services. Depending on how you access or use our Services, this may include the following:

Provision of Services: to enable you to access and use our Services, including the various applications provided through our ZEDOC Platform. For example, this may include:

  • user registration emails/SMS for setting up accounts

  • survey invite links sent via SMS/email to patients
Communication: this may include,

  • providing you with information regarding our Services, such as instruction manuals or any updates to our Services (including security updates)

  • operational communications, such as informing you of changes to our terms, conditions, or policies, and other administrative information

  • marketing communications relating to ZEDOC or other The Clinician or third-party products or services we think you may be interested in

Analysis and reporting: we may use deidentified personal data of you and other users of our Services (whether obtained directly or from third parties, including our customers) in analysis, to produce aggregated and anonymised analytics and reports, which we may share with our customers. If you are a patient of one of our customers, we may also use your deidentified personal data to produce personally identifiable analytics and reports which will only be shared with our customers with limited access at their discretion (i.e. to your care team or other authorised users).

Optimising and expanding our Services: we may use your personal data, and more specifically technical information collected through tracking and monitoring your use of our Services, to improve your user experience and provide you with new or enhanced features throughout our Services.


Product development: we may use Derived Data that is anonymised and aggregated for the purposes of:

  • generating analytical data for our internal research and development, to conduct statistical analysis and identify trends and insights; and

  • benchmarking, product improvement, product development and any other lawful purpose.
Support: to assist you with the resolution of technical issues or other issues relating to our Services and to assist you with any questions or inquiries relating to our Services, including the correction of personal information.

Protect: to detect, prevent and address any fraudulent, malicious or other activity which does not comply with our marketing website’s terms of use or other terms entered into upon agreement for the use of our Services. If we believe it necessary or appropriate, we may disclose your personal data in the following circumstances:

  1. as required under applicable law, including laws outside your state or country of residence;

  2. to comply with legal process;

  3. to respond to requests from public and government authorities, including public and government authorities outside your state or country of residence; 

  4. to enforce our terms of use or other terms entered into upon agreement for the use of our Services; 

  5. to protect our operations or those of any of our affiliates; 

  6. to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and 

  7. to allow us to pursue available remedies or limit the damages that we may sustain.

We will only retain your personal data for as long as we have a legitimate interest to do so. This includes for as long as we reasonably believe necessary to fulfil any Services we have been requested to provide, comply with any laws or regulations, resolve disputes or enforce any of our agreements.

Sharing of Information

At times we may share your personal data with the following third parties:

  • third party service providers who assist and enable us to support delivery of our Services to our customers and users

  • regulators, law enforcement bodies, government agencies, courts or other third parties where we believe it’s necessary or appropriate to comply with applicable laws or regulations, to exercise, establish or defend our legal rights, or to prevent or lessen serious threats to the health or safety of individuals. Where possible and appropriate, we will notify you of this type of disclosure

  • any other third parties where we have your consent

The Clinician does not disclose any personal health information to any third party we have not specified within this Policy without your authorisation, unless required by law or necessary to prevent or lessen a serious threat to public health or safety or the health and safety of you or another individual.

International Data Transfers

To facilitate the provision of our Services, we may transfer, store or process your personal data in locations outside of your jurisdiction – including locations where our data hosting provider’s servers are located. Data protection laws in the countries to which your data is transferred may differ from those of your jurisdiction. When transferring data, we will follow applicable data protection laws and the standards specified in our agreements with our customers.

For individuals in the European Economic Area (EEA), your personal data may be transferred outside of the EEA. We will only transfer your personal data outside the EEA in accordance with the requirements of the General Data Protection Regulation (GDPR). For instance, we will only transfer EEA personal data to jurisdictions identified by the EU Commission as providing adequate protection or will complete the transfer subject to appropriate safeguards under the GDPR. 


Protection of Information

The Clinician is committed to protecting the security and privacy of your information through all levels of collection, processing, transmission, and storage. In achieving this, The Clinician maintains an information security management system (ISMS) which complies with the policies, procedures and forms required by the industry information security standard ISO/IEC 27001:2013. This is reflected by our ISMS being ISO/IEC 27001:2013 certified.

We keep your information safe by implementing strict data security practices to prevent unauthorised access, use, disclosure, alteration or deletion of any and all information collected and stored in our systems. We use industry standard encryption for storage (256-bit AES) and transmission (TLS 1.1 and TLS 1.2) and limit access to authorised users only. However, under this Policy you acknowledge that no such effort can completely guarantee the security of the stored or transmitted data and that breaches of security are still possible regarding both our systems and those of third parties (for example, ISPs and hosting service providers). For this reason, we do not warrant or ensure the integrity and security of the data stored in our or a third party’s systems, including without limitation your information.

Your Privacy Rights

If you have voluntarily provided personal information, you are entitled to the following rights over your information:

  • request confirmation that we do indeed hold any personal information regarding you;

  • request access to the personal information we hold about you;

  • request the correction and/or deletion of your personal information;

  • request information regarding how your personal information has been used or disclosed within a year from the date of your request; or

  • withdraw consent to the holding, use, processing, or disclosure of your personal information.

If you would like to exercise your rights, please contact us using the contact information set out in the How to Contact Us section below.

GDPR Notice

General Information

Responsible Person

Terence Ng, Director of Security and Compliance, terence@theclinician.com, +6587777188 has been assigned responsibility for overall oversight of The Clinician Holdings Ltd's GDPR compliance program.

Data Protection Officer

The Data Protection Officer (DPO) shall have the responsibilities set forth in this Policy and GDPR Article 39. The DPO is tasked with daily and ongoing oversight and management of The Clinician Holdings Ltd's GDPR Compliance Program, which includes the following responsibilities:

  • Monitoring The Clinician Holdings Ltd's internal compliance with GDPR

  • Providing guidance at the earliest stage possible on all aspects of data protection

  • Keeping The Clinician Holdings Ltd stakeholders apprised of changes to GDPR and other relevant laws and regulations

  • Assisting the controller or processor in monitoring internal compliance with the Regulation, including:

    • Collecting information to identify processing activities

    • Analysing and checking the compliance of processing activities

    • Informing, advising and issuing recommendations to the controller or the processor

  • Acting in an independent manner, and ensuring there is no conflict of interest in other roles or interests that the DPO may hold

  • Maintaining inventories of all personal data stored on behalf of the data controller or processor

  • Responding to security, privacy, and data access requests and complaints from data subjects

  • Managing data security and critical business continuity issues that could impact personal data

  • Providing guidance, as requested, to the data controller to complete a data protection impact assessment (“DPIA”)

  • Providing guidance on responding to accidental or malicious activity that could impact personal data

  • Cooperating with the supervisory authority as needed

  • Acting as the contact point for the supervisory authority on issues relating to processing, and consulting, where appropriate, with regard to any other matter

The Data Protection Officer is: Terence Ng, Director of Security and Compliance, terence@theclinician.com, +6587777188

Article 27 Local Representative

For entities operating outside of the EU, Representatives must be named (a Representative is defined in Article 4 as “a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.”). Representatives must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. Companies operating in the UK must also appoint a UK Representative. Primary responsibilities include:

  • Serving as the contact point for all issues related to the company's processing of personal data under the GDPR, including as a contact point for supervisory authorities

  • Understanding current data protection laws, legal or compliance requirements, and interfacing with regulatory authorities

Representative(s) is/are:

EU Representative: Instant EU GDPR Representative Ltd, Adam Brogden, contact@gdprlocal.com, + 353 15 549 700, Ireland

Subject Access Request (SAR) Policy - General Data Protection Regulation (GDPR)

This policy outlines how you can exercise your rights under the General Data Protection Regulation (GDPR) to make a Subject Access Request (SAR).

What is a Subject Access Request (SAR)?

A Subject Access Request (SAR) allows you to request access to the personal data we hold about you. This includes information about how we collect, process, and store your data. SARs are an essential part of your data protection rights and allow you to verify the lawfulness of our data processing activities.

Making a Subject Access Request

To make a SAR, please follow these steps:

  1. Identity Verification: To ensure the security of your data, we require you to verify your identity. You can do this by providing a copy of a valid identification document (e.g., passport, driver's license) along with your SAR.

  2. Submit Your Request: You can submit a SAR by sending an email to support@theclinician.com. Please provide as much detail as possible to help us locate and provide the requested information.

  3. Information Required: In your SAR, please include:

    • Your full name and contact details.

    • A description of the personal data you are requesting.

    • Any relevant time periods or specific details to help us locate your data.

Response Time

We will respond to your SAR without undue delay and within one month of receiving your request and verifying your identity. In some cases, particularly if your request is complex, we may require an additional two months to respond, but we will inform you of any such extension.

No Fee

In most cases, we do not charge a fee for fulfilling a SAR. However, if your request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to respond. We will inform you of any charges before proceeding.

Exemptions

Please be aware that certain exemptions may apply under the GDPR, which might prevent us from fulfilling your SAR. These exemptions include cases where fulfilling the request would adversely affect the rights and freedoms of others or where the data is subject to legal privilege.

Contact Us

If you have any questions about making a SAR or if you would like more information about our data processing practices, please contact our Data Protection Officer at terence@theclinician.com.

Changes to the Privacy Policy

This Policy may be revised from time to time at our sole discretion. The date at the beginning of this document reflects when the Policy was last updated. You should visit this page regularly to ensure you have read and understand the latest version. Continuing to use our Services constitutes your acceptance of any changes.

How to Contact Us

If you have any questions or concerns regarding this Privacy Policy, or would like to exercise your rights over your personal data, please contact us using the following contact information.

Email: support@theclinician.com

Phone: 0800 102 647 (NZ)

Mail: 84 Newton Rd, Eden Terrace, Auckland 1010, New Zealand