Privacy Policy

1. Our commitment

1. We will collect and use personal information only for the reasons we will have given, or for other purposes consistent with these reasons, unless consent is obtained from the individual concerned or as required by law.
2. We retain personal information only as it is necessary to fulfill the identified purposes.
3. We will collect personal information by legal and fair means and, where appropriate, with the knowledge or consent of the person concerned.
4. We will process only personal information relevant to the purposes for which it is to be used and, to the extent necessary for those purposes.
5. We will protect personal information by reasonable security measures against loss or theft, as well as unauthorized access, disclosure, reproduction, use or modification.
6. We will make available to customers information about our policies and practices related to the management of personal information.
7. We are committed to conduct our business in accordance with these principles in order to ensure that confidentiality of personal information is protected.
8. We reduce to its minimum the use of third-party solution; only when required to deliver you the Services.
9. We do not resell any personal and sensitive data for marketing or profiling activities.

2. What are your rights?

Regarding your personal information, you have the following rights:

• The right to be informed about what happen to your data
• The right to access your data
• The right to correct your data
• The right to delete your data
• The right to restrict the processing of your data
• The right to export and use your data
• The right to object data processing
• The right not to be profiled and contacted for marketing.

Our Privacy Policy is compliant with the European General Data Protection Regulation (GDPR) of the European Parliament.

Our Privacy Policy will explain you how your right are preserved when you use the Services.

3. Who is the data protection officer?

Owner: digitalMedLab Ltd, Konradstrasse 17, 8005 Zurich, Switzerland
Registration Number: CHE-331.378.890
Data Protection Officer (DPO): Dr. med. Patricia Sigam, legal@digitalmedlab.com

4. What data are being collected?

4.1 Technical information when you use the Services

When you use the Services, we automatically collect information such as unique identifiers to check user identity, provide custom information and use them as account numbers in our registration system.

During your visit, certain information are created and logged automatically.

• Log data: information automatically send from browser or mobile app when you are using it.
  When you use our Services, our servers automatically record certain log file information, including your web request, Internet Protocol ("IP") address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Services, domain names, landing pages, pages viewed, and other such information. We may also collect similar information from emails to track which one are opened and which links are clicked by recipients. The information helps us improve the Services.
• Cookie data: small text files sent by computer or mobile device each time you visit a website. The cookies are unique to your account or your browser.
  Your language for example or other settings are stored in cookies, so that you don’t have to set them up any time you use the Services. Some cookies may contain personal information such as email address.
  More information and how to opt-out of cookies you will find in our Cookies Policy.
• Device information: information about the device you are using including type of device, operating system, settings, unique device identifier and crash data.
  The type of data we collect depends on what type of device you are using and its settings. If you want to know more about how you can define the settings of your device, please consult the information provided by the device manufacturer or software provider.
  When you use a mobile device like a tablet or a smartphone to access the Services, we may access, collect, monitor, store data on your device, and/or remotely store one or more "device identifiers."
  Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identify your mobile device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device`s operating system or other software, or data sent by Us to the device.
  The use of device identifier helps us keep your account secure by providing accurate monitoring and reporting of the activity related with your account. You will be automatically informed for any access to your account from an unknown or suspicious device.

We automatically collect: IP address, browser information, browser settings, and devices information. This information are used to keep your account safe.

4.2 Personal information you provide to us

When you use the Services, you share with us Personally Identifiable Information (PII) like name, contact information, email address, professional information, organisation information, payment information. This Personally Identifiable Information is data that identify you or your patients.

We do not sell or lease out any personal information.

4.3 Patient information

When you use the Services, you may also share with us Patient Medical Information (PMI) including patient identifier, past and current medical history, medication, consultations etc.

You may also share sensitive patient information that needs to be kept with the highest security and privacy level.

5. How do we use the information we collect?

The legal basis for the process of your data is the consent that you give us when you sign up for the Services and explicitly accept, by checking a checkbox inside the form, this Privacy Policy which explains how your data is processed, which you must have read and understood before.

5.1 Data that could identify you

We may use your personal information for the following purposes:

• To provide you information, products or services you have requested or purchased as otherwise may be necessary to perform the contract between you and Us, to ensure the functionality and security of the Service, to identify you as well as to prevent and investigate fraud and other misuse.
• To better understand your needs or interests, but also to improve the Services.
• To communicate with you for customer related purposes, to send critical alerts and other such notices relating to the Services, to invite you to participate in surveys or research projects.

We use personal information for the communication with you and to prevent data misuse and data disclosure.

5.2 Data that does not identify you or your patients

De-identified data: personal information processed in order that it is not possible to associate the data back to a person or a group of person.

If you and/or your patient consent to, we will use de-identified data for clinical research. To-do so we take all needed legal and technical measures to ensure that the data does not identify you or your patients and can not be associated back to you or your patients. The aggregated data are useful to help us understand medical conditions and treatment effectiveness.

The usage of de-identified data is based on a consent that can anytime be redrawn by activating the corresponding box in the settings or in the patient profile. By deactivating the box, your data or the data of your patient would automatically be excluded from the de-identified data pool. When you don’t see any information about de-identification in your profile page, it means that the Services you are currently using does not process de-identified data at all.

If you give us the consent, we use de-identified data for clinical research. You can redraw your consent anytime, without any consequence.

6. Do we share Personal Information?

We do not sell, lease, rent or otherwise disclose your personal and patient data to third-parties unless otherwise stated below.

6.1 Authorized third-parties

Authorized third-parties are companies that process personal information on behalf of Us for the purposes described in this Policy. This may include for example order fulfillment, email management, credit card processing, customer services or surveys. When you purchase the Services delivered with a partner provider, we may need to exchange information with the partner to provide you with the product or the service.

6.1.1 Third-party Services:

To support +WoundDesk in delivering the Service, we may engage third-party service providers to assist Us with data processing activities. When we work with these service providers in our capacity as a data processor, the third-party service provider is a sub-processor of +WoundDesk. For more information please visit our list of Sub-processors.

6.1.2 Data hosting:

The security and privacy of data is key. To insure the highest privacy and avoid data disclosure, we partner with data hosting provider who process data in compliance with medical regulations. The way and the location of the data hosting is based on your subscription plan and your country settings.

These authorized third-parties are not permitted to use your personal information for any other purpose. We require them to act consistently with this Policy and to use appropriate security measures to protect your personal information.

We share personal information with other companies only for the purposes of the Services and we select third-parties that sign a contract with us to protect your data.

6.2 International transfers of personal information

The Services may be provided using resources and servers located in various countries around the world. Therefore your personal information may be transferred across international borders outside the country where you use the Service, including countries outside the European Economic Area (EEA) that do not have laws providing specific protection for personal information or that have different legal rules on data protection, for example, the United States of America. In such cases we ensure that there is a legal basis for such a transfer and that adequate protection for your personal information is provided as required by applicable law, for example, by using standard agreements approved by relevant authorities (where necessary) and by requiring the use of other appropriate technical and organizational information security measures.

Personal information could be processed outside the EU only if the same level of security and privacy is insured.

6.3 Mandatory disclosures

We may be obligated by mandatory law to disclose your personal information to certain authorities or other third-parties, if we believe, after due consideration, that doing so is reasonably necessary to comply with law, regulation, or valid legal processes. If we are going to release your data, we will do our best to provide you with notice in advance by email, unless we are prohibited by a court order from doing so or where the request or legal process is directly related to a regulatory investigation. In the later case, we will ensure user information we disclosed is treated as confidential. We may also disclose and otherwise process your personal information in accordance with applicable law to defend Our legitimate interests, for example, in civil or criminal legal proceedings.

We may disclose your personal information to comply with law, regulation, or valid legal process.

6.4 Mergers and Acquisitions

If it is necessary in connection with the sale, merger, bankruptcy, sale of assets or reorganization of our company, your personal information can be transferred as part of that transaction as permitted by law. The promises in this Privacy Policy will apply to your data as transferred to the new entity.

If we sell the company, your personal information are transfer to the new company under the same privacy principles and rules.

6.5 Research Institutions

If we have your and the patient’s consent to do so, we may share or sell aggregated, de-identified data with public or private research institutions. To-do so we take all needed legal and technical measures to ensure that the data does not identify you and your patients and cannot be associated back to you and your patients. The aggregated data are useful to help understand and optimise medical conditions and treatment effectiveness.

The usage of de-identified data is based on a consent that can anytime be redrawn by activating the corresponding box in the settings and/or patient profile. By deactivating the box, your data or the data of your patient would automatically be excluded from the de-identified data pool. When you don’t see any information about de-identification in your settings and patient profile page,it means that the Services you are currently using does not process de-identified data at all.

If you and the patient consent to, we can use de-identified data for research to optimize the treatment of chronic wounds.

7. How is my information protected?

We know the importance of keeping your personal information safe. We have implemented administrative, technical and physical security controls to protect your personal information.

However, despite our efforts, no security control is 100% effective and We cannot guarantee the absolute security of your personal information and consequently, the violation of data through fraudulent access by hackers and other third parties with malicious intentions. We also employs a Secure Socket Layers (SSL) security protocol which is used to provide data encryption on pages and areas where personal data are collected and transmitted to our Services.

At the moment that there is a security incident and We are aware of it, we will notify you immediately and we will give you all the information related to the security incident that is known at that moment, or when you require it.

For more information about our security settings please visit Security at +WoundDesk.

8. How long do you save my personal information

Due to the medical aspect of the collected data, we keep it in compliance with the country health legislation where the data is stored, but at least for a period of 10 years.

We apply following principles when hosting and archiving your data:

• Legality, loyalty and transparency: We will always ask for your consent for the processing of your personal information for any specific purpose that we will explain in full transparency.
• The minimisation of data: We are only going to request the data strictly necessary in relation to the purposes for which we require them, and that will always be the minimum possible.
• Integrity and confidentiality: Your data is processed in such a way that an adequate security of such personal information is guaranteed and confidentiality is guaranteed. We insure that the necessary precautions are taken to prevent unauthorised access or improper use of the data by third-parties.

We keep the data in compliance with the medical regulation of your residence country but at least for a period of 10 years.

9. How to modify my personal information

You can anytime access all your data inclusive personal information by signing in to your account on the web-based +WD Administration. If you remove data from your account, they are deleted and will no longer appear on the Service. Nevertheless, they will remain in the pre-existing security backups. The changes made cannot be implemented in the already existing backups and the data will remain unchanged on our backup servers.

You can anytime add, edit and delete your personal information using the web-based +WD Administration.

10. How to export my personal information

With the web-based +WD Administration you can easily export your all the data you have collected using the Service. A special functionality on the settings page allow you to transport your data in a portable CSV format and use them with other software. The images are exported in JPG format, a standard format for images.

You are the owner of your data. You can export and use them in other systems.

11. How to delete my personal information

You can anytime delete your registration and deactivate your account using the web-based +WD Administration. When you do so, we give you 30 (thirty) days to export all your data. After this 30-days delay, your data will be removed permanently from the Service. This can not be undone. Backup copies of this data will be kept in compliance to applicable regulations (see section 7: How long do you save my personal information).

You can anytime delete your account. Medical records will be kept in accordance to applicable regulation.

12. How can I restrict processing?

You can ask for a restriction of data processing by writing to our data protection officer at legal@digitalmedlab.com. We will automatically restrict the processing upon request and inactivate the account to be restricted, unless there are no legitimate grounds for processing the personal information in question.

We also restrict processing if we are have concern on accuracy or validity of data.

To restrict personal information processing, please contact our data protection officer.

13. Children’s Privacy

We do not knowingly allow anyone under the age of 13 to register for the Service. The Services and its content are not directed at children under the age of 13. In the event that we learn that we have registered a child under age 13, we will delete that information as quickly as possible. If you believe that we might have registered a child under 13, please contact us at legal@digitalmedlab.com

Even if the Services could not harm children, it is not intended to be used by children under 13.

14. Will you contact me?

From time to time, we may want to contact you via email with information about product announcements, software updates and special offers. You can anytime stop the mailing by selecting “Unsubscribe” in the mail footer. You can also use the settings page on the web-based +WD Administration. In case that you select not to receive our emails, you will continue to receive the important security information, alerts, account related notifications and mandatory information, even if you drop out of the mailing list.

You can decide if you want to be contacted or not.

15. Changes to this Policy

We may change this Policy from time to time, for example to respond to changing technical and security landscape, to respond to new laws and regulations or as circumstances may otherwise warrant. We will post such changes along with their effective date on our website and/or inform you by email. You should read this Privacy Policy again from time to time to see if there have been any changes that affect you.

Your use of the Service, including the permanent storage of your personal information on our systems, following any such change constitutes your agreement that all information collected from or about you through the Services will be subject to the terms of the revised Policy. The date at the top of this Privacy Policy indicates when it was last updated.

We will inform you if we make changes to the Privacy Policy.