Our Path Ltd ("we") are committed to protecting and respecting your privacy. We are registered with the UK Information Commissioner's Office as a Data Controller (Reg No. ZA148098), and have in place a comprehensive Company data protection policy and code of practice.
OurPath provides you (the "User") with access to the online and mobile services including, but not limited to, ourpath.co.uk and all associated subdomains (the "Website"), the OurPath mobile application (the "App"), and any provided healthcare tracking technology, collectively the "System".
We may collect and process information provided by filling in forms on the Website or App, including information provided during completion of surveys and other online tools, posting of comments in the Community or requesting further services, and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence. OurPath also collects and processes data with the health tracking technology which we provide you as part of the System, such as wireless weighing scales (which track your weight) and activity trackers (which track your steps and sleep).
Throughout your use of the System we may collect and process information such as: personal information (name, date of birth, address, email, phone number, height, weight, steps per day, sleep); lifestyle (body mass index, ethnicity, smoking status); other health profile information and details of your visits to the System and the resources that you access (including, but not limited to, traffic data, location data, weblogs, other communication data, and the resources that you access).
Your data (steps per day and weight) may also be collected via Apple HealthKit or Google Fit upon installing our iOS and Android apps. This consent will be explained and obtained from you within the app and you may revoke this access at any point within your phone's operating system settings.
Your data (name, weight, email, phone number) may also be provided to us by an electronic patient record in order to refer you to the System, e.g. provided through your GP or local NHS service. If this is the case, this consent will be explained and obtained from you separately.
The information described in this Policy that is collected through either the System, Apple HealthKit / Google Fit, or your electronic patient record is known as "personal data".
But don't worry, we are required by law to maintain the privacy of your personal data and to provide you with this notice of our legal duties and privacy practices with respect to your personal data. When we use or disclose your personal data, we are required to abide by the terms of this Policy (or other Policy in effect at the time of the use or disclosure).
OurPath provides the System to referrals provided through the NHS. As such, we are Information Governance Toolkit Level 2 accredited, which has been independently audited – our organisation code is 8JF17.
We may collect information about your device, including where available your IP address, operating system, browser type and screen size for use in system administration, to tailor your experience of the System, provide you with customer support and to report aggregate information internally.
For the same reason, we may obtain information about your usage of the System by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us: to recognize you when you return to our site; to maintain data you have entered, e.g. during completion of a survey; to speed up your searches; to estimate our audience size and usage pattern; and to store information about your preferences, and so allow us to customize our site according to your individual interests.
Both OurPath and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) to inform, optimize, and serve ads based on your past visits to the Website on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.
OurPath is dedicated to maintaining the privacy and integrity of your personal data. As such, we have policies and procedures and other safeguards to help protect your personal data from improper use and disclosure.
The lawful basis for which OurPath processes personal data is consent.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable information is minimized. The following categories describe different ways that we use your personal data within OurPath and disclose your personal data to persons and entities outside of OurPath. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
How much personal data is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
All information and data you provide to us is stored on secure servers with trusted 3rd party suppliers, Amazon Web Services ('AWS') within the European Economic Area ('EEA'). AWS complies with EU Data Protection Directive ('Directive 95/46/EC'), which sets out several data protection requirements, which apply when personal data is being processed. AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepaper: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
All passwords are stored in encrypted form and all traffic is transmitted securely via SSL by default. However, it may be possible that your anonymised data is transferred to, and stored at, a destination outside the EEA – such as Google Analytics. By submitting your personal data, you agree to this transfer, storing or processing.
Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the System, and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, and responsibilities as a registered Data Controller in the UK.
You have certain rights with respect to your personal data. If we do not agree to a request by you with respect to your personal data, please consult the OurPath Privacy and Security Officer whose contact information is below.
If we do not comply with any of the below, you have the right to complain to the ICO and to a judicial remedy without undue delay and at the latest within one month.
As per the ICO's 'Principle 5', we retain personal data no longer than is necessary for the purpose we obtained it for. With the context that your personal data may be used for research purposes (as covered in section 3), OurPath will retain any information held on an individual for up to 10 years after that individual has ceased use of the System. At that point, the individual's information will be deleted. As covered in section 5, you may request that we delete your data at any time.
OurPath's information systems are highly protected, encrypted, and secure - but no system is completely impenetrable. OurPath has procedures and tools in place to detect, report, and investigate a data breach. When a breach may result in a high risk to your rights and freedoms, we will notify both you and the ICO of this.
If you believe that any of your rights with respect to your personal data has been violated by us, our employees or agents, please communicate with the OurPath Privacy and Security Officer at: firstname.lastname@example.org
We reserve the right to revise this Policy and to make the revised Policy effective for all personal information that we created or received prior to the effective date of the revised Policy. If you are a registered user, we will notify you of changes by the email address we have for you on file.
Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is above. This Policy will be promptly revised if there is a material change to a policy described herein.
Effective Date: This Policy is effective as of March 1st 2017.