Effective Date – 03/08/2023
This privacy notice for ORCHA Health Inc. (“Company”, “we”, “us”, or “our”) describes how and why we might collect, store, use and/or share (process) your information when you use our services (“Services”), such as when you:
- Visit our website at acplibrary.orchahealth.com, or any website of ours that links to this privacy notice
- Engage with us in other related ways, including any sales, marketing, or events.
For the purpose of this privacy notice, we are the Data Processor and ACP is the Data Controller.
Reading this notice will help you understand your privacy rights and choices. If you do not agree to our policies and practices, please do not access our services. If you have any questions or concerns, please contact us at email@example.com.
This summary provides an overview of the key points from our privacy notice. However, you can find out more information by clicking on the linked title for each topic in this section or in our table of contents below.
What personal information do we collect and/or process? When you visit, or use our Services, we may process your personal information, depending on how you interact with us and our Services, the choices you make, and the products and features you access.
Do we process any sensitive personal information? We may process sensitive personal information, when necessary, with your consent, or as otherwise permitted by applicable law. In particular, we are likely to process some Protected Health Information (PHI), through your physician’s and your use of our Services.
Do we receive information from third parties? We will receive anonymized information from third parties that collect and report site activity. We will also receive information from ACP and their registered users of Pro Accounts when they use our services to recommend digital health products to you.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information only when we have a valid legal reason to do so.
In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties.
How do we keep your information safe? We have organizational and technical measures and processes in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% safe, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to improperly collect, access, steal, or modify your information.
What are your rights? Depending on where you are geographically located, the applicable privacy laws may mean you have certain rights regarding your personal information.
How do you exercise your rights? The easiest way for you to exercise your rights is by contacting us at firstname.lastname@example.org. We will consider and act upon any request in accordance with applicable data protection laws.
Table of Contents
- What Information do we collect?
- How do we process your information?
- When and with whom do we share your personal information?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- What are your privacy rights?
- Updates to this privacy notice
- How to contact us about this notice
1 – What information do we collect?
Information Collected From You
We collect information about you when you voluntarily provide it to us, such as when you register for our Services, express an interest in obtaining information about us or our products and Services, participate in activities on the Services, or otherwise contact us. We may also receive information about you from ACP, when they use the platform to provide you with recommendations.
Personal information provided by you. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:
- Mobile Number
- Email Address
- Organisation you work for (Pro Account)
- Profession (Pro Account)
Sensitive Information. When necessary, with your consent, or as otherwise permitted by law, we process the following categories of sensitive information:
- Health Information (This information is only inferred through recommendations you receive from a Pro Account user, as opposed to directly related to you)
Information Automatically Collected
2 – How do we process your information?
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, access more of our Services and to keep your account in working order.
- To deliver and facilitate delivery of our Services to you. We may process your information to provide you with the services you have requested from us.
- To request feedback. We may, from time to time, request feedback from you about your experience using our Services and the products you have accessed via our Service.
- To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
- To identify usage trends. We may process information about how you use our Services to better understand how they are being used and work on improving your experience.
- To act on an individual’s vital interests. We may process your information, when necessary, to protect an individual’s vital interest, such as to prevent any risk of harm.
3 – When and with whom do we share your personal information?
We may share your data with certain third parties set out below for the purposes described in the section above:
- Service providers (acting as data processors) who provide IT and system administration services in connection with our business and the manner in which we provide our products and services. These include (but are not limited to) third parties who support and maintain our website, webchat functionality, and customer relationship management system
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
- ORCHA reserves the right to share your information with other companies that we own or other companies that help us provide any of our services.
- We may be required to share your personal information with agencies to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
There may be rare occasions where information gathered through the day-to-day collection of ORCHA data identifies a clear need to safeguard the welfare of the individual and/or his/her family and, on those occasions, it may be necessary to contact relevant authorities to address this. ORCHA will only undertake these actions in line with appropriate legal guidelines and using formal, recognised, and auditable processes.
Cookies are small text markers stored on your computer that enable us to understand how people use our website.
No personally identifiable information is stored in ORCHA’s cookies. In common with many similar websites, ORCHA uses them to help remember preferences and for anonymous statistical measurements – for example so we know how many “visits” a page has had.
- Remember certain information about users so they don’t have to repeatedly provide that information
- Recognise if users are already logged in to certain areas of the website
- Measure how people use our website so we can continually improve how information is provided
- Serve certain types of ads relevant to your interests.
5 – Is your information transferred internationally?
Where possible, we will always store your personal information on servers in the country in which you reside. When this is not possible, your data will be transferred to servers in the UK.
Our sharing of your personal data with the third parties identified above may result in the transfer of your personal data to locations outside of your jurisdiction. Whenever we transfer your personal data, we ensure that a degree of protection similar to that required in your jurisdiction is afforded to it by ensuring at least one of the following safeguards is implemented:
- Where possible, we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we share personal data with certain service providers, we will implement safeguards using the Standard Contractual Clauses. These clauses require all recipients to protect all personal information that they process to the same standards we do.
6 – How long will we keep your data?
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice unless we are required or permitted by law to retain it for a longer period. We will retain any personal data that is captured for the duration of a registered relationship with you. Once this formal, contractual relationship has ended we will maintain the personal data for a period of two years to support operational management, or legal requirements that may arise.
After this period, ORCHA converts any personal information into anonymous data, with all personally identifiable elements being destroyed using industry best practice deletion standards.
7 – How do we keep your information safe?
ORCHA implements a range of measures to ensure that any personal information that you provide to us is kept secure, accurate and up to date.
ORCHA’s protective measures include:
- Regular reviews of data capture processes to ensure only data that is necessary to support the delivery of ORCHA services is captured
- The implementation of transparent, informative consent capture mechanisms to ensure that all ORCHA service users understand why ORCHA collects their data and how ORCHA manages that data. In addition, ORCHA consent processes allow users to monitor and amend their consent preferences should their preferences change
- The encryption of data in transit between the ORCHA sites/Apps and the secure data storage facilities
- The maintenance of secure data management environments through strong application of Data Warehousing standards and role-based access controls for authenticated and accredited users. Access to the raw data collected through ORCHA interactions with end users of our services is limited to only those with the appropriate administrative permissions
- ORCHA only keeps personally identifiable data for as long as it is needed and only for the purposes for which our end users have agreed we can use it.
Access to this data is limited to accredited ORCHA staff and access is managed using role-based access controls.
The data that is captured through your interactions with ORCHA is stored securely in a protected data warehouse and is only accessible to accredited administrative users with specific access permissions. Data in transit between webpages and the data store is fully encrypted, in line with best practice encryption methodologies, to minimise the risk of interception.
8 – What are your privacy rights?
You have the right to delete or request that we assist you in deleting the Personal Data that we hold about you. Our service may give you the ability to delete certain information about you from within your user account.
You may update, amend, or delete your information at any time by signing into your account, if you have one, and visiting the account settings. You may also contact us to request access to, correct, or delete any personal information that we hold about you, by using the contact details at the end of this notice.
Please be aware, however, that we may need to retain certain information when we have a legal obligation or lawful basis to do so.
Depending on the state in which you reside, you may have additional rights under applicable laws. The easiest way for you to exercise your rights is by contacting us at email@example.com. We will consider and act upon any request in accordance with applicable data protection laws.
9 – Updates to this notice
This privacy notice may be updated from time to time. The updated version will be effective as soon as it is available. If we make any material changes to this notice or how we process your data, we may inform you of these changes by posting a notice of these changes on our websites or by contacting you directly by email.
We encourage you to regularly review this notice to make yourself aware of any changes and how we are protecting your information.
Where we have relied on consent for processing your personal information, and the changes we wish to make significantly differ from the processing purposes you consented to, we will need to re-obtain your consent before processing your data for our new intended purposes.
10 – How to contact us about this notice
If you have any questions about this privacy notice, you may contact our Data Protection Officer (DPO), John McGovern, by email at firstname.lastname@example.org, by phone at +441925606542, or by post to:
ORCHA Health Ltd. John McGovern Violet 2 Sci-Tech Daresbury Daresbury United Kingdom WA4 4AB
ORCHA Health Inc. CIC Boston, 50 Milk Street, 16th Floor BOSTON MASSACHUSETTS 02109 UNITED STATES