LumiraDx Care Solutions UK Ltd
Mobile application privacy policy

Version 8.0

Welcome to LumiraDx Care Solutions UK Ltd’s privacy policy. LumiraDx Care Solutions UK Ltd (“We”) are committed to protecting and respecting your privacy.

This privacy policy (together with our end-user licence agreement (“Engage EULA”) and any additional terms of use incorporated by reference into the Engage EULA) applies to your use of:

  • the mobile application known as Engage and any updates or supplements to it (the “Engage App”) once you have downloaded or streamed a copy of the Engage App onto your mobile telephone or handheld device (“Mobile Device”) or computer; and
  • any services accessible through the Engage App (the “Services”), unless it is stated that a separate third party privacy policy applies to a particular Service, in which case that privacy policy will apply,

and sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This privacy policy also tells you about your privacy rights and how the law protects you.

By downloading the Engage App, you consent to the collection, use and transfer of your personal data in accordance with this privacy policy. If you do not accept and agree with this privacy policy, you must not download the Engage App.

Personal data

You may be asked to provide personal data whilst you are in contact with us. Personal data is information that can be used to identify or contact you. You do not have to provide the personal data that we request; however, if you choose not to, we may not be able to provide you with the services that you have requested.

If we combine personal data with non-personal data, the combined information will be treated as personal data for as long as it remains combined. Personal data does not include data where the identity has been removed (anonymous data).

For the purpose of the General Data Protection Regulations ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation and the Data Protection Act 1998 (“Data Protection Legislation”), the data controller is LumiraDx Care Solutions UK Ltd, a company registered in England and Wales with company registration number 03473597 whose registered office is at c/o Francis Clark LLP, Lowin House, Tregolls Road, Truro, Cornwall TR1 2NA. Our Data Protection Registration Number is Z2996445.

Information we may collect from you

We may collect and process the following data about you:

  • Data you give us (Submitted data). You may give us information by filling in forms in the Engage App, submitting your test results or any other data via your device(s) and/or component to be used for patient self-care (“PSC Device”) or by corresponding with us (for example, by email). This includes information you provide when you enter your shipping address for a PSC Device, register to use the Engage App, download the Engage App, subscribe to any of our Services, complete training exercises, participate in surveys, and when you report a problem with the Engage App or the Services. The information you give us may include your name, address, date of birth, NHS number, email address, mobile device telephone number, username, password and other registration information.
  • Data we collect about you, your Mobile Device and/or computer. Each time you use the Engage App we may automatically collect the following data:
    • Mobile Device and/or computer data: technical information about the type of Mobile Device and/or computer and PSC Device you use, a unique device identifier, the Internet protocol (“IP”) address used to connect your computer to the Internet, network information, your operating system and the type of browser you use;
    • Content data: we may collect information stored on your Mobile Device and/or computer, including login information;
    • Log data: we may collect details of your use of the Engage App (i.e. the frequency of use, length of login periods) and the resources and Services that you access;
  • Data we receive from other sources (Third Party Data). We may receive personal data about you from various third parties and public sources. We work closely with third parties such as clinicians and other healthcare professionals, suppliers of PSC Devices, courier services and support services, and we also have access to publicly available sources. Where necessary, we will notify you when we receive data about you from them and the purposes for which we intend to use that data.

Where we store your personal data

Some of the third parties which we work closely with are based outside of the EEA so their processing of your personal data will involve a transfer of data outside of the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe;
  • where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Engage App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Engage App; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Processing your data

We may use data held about you in the following ways:

  • Submitted data: We may use this data:
    • to carry out our obligations arising from any contracts entered into between you and us (or about to be entered into between you and us) and to provide you with the information, products and services that you request from us;
    • to ensure that content on the Engage App is presented in the most effective manner for you and for your computer and/or Mobile Device;
    • to contact you by email, telephone, text message or Mobile Device notifications with notices, reminders and information relating to your use of the Engage App, Services or PSC Devices;
    • to provide you with information about applications and services that are similar to those that you already use or we feel may interest you. We will only contact you by electronic means (e-mail or text) with such information. If you do not want to be contacted in this way, you can opt out at any time by contacting us or by changing your settings in your communication preferences area of the Engage App;
    • to improve the understanding, treatment, outcomes and choices for you and your clinician;
    • to provide you with information from your clinician covering your treatment, medication, appointments or other data your clinician needs to provide to you that relates to your health and medical condition;
    • support, maintenance and your safety (including the investigation of faults);
    • to provide services to your clinician, including updating your clinician with information about your use of the Engage App, Services and PSC Device;
    • to provide you and your clinician with feedback and to improve the performance of the services that your clinician provides you;
    • to notify you about changes to the Engage App, Services and PSC Device;
    • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
    • where we need to comply with a legal or regulatory obligation.
  • Device data: We may use this data to maintain, protect, improve and develop the Engage App, Services and our software and to ensure you are using the correct version of the Engage App.
  • Content data: We may use this data to update your clinician about your use of the Engage App and Services.
  • Log data: We may use this data to ensure that content on the Engage App is presented in the most effective manner for you and for your computer and/or Mobile Device.
  • Third Party data: We may combine this data with data you give to us and we collect about you. We may use this data for the purposes set out above (depending on the types of data we receive).

You have the right to withdraw your consent to us using your personal data (and to request that we delete it) at any time by contacting us.

Cookies

A cookie is a small file of letters and numbers that is stored on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive.

The Engage App does not currently use cookies.  However, if we choose to use cookies in the future, we will change this privacy policy and inform you of the types of cookies used and the purpose for which we use them.

Please note that third parties may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

Change of purpose

We will ask for your consent before using personal data for a purpose other than those set out in this privacy policy, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you would like further information on purpose compatibility, please contact us.

Disclosure of your data

You agree that we may disclose your data (including personal data) to the following categories of third parties:

  • suppliers and sub-contractors for the performance of any contract we enter into with them or you;
  • courier services providers for the purpose of providing you with a PSC Device;
  • clinicians and healthcare professionals for the purpose of providing them with information relating to your use of the Engage App and Services to assist with your continuing treatment and to improve the performance of the service that they provide to you;
  • other companies within our group for the provision of parts of the Engage App and Services including data storage and software hosting services;
  • approved third party application providers to provide other healthcare applications, training and Services through the Engage App; and
  • marketing service providers to assist us with our electronic marketing.

Your personal data will not be shared with third parties for third party marketing purposes unless you have provided your express consent to this in the communication preferences area of the Engage App. If you do not want to be contacted with third party marketing information, you can opt out at any time by contacting us or by changing your settings in your communication preferences area of the Engage App.

We may disclose your personal data to third parties:

  • where we have your consent to do so;
  • to provide and/or improve the Engage App and/or our Services;
  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if LumiraDx Care Solutions UK Ltd or substantially all of our assets are acquired by a third party, in which case personal data held by us about you will be one of the transferred assets; and
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights of LumiraDx Care Solutions UK Ltd, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your rights

Under Data Protection Legislation, in certain circumstances you have the following rights in relation to your personal data:

(a) Right to access. You have the right to request access to information held about you. We will provide you with a copy of your personal data held by us free of charge (providing your request is not excessive or for multiple copies, in which case we may charge a reasonable fee to cover our costs) and certain information about the processing of your personal data and the source of such data (if not directly collected from you by us). You also have the right to request that your personal data is transferred to a third party.

(b) Right to object to data processing. You may withdraw your consent to the processing of your personal data at any time by contacting us. Upon receipt of your notification, we shall promptly stop any processing of your personal data and (if requested by you) erase such information if we are not required to retain it for legitimate business or legal purposes.

(c) Right to restrict processing. You may ask us to suspend the processing of your personal data in the following circumstances:

  • if you do not think your personal data is accurate;
  • where we are found to be processing unlawfully but you do not want us to erase your personal data;
  • where you need us to continue holding your personal data to establish, exercise or defend legal claims; or
  • you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

(d) Right of rectification and right of erasure. You have the right to request that we correct any inaccuracies in your personal data if such information would be incomplete, inaccurate or processed unlawfully. You also have the right to request that your personal data be erased providing that we no longer have a lawful reason for processing your data.

Where we are relying on consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

You can exercise these rights at any time by contacting us via email at hello@lumiradx.co.uk. We may reject requests that are unreasonable or require disproportionate effort (for example, such a request would result in a fundamental change to our existing practice) or risk the privacy of others.

The Engage App may, from time to time, contain links to and from third party applications.  If you follow a link to any of these applications, please note that these applications have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these applications.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Personal data retention

We may retain information about you, including personal data, for the period necessary to fulfil the purposes for which it was first collected unless a longer retention period is required or permitted by law. In determining data retention periods, we take into consideration contractual obligations, legal obligations and the expectations and requirements of our customers. When personal data is no longer needed, we will securely delete or destroy it.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Changes to our privacy policy and your duty to inform us of changes

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Contacting us

If you have any questions, comments or requests regarding this privacy policy or data processing or you would like to make a complaint, please contact us via email at hello@lumiradx.co.uk, by telephone on +44 (0)1209 710 999 or by post to:

FAO: Data Protection Officer
LumiraDx Care Solutions UK Ltd
1 North Crofty
Tolvaddon Energy Park
Cornwall
TR14 0HX

If you have any cause for complaint about our use of your personal data, please contact us using the details provided above and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.

Last updated: [•] 2018