Xmed Privacy Notice
Hello and welcome to the Xmed Privacy Notice. This policy relates to the processing activities carried out by Xmed, a subsidiary of YouHealth SAGL. The Xmed iOS App (“the App”) relies on personal data in order to provide many of its services and features. It is important to us that our users understand exactly how we collect, use, share, store and process information. Xmed processes its data in accordance with the General Data Protection Regulation (GDPR). Xmed does not sell or trade your personal data with third parties. If you disagree with any of the processing activities detailed in this Privacy Notice, please delete your account and uninstall the app.
This statement provides the following important information:
- What information do we process & why?
- Access and disclosure to Third Parties
- Your rights
- Security of your data
- Processing of children’s data
- International data transfers
- Duration of processing
- What can I do?
- Xmed Contact details
‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
What information do we process, and why?
When you register an account with us, we ask you to provide the following information: First name, Last name, Email address. We use this information to create your account, deliver content to you and administer your account.
In order to use some of our features, Guests and Account holders are requested to enter: Age, Sex, Weight, Height, Visited Countries, and Risk Factors. Risk factor information may relate to a) Current health status (e.g. high blood pressure, presence of Diabetes), b) Lifestyle information (e.g. Smoker/non-smoker, alcohol consumption), c) other health influencers (e.g. Pregnancy) and Symptoms.
This information is required for the functioning of these features (for example, the Sickness Detection feature and the Sickness Tracking feature). This information represents sensitive health data, which we will only process with your explicit consent. If we want to process your sensitive personal data for any other future purposes, we will request separate consent from you, after informing you of the new purpose or purposes.
Medical Expert data
If you are a medical expert registering with Xmed, we will request the following information: Medical License Number, National Provider Identifier, State of Office, Office city location, Office city zip code, Office phone number, Office address line, Medical expertise, Affiliated hospitals, Medical school attended. This information is requested in order to verify your credentials as bona fide medical professionals. We process this personal data under (Article 6(1)b) GDPR, ‘processing is necessary for the performance of a contract’.
Communications with us
When you email us, we will use this communications data in order to provide you with support through our customer service channels. We may contact you with the information you have provided us. This information allows us to manage your account, fix problems and to improve your experience of the App. We process this personal data under (Article 6(1)b) GDPR, ‘processing is necessary for the performance of a contract’.
Face ID and Touch ID
These are settings activated via your mobile hardware. You can review your privacy settings on the Apple website for information about how this information is processed. If you wish to alter these settings in the App, you can do this under Settings → Privacy → Login Pin and Face ID. Xmed uses Apple’s system-provided API to ask the user to authenticate using Touch ID or Face ID or a passcode. If you use Touch ID or Face ID, Xmed is notified only as to whether the authentication was successful and it cannot access Touch ID, Face ID, or the data associated with the user. Apple does not store this biometric data; it is kept on a ‘secure enclave’ on your device. These options can provide an additional level of security for your personal and sensitive personal data.
For more information about how Apple uses these authentication technologies to secure your data, please read: https://www.apple.com/business/docs/iOS_Security_Guide.pdf, Touch ID: https://support.apple.com/en-us/HT204587, FaceID: https://support.apple.com/en-us/HT208108.
Xmed features a message board area where users can have discussions about all topics, including and largely on the topic of their personal health, with other users and with medical experts. These message boards are open to the public and should not be considered private.
We collect IP addresses provided by your mobile device to deliver the service to your device. We process this personal data under (Article 6(1)b) GDPR, ‘processing is necessary for the performance of a contract’.
We do not sell or trade your data. We only share your data in the limited circumstances as detailed below:
Xmed uses trusted external service providers for certain technical data analysis, processing and/or storage offerings for the Xmed App. These third-party service providers have access to personal information needed to perform their functions but may not use it for any other purposes. Third party processors and sub-processors must process your personal data in accordance with this Privacy Notice and as permitted by applicable data protection law. Key service providers to Xmed include:
Amazon AWS: Your information is stored on the Amazon AWS hosting service. For information about how Amazon AWS keeps this data secure, please visit: https://aws.amazon.com/security/
In rare circumstances, we may disclose information about you to comply with a regulation, law, legal process, or governmental request, to assert legal rights or defend against legal claims, or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the App or the physical safety of any person.
Change of ownership
We may share your data with a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings). Any third party to which Xmed transfers or sells its assets will have the right to continue to use the Personal Information and other information that you provide to us, but they will still have to honour the commitments we have made in this Privacy Notice.
Security of your data
We apply security measures to protect against the loss, misuse, or alteration of personal information under our control. Xmed employs technical and organizational measures to ensure an appropriate level of security for your personal data. SSL is used to encrypt data whilst in transit. We also request that suppliers who process personal information on our behalf take a range of security measures designed to help protect your personal information and maintain an appropriate level of security.
Your rights under GDPR
Under the GDPR, you have several rights in relation to your personal data. We have designed the Xmed app to allow you to exercise many of these rights independently from within the app. However, if you wish to exercise rights that are not actionable within the app, please do not hesitate to contact us at email@example.com.
Data Access: You have the right to know information that the Xmed App processes about you and have access to this information. Some of your personal data will be viewable on the App itself. We will reply to your request within one month of request. This one-month deadline is activated a) upon receipt of verification of your identity, and/or b) in such cases where we are unclear as to the information you have requested and we request further information, upon receipt of your clarifying response. If we are unable to provide you with information you request, we will explain to you why.
Data Portability: You have the right to have your data exported to you in a machine-readable format, and/or to have this transferred to a third-party service provider. To export your data within the App, you will find this option under Settings → Privacy → Export data. If you would like us to provide this exported data directly to a third party, please contact firstname.lastname@example.org.
Data Rectification: You are able to edit your personal data within the App at any time.
Data Erasure: You have a right to request erasure of the personal information that we hold about you and to have your request responded to within one month of request. We will retain your information to the extent necessary for maintaining financial records, protecting or enforcing legal rights, maintaining marketing suppression lists or for technical reasons such as maintaining technical security or our database integrity. If we cannot fulfil your request we will explain why.
Delete your data: If you would like to delete your account and account data, you can do so by selecting Settings → Privacy → Delete Account in the App. If you would rather not lose all of your data after closing your account, you can tick ‘I’d like to save my personal data’, which appears below the option for ‘Delete Account’. This will allow you to export all of your data as a machine-readable (.CSV) file.
You have the right to withdraw consent for processing. You may action this by selecting Restrict Processing Mode: Settings → Privacy → Restrict Processing Mode. If you select this option, you will only have access to features that do not require processing of sensitive data.
Right to object: You have the right to object to the processing of personal data about you.
If you have selected to receive direct marketing communications from us, and no longer wish to receive these, please opt-out by following the unsubscribe link in the email or communication.
Processing of children’s data
Persons under the age of 13, or any higher minimum age in the jurisdiction where that person resides, are not permitted to create accounts unless their parent has consented in accordance with applicable law. If we learn that we have collected the personal information of a child under the relevant minimum age without parental consent, we will take steps to delete the information as soon as possible. Parents who believe that their child has submitted personal information to us and would like to have it deleted may contact us at email@example.com.
International data transfers
Some of our data processors store or process personal data outside of the EU/EEA. All vendors used by Xmed have one or more of the following international data transfer mechanisms in place:
- Standard Contractual Clauses (Model Clauses)
- Adequacy decision from the European Commission
- Certification under the EU/US Privacy Shield, Swiss-US Privacy Shield
Your data is stored outside of the EU/EEA with Amazon AWS. Xmed has signed a Data Processing Agreement with Amazon AWS, which covers Model Clauses. Amazon also has the Privacy Shield which legitimises transfers from the EU/EEA to the US. Please see their website if you would like further information: https://aws.amazon.com/privacy/, https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/.
Duration of processing
We will process your personal data in accordance with this Privacy Notice for as long as your account is active or until you delete your account with us. If your account is inactive for 18 months, we will delete your account data automatically.
What can I do?
By keeping devices secure and backed up, users of the Xmed App may in some cases be able to prevent a data breach from occurring. Provided your mobile device has the functionality, consider using the following privacy-enhancing options:
Activate a unique PIN code or Touch ID both for unlocking your device and for use within the app. This can significantly reduce the likelihood of unauthorized access to your account.
Set up a remote wiping function on your device. In the event that your device is lost or stolen, this will give you the option to delete all of your data without having the device in your possession. For iOS, this can be achieved by selecting ‘Find My iPhone’ through iCloud and enabling ‘Erase your device’. For Android, download and set up ‘Find My Device’ from Google Play Store, and if needed, use the connected interface to lock or wipe your phone.
Back up your data. For iOS, you can do this by using Apple’s backup solution via iTunes or iCloud.
Please let us know if you have any queries or complaints in relation to the processing of your personal data. Our contact details are provided below.
If you are based in the EU/EEA, you have the right to file a complaint with the Supervisory Authority in your country. To find your Supervisory Authority, please follow this link to the website of the European Commission, where you can download a directory: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
Via Guidino 7
This Privacy Notice was most recently updated on 8th August 2018.