1. General provisions
1. 2 App. The App connects users applying for in vitro fertilization with the Clinic and allows the applicants to share information about their health and fertility issues with the Clinic. The App also allows users to track data about their health information and procedures related to IVF, and further works as a decision support tool throughout the IVF healing process.
2. Controller of the personal data
2. 1 Controllers. We are the controller of your personal data, together with our UK subsidiary Cognitive IVF UK LTD, a private limited company with its seat at 71-75 Shelton Street, Covent Garden, London, England, WC2H (hereinafter referred to as “Cognitive IVF UK”). We and Cognitive IVF UK act jointly as joint controllers in accordance with Art. 26 of the GDPR (joint controllers hereinafter referred to as “we”, “our”, “us”). Any data transfers between us as a data exporter and Cognitive IVF UK as a data importer are based on the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation. We are also the authorised representative of Cognitive IVF UK in the European Union under Art. 27 of the GDPR.
2. 2 Contact Details. You may reach us directly at our e-mail firstname.lastname@example.org or at our address (hereinafter referred to as “Contact details”).
2. 3 Data Protection Officer. The joint controllers have appointed an external data protection officer (DPO) for you to contact if you have any questions or concerns about our personal data policies or practices. You may contact the DPO at email@example.com, telephone number +420 777 118 385, or at:
ARROWS advokátní kancelář s.r.o.
150 00 Prague
2. 4 Clinic. With your consent given through the App, your personal data are also accessed and processed by the Clinic, which acts as a separate data controller and may be reached at e-mail DPO@grupoasisa.com.
3. 1 Personal data - means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, date of birth, location data, e-mail.
3. 2 Processing of personal data - means any operation or set of operations which is performed on your personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. 3 Controller - means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
3. 4 Processor - means a natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.
3. 5 Purpose - means the reason why the controller is processing your personal data.
3. 6 Recipient – means the person that receives the personal data.
3. 7 Consent - means a freely given, specific, informed and unambiguous indication of your wishes, by a statement or by clear affirmative action, which signifies agreement to the processing of personal data relating to you.
4. Data processed, purposes, method and period of time of processing the personal data
4. 1 Scope of data processed.
4. 1. 1 Sources of the personal data. We and the Clinic receive your personal data from various sources, which are in particular:
- when you register in the App;
- when you use our Services;
- when you participate in the clinical study which uses our App;
- when the Clinic provides us with data about you.
4. 1. 2 Data collected. We and the Clinic only process such personal data that are provided to us from you via the sources as described above. In particular, we process the following personal data:
- Account data: name and surname, e-mail, telephone number, the address of permanent residence, date of birth and state of nationality, gender, password or passcode, ID (for limited purposes).
- Health data: you may choose to provide personal information about your health and well-being such as: weight, body temperature, basic medical history, health conditions & diseases, menstrual cycle dates, various symptoms related to your menstrual cycle and health, other information about your health (including sexual activities, tests & exams, vaccination, family history, test results, diet, daily routine), previous pregnancies, physical attributes, anamnesis with a focus on diseases that may affect the ability to conceive and deliver a child, well-being, and related activities, including personal life, sexual orientation and health of your partner. These data may also include personal data collected in the course of research or study which you decided to participate in. These personal data will only be processed with your consent.
- Payment data: the information on your bank or credit card details, the Services you have ordered, your payments, invoices with your personal details, etc.
- Logged activities: You may also give us the ability to import into the App personal data about your health and activities from third-party services such as Oura, Apple HealthKit, Google Fit, Garmin Connect, Strava etc. Such imported personal data may include sports activities, weight, calories burnt, heartbeat rate, number of steps/distance travelled, and other data about your health. These personal data will only be processed with your consent.
- Other persons' data: When you set up your profile in the App, you may also share with us data of your spouse or partner, as well as their Health data related to the conception and further development of a baby. We will require this other person to confirm their acknowledgement of the way we process their personal data. For this reason, we will ask you for their e-mail address or telephone number.
4. 1. 3 Cognitive IVF’s purposes of the processing. We process your personal data for the following purposes:
- Provision of Services. We process the personal data described above for the purpose of the provision of Services to you, including sending payment reminders and handling potential complaint proceedings. This may also include, with your specific consent, transferring your data to third persons participating in the provision of Services, especially to the Clinic and other health professionals, such as collaborating physicians, and receiving data from these third persons. We process these personal data for the duration of the contractual relationship we have with you. For this purpose, the legal title for processing is necessity for the performance of the contract, and the exception for processing your health data is your consent.
- Research or study. In some cases and with your previous consent, we also process data collected during your participation in health research or a study, based on your consent or other legal title. These data may also be shared with the study sponsor, investigator and relevant research institutions. Personal data will be provided directly by you, observed, measured or inferred in the research or study, or provided to us by third parties, for example manufacturers of devices which measure your data. We may also receive data for the research or study from the Clinic and give it your data from the research or study for the purpose of healthcare services provision by the Clinic. Specific information about the processing of your data for this purpose, including the scope of data processed, recipients of data, duration of processing, involved entities etc., was presented to you in the informed consent to participation in the relevant research or study and, in detailed form, in the specific information about processing of personal data in the respective research or study.
- Further development of Service and increasing accuracy of recommendations with the use of health data. With your consent, we use your personal data, including health data, to increase the accuracy of recommendations from our Services with the use of health data. The legal basis and exception for the use of health data is your consent. For this purpose, we process your personal data for a period of 5 years from their collection, but in any case no longer than until the consent is revoked.
- Further development of Service without the use of health data. We also use some personal data to improve our Service and App, especially to train the AI algorithms that run the App to make your experience with our services even more enjoyable on the basis of the legitimate interest consisting of further improvement of our services.
- Performance of general legal duties. We also process your account data and payment data in accordance with the relevant accounting acts or acts on value-added tax, as we are obliged to store those documents for a certain time period (this specific time period may differ according to applicable law in each country). If there is such a legal obligation, we store the concerned documents together with your personal data for the time period as stated by the applicable law.
- Protection of our rights and legitimate interests. Further, we process your personal data described above on the basis of the legitimate interest consisting of recovery of our claims against you and/or protection and enforcement of our claims; the exception for processing your health data is the establishment, exercise or defence of our legal claims. For this purpose, we process your personal data for the period of time corresponding to the statutory limitation period.
- Promotion of Services and our other products. If you use the Services, we also use your personal data described above, with the exception of health data and logged activities, to promote our products and services, including sending promotional communications. The legal basis for this processing is our legitimate interest in the promotion of our activities, and we process your personal data for the duration of the contractual relationship and 2 years after.
- Receiving newsletters. We may also use your e-mail address for the purpose of sending newsletters to which you subscribed, on the basis of your consent. For this purpose, we process your personal data until you revoke this consent.
4. 1. 4 Data Anonymization. We will anonymize the data processed for the purposes defined above during the processing. These anonymized data cannot be linked, without taking additional steps, to any individual to whom such data may relate. Anonymized data will be used especially for the further development of Service and increasing accuracy of recommendations. Appropriate technical and organizational measures are used to safeguard individuals’ rights and freedoms and to prevent any reidentification of data subjects. We will not try to re-identify the individual to whom the anonymized data relates.
4. 2 Means of data processing. Your personal data are processed, in the scope and for the purposes described above, by automated means, which also includes using statistical methods. In certain cases, your personal data may also be processed manually.
4. 3 Children's data. We and the Clinic do not knowingly collect or solicit personal information from anyone under the age of 18. If you are under 18, please do not attempt to apply for the Services or send any personal data.
4.4 Consequences of failure to provide data. The provision of your personal data is a requirement necessary to enter into a contract for the provision of our Services. If these data are not provided, we will not be able to provide you with our Services.
5. Transfer of the personal data to third persons and the beneficiaries of the personal data
5. 1 Data Transfers. We are authorized to transfer the personal data we collect by the means described above to third persons, other than the Clinic, who provide some services relating to the provision of our Services, including administration or IT support, organization and storage of the personal data etc. These subjects are in the position of processors or controllers of your personal data.
5. 2 Recipients. We may share the collected personal data in particular with the following recipients:
- our suppliers of IT systems, who may have in specific cases access to your personal data and act as data processors;
- our external providers of accounting services that are necessary for fulfilling our legal obligations and act as data processors;
- our external providers of legal services that are necessary for the enforcement of our claims and for protection of our legal entitlements and act as data processors or data controllers;
- our sister companies and other subsidiaries such as Cognitive IVF UK LTD, who act as data processors or data controllers; and
- collaborating physicians of your choice participating in the provision of the Fertility Report Service, who act as data controllers; we have taken steps to ensure that all collaborating physicians are bound by the same strict data protection requirements.
You may also instruct us to share your personal information with providers of health services, physicians, fertility clinics, other than the Clinic, etc., who act as data controllers, especially in the case you choose to use the services of the provider of health services recommended by the App.
5. 4 Confidentiality and Exceptions. We, including the processors and controllers, are obliged to keep all the personal data confidential. The exception is the duty to report your personal data to the designated public authorities and other entities who are entitled to request the personal data by the law (i.e. Police, Tax authority etc.).
6. Security of your personal data
6. 1 Security Measures and Policies. We have introduced into our system the necessary technical and organizational measures of internal control and information security processes, which follow best practice corresponding to the potential risk to you. At the same time, we take into consideration the perspective of future technological progress in order to protect your personal data from unauthorized disclosure, access or loss. These measures include, but are not limited to, employees’ data protection training, regular backups of the data, the data recovery procedure, a mechanism of responsibility for an infringement of protected data, and software and hardware protection. We also adhere to strict policies and procedures when using or disclosing protected health information under HIPAA, especially the Privacy Rule Policies, Security Rule Policies and the Breach Notification Policy, and have appointed a Security Officer.
6. 2 Health Connect. The use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements.
7. Your rights
7. 2 Exercising the Rights. If you wish to exercise your rights or to receive the relevant information, contact us via one of our Contact details. When you contact us, we have to ask you to provide us with your identification information or other personal data which you have provided to us earlier. The provision of such information is necessary to verify that it is you who has actually sent the request. We will provide you with the answer no later than one month after receiving such a request, whereby we retain the right to extend this time period by two months.
7. 3 Your rights. In accordance with the applicable law, you have the right to access the personal data which we, as a controller of personal data, process, the right to rectification, erasure or transferability, the right to lodge a complaint, the right to require the restriction of the processing and the right to object to processing. At any time you may withdraw your consent to the processing of personal data.
7. 5 Erasure of your personal data. You may at any time send us a request for the erasure of your personal data. After you contact us with such a request and if one of the grounds for erasure of data applies, we will erase the affected personal data from our databases without undue delay, unless we process some of your personal data because of our legal obligation or for the establishment, exercise or defence of our legal claims.
7. 6 Withdrawal of the consent to the processing of personal data. You may at any time withdraw the consent to the processing of personal data that you granted us, without giving us any reason. If you want to withdraw your consent, let us know via one of our Contact details. Please take into account that the withdrawal of the consent does not affect the lawfulness of the previous processing on the basis of a given consent.
7. 7 Access and transferability of your personal data. You have a right to receive information about processing of your personal data and a copy of your personal data processed by us. If you require, we can transfer all or only part of your personal data provided by you (processed by automated means on the basis of the contract or consent) directly to a third person (another controller of personal data), whom you mention in your request for the transfer of the personal data, if such request will not have a negative effect on the rights and freedoms of other persons and will be technically feasible.
7. 8 Restriction of the processing. If you provide us with a request to restrict the processing of your personal data, especially in cases when you doubt the accuracy, lawfulness or our need to process your personal data, we will assess your request and may restrict the processing of your personal data to the necessary minimum (processing for assessment, enforcement or defence of our legal claims or because of the protection of the right of another natural or legal person or for other reasons). However, if the restriction of the processing is cancelled and we continue processing your personal data, we will give you notice of this without undue delay.
7. 9 Objection to processing. You have a right to object to processing of your personal data, based on your particular situation, at any time, where this processing is based on our legitimate interest. We will no longer process your personal data unless we are able to demonstrate compelling legitimate interest to do so or unless such processing relates to direct marketing.
7. 10 A complaint at the Office for personal data protection. You have a right to lodge a complaint regarding our processing of personal data at the UK Information Commissioner’s Office, with its registered office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK, website: https://ico.org.uk/, and at the Czech Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, Czechia, website: https://www.uoou.cz/.
7. 11 Access to protected health information. If we hold the protected health information in records that may be used to make decisions about them and we qualify as a covered entity under HIPAA, you have a right to access or amend your individual information or have an accounting of disclosures. If we do not act as a covered entity but as a business associate under HIPAA, we will forward your request to the applicable covered entity.
Questions and comments