Privacy Notice

1. Last Revision

The last revision on this document was done on the 13th of August 2020.

2. Glossary of terms

Please refer to the glossary of terms.


3. Purpose

This Privacy Notice describes our privacy practices to help you understand what personal data we collect, use, share and transfer, and to inform you about the controls and choices you can exercise in respect of your personal data.


4. Overview

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of data subjects inside the EEA.

The Protection of Personal Information Act, No. 4 of 2013, as amended from time to time (or POPI Act) is South Africa's equivalent of GDPR and is substantively similar to GDPR. It sets out conditions for responsible parties to lawfully process the personal information of data subjects (both natural and juristic persons).

This Privacy Notice is based on the General Data Protection Regulation (EU) 2016/679 (GDPR) and applies to customers and users in both the EU and South African jurisdictions. For the purposes of this Privacy Notice, Healthcent (Pty) Ltd's customers and users based in South Africa should interpret the following terms as interchangeable:

GDPR                                       POPI
Data Protection Officer (DPO)              Information Officer
Information Commissioner's Office (ICO)    Information Regulator
Controller                                 Responsible Party

Healthcent (Pty) Ltd ("Healthcent", "we", "us" and "our") is committed to ensuring the privacy and security of personal information entered while using the Services of the Signapps Platform. This Privacy Notice communicates how we collect, use, disclose and securely store the Personal Data provided to us through the Mobile and Desktop Applications and our Web Portal. It also explains how you can manage your information preferences.

We reserve the right to change this Privacy Policy from time to time by updating this page or by posting a new version on this website. We encourage you to check this page from time to time to review updates that may occur. This Privacy Policy supersedes any earlier version.


5. Who we are

For the purposes of this privacy notice, Healthcent (Pty) Ltd ("us", "we", or "our") is the data controller and operates the Services of the Signapps Platform (the "Signapps Platform"), which includes our Mobile and Desktop Applications, access to our Web Portal and our website getsignapps.com.

Our registered office address is: 22 Somerset Road, Greenpoint, Cape Town, South Africa, 8051

Our company number is: 2016/115627/07


6. Legal basis for processing


6.1. Our Users

For the personal data of Signapps Users, Healthcent (Pty) Ltd is the data controller.

We process your data on the basis of:

  1. Legal Obligation; and
  2. Consent.


6.2. Our Customers

Where a contract has been signed with a Customer, we process your data on the legal basis of contract.


6.3. Support Requests and Enquiries via our Website and Marketing

We process your data (the name, email address and mobile number that you enter) and any additional personal data you send us on the legal basis of legitimate interest.

For all individuals and users we rely on separate, explicit consent for direct marketing. You may withdraw your consent for direct marketing, fully or for specific purposes, at any time by emailing dpo@getsignapps.com or by unsubscribing from any digital marketing material we send you.


6.4. Patient Data

We process a special category of personal data for patients, and Article 9, paragraph 2(h) of the GDPR applies:

"processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

It should be noted that for the purposes of patient data Healthcent (Pty) Ltd is the processor of data and not the controller of data.

Should you have any queries relating to patient data, these need to be directed to the Customer with whom Healthcent (Pty) Ltd has contracted and whose Signapps Carespace you are a member of, as they are the controller of patient data.


7. Why do we need your personal data

Healthcent (Pty) Ltd has an obligation in terms of GDPR to take steps to restrict access to Signapps Carespaces to only those invited by members of the Signapps Carespace controlled by the data controller, in order to enable those members to secure the personal data of the patient. We do this by processing your name, mobile phone number and/or email address.

Your personal data is required to confirm your identity as a user, for the maintenance of accurate clinical communication records, and to identify you to other users who collaborate with you.

We also offer you the option to display additional personal data in an internal Signapps Directory for other users in the Signapps Carespace to view. Processing of this type of data is a necessity in order to display it on behalf of the user.


8. Data Protection Officer

Mr Michael Gluckman is our Data Protection Officer (DPO).

You can contact our DPO at dpo@getsignapps.com.

Written communication can be sent to our DPO at: 22 Somerset Road, Greenpoint, Cape Town, South Africa 8051.


9. Collection and processing of personal data


9.1. Personal Data of users necessary for securing personal data about patients

This section refers to the name, mobile phone number and/or email address of users (Healthcare Professionals).

We have determined that processing this personal data is necessary. Healthcent (Pty) Ltd has an obligation in terms of GDPR to take steps to restrict access to Signapps Carespaces to only those invited by members of the Signapps Carespace, controlled by the data controller, in order to enable those members to secure the personal data of the patient. We do this by processing the name, mobile phone number and/or email address of the healthcare professional.

In the context of our role as a controller of this particular personal data of our users, the lawful basis is legal obligation (Article 6, paragraph 1(c)).

Whilst using the services of the Signapps Platform, personal data is generated relating to your professional and/or clinical activities. This includes your user ID and the date and time stamp relating to messages or media sent (such as PDF files and imagery), and to Signapps Patient Threads created and edited. These are obtained by taking any action within the app and form part of the audit trail generated by the Service.


9.2. Other personal data of users

This section refers to the personal data of users (Healthcare Professionals) other than their name, mobile number and email address.

We have determined that processing this personal data is necessary:

We offer the user the option to display additional personal data in the Signapps Directory for other users in the Carespace to view. Processing of this type of data is a necessity in order to display it on behalf of the user.

In the context of Healthcent (Pty) Ltd's role as a controller of this type of users' personal data, the lawful basis is consent (Article 6, paragraph 1(a)).

When a user registers on the Signapps mobile app, they are presented with a screen, separate from the terms and conditions, requesting consent for processing:

  • other personal data including medical field, location of their practice, as provided by them specifically for display in the Carespace directory (optional)
  • their contact details for marketing purposes (optional)

Consent is indicated by the user by ticking each box accordingly. The checkboxes are unfilled by default.

Consenting to these processing activities is not a precondition for service.

This screen also details the name of our organisation and explains that they can withdraw consent at any time within the app. We have included instructions for how to find this information in the Frequently Asked Questions section of our website.

Withdrawal of the consent necessary for security will, as appropriate:

  • Hide the directory information from other users and trigger a request for erasure; or
  • Trigger removal from the marketing list and a request for erasure.

Consents are reviewed annually.


9.3. Personal Data collected for the purposes of providing support

We may also collect information from individuals, users and non-users, who contact us via email, telephone or our website getsignapps.com. This will include name, email address and telephone number.

We may use your personal data for providing the Service, including to:

  • Maintain and improve the Service
  • Contact individuals for the purposes of preventing or addressing service, security or technical issues
  • Answer queries from users directly
  • Maintain the service of the platform

We may hold your information in our CRM (Insightly). We use this information to understand the demand for our services and to improve how we operate.


10. Location of storage and processing of data

GDPR's security requirements also apply to the sub-processors Healthcent (Pty) Ltd utilises to deliver its service, as detailed in Section 2, Article 32 of the GDPR.

All sub-processors we have selected for integration into the Signapps platform provide sufficient guarantees about their security measures in contract.

The following list of sub-processors is used by Healthcent in respect of the Signapps platform and is updated from time to time. Links to each sub-processor's GDPR reference material and terms of service are also provided.


10.1. Infrastructure

Amazon Web Services

The personal data that we collect from you is stored in the European Union on Amazon Web Services (Europe) cloud servers, with all primary processing taking place in Ireland.

All generally available AWS services and features adhere to the privacy and data protection standards required of data processors by the GDPR. AWS is compliant with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI's Cloud Computing Compliance Controls Catalogue (C5).

TERMS OF SERVICE/AGREEMENT:

https://aws.amazon.com/agreement/

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Pubnub

TERMS OF SERVICE/AGREEMENT:

https://www.pubnub.com/legal/terms-and-conditions/

GDPR:

https://www.pubnub.com/products/security/gdpr/

https://www.pubnub.com/blog/security-gdpr-compliance/

https://www.pubnub.com/legal/privacy-policy/

MongoDB Atlas, hosted by MongoDB

TERMS OF SERVICE/AGREEMENT:

https://www.mongodb.com/cloud-terms-and-conditions

https://www.mongodb.com/technical-and-organizational-security-measures


10.2. Analytics and Logging

Amazon Web Services

TERMS OF SERVICE/AGREEMENT:

https://aws.amazon.com/agreement/

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Metabase

TERMS OF SERVICE/AGREEMENT:

https://www.metabase.com/terms/

Elasticsearch

TERMS OF SERVICE/AGREEMENT:

https://www.elastic.co/legal/terms-of-use

Sentry

TERMS OF SERVICE/AGREEMENT:

https://sentry.io/security

https://sentry.io/terms/


10.3. Customer Support

Trello

TERMS OF SERVICE/AGREEMENT:

https://www.atlassian.com/legal/cloud-terms-of-service

Insightly

TERMS OF SERVICE/AGREEMENT:

https://www.insightly.com/terms-of-service/


11. Sharing of information

We do not share your information with anyone outside Healthcent (Pty) Ltd without your explicit permission to do so.

Healthcent will not distribute any of your personal information or Client Data, to third parties, unless this is required to deliver the Services to you.

In addition, Healthcent may be obligated to disclose personal information to meet any legal or regulatory requirements of applicable laws.


12. Security Measures

Healthcent has implemented technology, policies and processes aimed at protecting the confidentiality, integrity and availability of your personal information. We will update and refine these measures on an ongoing basis.

We will take reasonable steps to protect your personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction. However, no internet transmission is ever fully secure or error free, and your use of the Services of the Signapps Platform is at your own risk; we will not be liable for any loss, misuse, unauthorised access, disclosure, alteration or destruction in this regard, unless occasioned by gross negligence or wilful misconduct.

Should you require more information about our policies and security measures, please email our Data Protection Officer at: dpo@getsignapps.com.


13. Cookies

We may store some information (commonly known as a "cookie") on your computer when you visit our website. This enables Healthcent to recognise you during subsequent visits. The type of information gathered is non-personal such as: the IP address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully.

Apart from merely establishing basic connectivity and communications, Healthcent may also use this data in aggregate form to develop customised services tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using) to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will, however, cause certain features of the Healthcent website not to be accessible.


14. Device data logging

When you access the Signapps Platform using the Signapps Mobile or Desktop applications, we collect certain data automatically, including, but not limited to, the manufacturer of your mobile device, the mobile device's IMEI number, the IP address of your device, your operating system and the type of mobile internet browser you use.


15. Retention of Personal Data

We will not retain your Personal Data for longer than is necessary.

Your account details are stored for as long as you maintain an account, for the original purpose for which they were collected. We may, however, be required to retain your personal data for the purposes of satisfying any legal (specifically medico-legal) or other reporting requirements.

  • Personal data of users necessary for securing personal data of patients - The user is informed at the time of collection on-screen in the app in a layered approach, and it is available in our Privacy Policy.
  • Other personal data of users - The user is informed at the time of consent, either on-screen in the app in a layered approach, or by email to the specified email address. The privacy information is also available in our Privacy Policy.


16. Data Subject Rights


16.1. Right to be informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

The method of informing someone about the collection and use of personal data depends on the type of personal data defined in Section 7 of the GDPR Act:

The user is informed at the time of consent, either on-screen in the app in a layered approach, or by email to the specified email address.

Further information is provided about processing in this Privacy Notice.


16.2. Right of access

You are entitled to request a copy of all personal data currently held about you, as well as the following information about your data:

  1. The purpose of processing;
  2. The categories of personal data concerned;
  3. The recipients to whom the personal data has been disclosed;
  4. The retention period for that personal data;
  5. The source of the personal data if it has been collected from a third-party.


16.3. Right to Rectification

We enable right of rectification for you in one of two ways:

  • As the user, you are able to edit your own personal data using the Signapps Platform.
  • We can rectify the data for you on your behalf.


16.4. The Right of Erasure

You may request erasure of any personal data of users necessary for securing personal data of patients that we hold on you, without undue delay, where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The data subject withdraws consent and no other legal ground for processing exists;
  3. The data subject exercises the right to object and no overriding legitimate grounds for processing exist;
  4. The personal data has been unlawfully processed;
  5. The personal data has to be erased for compliance with an overriding legal obligation;
  6. The personal data has been collected in relation to the offer of information society services.


16.5. The Right of Restriction

As an alternative to the right to erasure, you may ask us to cease processing your data, but not erase it entirely. This right applies when:

  • The personal data has been unlawfully processed and the individual opposes erasure and requests restriction instead;
  • We no longer need the personal data (for patient personal data: the retention period is about to pass) but the individual needs us to keep it in order to establish, exercise or defend a legal claim;
  • The individual has objected to us processing their data under Article 21(1), and we are considering whether our legitimate grounds override those of the individual.


16.6. The Right of Portability

The right to data portability does not apply where the lawful basis is legal obligation or consent and where the processing is not by automated means.


16.7. The Right to Object

The right to object does not apply where the lawful basis is legal obligation or consent.


17. How to exercise your rights

You may send us a request to exercise any of the above rights by emailing us at: dpo@getsignapps.com.

We will respond without delay and within one month. We also have a responsibility to verify the identity of the person making the request before we confirm that we process any personal data of the data subject concerned. Our method of identity verification is the provision of government-issued photo ID.

The request for restriction is recorded, considered and responded to in accordance with the Personal Data Requests Procedure. In cases where the restriction can be lifted, the individual is notified before it is lifted.


18. Questions and complaints

Should you wish to lodge a complaint, you should contact the DPO at the email address: dpo@getsignapps.com.

If you are unsatisfied with the DPO's response to the complaint lodged, then, under Article 77 of the GDPR, you have the right to lodge a complaint directly with the Information Commissioner's Office (ICO).

Under Article 80, you may authorise certain third parties to make a complaint on your behalf.


19. Changes to this privacy notice

This privacy notice may be updated periodically and without prior notice to you to reflect changes in our information practices or relevant laws. We will post a notice on our website, https://www.getsignapps.com, and send you an email to notify you if there are any substantive changes to the way we collect and use information. We will indicate at the top of the privacy notice when it was last updated.