Privacy Policy

This Privacy Policy describes how Infinity Health collects, uses and discloses information, and what choices you have with respect to the information.

We understand that your privacy is important to you and that you care about how your Personal data is used and shared online.

We respect and value the privacy of everyone who uses our "Services". We will only collect and use Personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the law.

We will collect, store, use and disclose Personal data in accordance with all applicable laws relating to the protection of Personal data, including the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, as amended or superseded from time to time, and any national implementing legislation (“Data protection laws”).

1. Applicability of this Privacy Policy

This Privacy Policy applies to Infinity Health’s software-as-a-service (SaaS) solutions, including Websites, Mobile Web Applications and Application Programming Interfaces (APIs) (collectively, the Services) and other interactions (i.e. customer support inquiries, user conferences, etc.).

This Privacy Policy does not apply to any third party applications or software that integrate with the Services through the Infinity Health platform (third party services), or any other third party products, services or businesses. Our Services may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of our Privacy Policy is deemed to occur upon your first use of our Services, websites or any other aspect of Infinity Health’s business. If you do not accept and agree with this Privacy Policy, you must stop using Services immediately.

2. Definitions and Interpretation

In this Policy the following terms shall have the following meanings:

  • “Account” means an account required to access and/or use certain areas and features of our Services;

  • “Cookie” means a small text file placed on your computer or device by our Services when you visit certain parts of our Services and/or when you use certain features of Services. Details of the Cookies used by Services are set out in section 15, below;

  • “Cookie law” means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003;

  • “Customer data” means any data of any type that is submitted to our Services by or on behalf of the Customers and/or generated by the Services in the course of their usage;

  • “Data protection laws” means the ways in which information about living people may be legally used and handled. The main intent is to protect individuals against misuse or abuse of information about them;

  • “GDPR” means the regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of Personal data outside the EU and EEA;

  • “Personal data” means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means Personal data that you give to Us directly via our Services. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (GDPR);

  • “Services” means our websites (including without limitation infinity.health and infinityhealth.io and any successor URLs, mobile or localised versions and related domains and subdomains), and products, applications and services, in each case in whatever format they may be offered now or in the future;

  • “Third party services” means an entity that is involved in some way in an interaction that is primarily between two other entities; and

  • “We/Us/our” means Infinity Health Limited, a limited company registered in England under company number 08783651 whose registered address is 35 Ballards Lane, London N3 1XW.

3. Information About Us

All our Services are owned by Infinity Health Limited, a limited company registered in England under company number 08783651 whose registered address is 35 Ballards Lane, London N3 1XW.

Our Data Protection Officer can be contacted by email at [email protected] or by post at Data Protection Officer, Infinity Health Limited, 45 Circus Road, London NW8 9JH.

4. What is Personal data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

Please note that we provide users the ability to determine which of these Personal data points are collected and which are not. We are therefore classed as a data processor not a data collector ourselves.

5. Data We Collect and Receive

Infinity Health is the Processor of Customer data. We will store the information that you submit to our Services and this information belongs to you and makes you the Controller of that information. Please note that we provide users the ability to determine which Personal data are collected and which are not.

Infinity Health is the Controller of users’ Personal data, which we collect in different ways. We store only necessary information about your identity in order to verify you as a user of our Services, so that we keep the Services we provide secure.

We may store other information such as how you interact with our Services, so that we can continuously work towards improving them. For example, we collect information when users register for an Infinity Health account, respond to Infinity Health emails or surveys, or pay for our Services. The Personal data that we may collect includes:

  • name;

  • date of birth;

  • gender;

  • NHS number;

  • health data;

  • business/company name;

  • job title;

  • profession;

  • contact information such as email addresses and telephone numbers;

  • financial information such as credit/debit card numbers;

  • IP address;

  • web browser type and version;

  • operating system;

  • services metadata;

  • information about your location.

6. Your Rights

As a data subject, you have the following rights under the GDPR, which this Policy and our use of Personal data have been designed to uphold:

  1. The right to be informed about our collection and use of Personal data;

  2. The right of access to the Personal data We hold about you (see section 12);

  3. The right to rectification if any Personal data We hold about you is inaccurate or incomplete (please contact Us using the details in section 17);

  4. The right to be forgotten – i.e. the right to ask Us to delete any Personal data We hold about you (We only hold your Personal data for a limited time, as explained in section 8 but if you would like Us to delete it sooner, please contact Us using the details in section 17);

  5. The right to restrict (i.e. prevent) the processing of your Personal data;

  6. The right to data portability (obtaining a copy of your Personal data to re-use with another service or organisation);

  7. The right to object to Us using your Personal data for particular purposes; and

  8. Rights with respect to automated decision making and profiling.

Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their Personal data. Subject to any exemptions provided by law, you may have the right to request access to Personal data, as well as to seek to update, delete or correct this Data. You can make a subject access request by contacting us at [email protected]

If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.

7. How We Use Your Data

All Personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the GDPR at all times. For more details on Security see section 16, below.

Our use of your Personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your Personal data (e.g. by subscribing to emails), or because it is in our legitimate interests. Specifically, We may use your data for the following purposes:

  • Providing and managing your Account;

  • Providing and managing your access to Services;

  • Supplying our products to you (please note that We require your Personal data in order to enter into a contract with you);

  • Personalising and tailoring our products for you;

  • Replying to emails from you;

  • Market research;

  • Analysing your use of Services and gathering feedback to enable Us to continually improve Services and your user experience;

  • To provide, update, maintain and protect our Services, Websites and business;

  • As required by applicable law, legal process or regulation;

  • To communicate by responding to requests, comments and questions;

  • To develop and provide search, learning and productivity tools and additional features;

  • To send emails and other communications;

  • For billing, account management and other administrative matters; and

  • To investigate and help prevent security issues and abuse.

  • With your permission and/or where permitted by law, We may also use your data to contact you by email or by phone with information and news on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that We fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

  • Third Parties (including Intercom, whose content appears on Services for the purposes of providing an online knowledge base for users of our services and for providing customer support) may use third-party Cookies, as detailed below in Part 15. Please refer to Part 15 for more information on controlling cookies. Please note that we do not control the activities of such third parties, nor the data that they collect and use themselves, and we advise you to check the privacy policies of any such third parties.

  • You have the right to withdraw your consent to Us using your Personal data at any time, and to request that We delete it.

8. Data Retention

  • We only collect and process the minimum amount of Personal data required to deliver the Services.

  • We only keep your Personal data for as long as We need to in order to use it as described above in section 7, and/or for as long as We have your permission to keep it.

  • We do not keep your Personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Data will therefore be retained for the following periods (or its retention will be determined on the following basis):

    • for six months after the licence agreement entered into between you and Us when you purchase any of our products through the Site is terminated, for whatever reason, to allow you time to request the return or deletion of your data; or

    • in accordance with your instructions; or

    • as required by applicable law.

9. Data Destruction 

Retention periods for clinical data follow the schedules defined in the Records Management Code of Practice for Health and Social Care 2016. Infinity does not keep any data for longer than is necessary.

User data is retained for as long as any related outcomes data is retained (for example, who completed a task for a given Patient). Should a contract cease, the Customer can request Infinity to remove any data collected during delivery of the Services and this would be provided to the Customer. Instances of data relevant to that contract will then be eradicated from Our systems.

10. How and Where Do We Store Your Data?

Some or all of your Personal data and Customer data may be stored outside of the European Economic Area (“the EEA”) (The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein). You are deemed to accept and agree to this by using Services and submitting information to Us. If We do store data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the GDPR.

Data security is very important to Us, and to protect your data We have taken suitable measures to safeguard and secure data collected through Services including:

  • Registration with the Information Commissioner’s Office;

  • SSL Certificate;

  • ISO 27001 Certified;

  • Information Governance Toolkit.

11. Do We Share Your Data? 

This section describes how Infinity Health may share and disclose Personal data. Customers determine their own policies and practices for the sharing and disclosure of Customer data, and Infinity Health does not control how they or any other third parties choose to share or disclose that Data.

We may sometimes contract with third parties to supply products and services to you on our behalf. These may include payment processing or delivery of goods. In some cases, the third parties may require access to some or all of your Personal data. Where any of your Personal data is required for such a purpose, we will take all reasonable steps to ensure that your Personal data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under the law.

We may compile statistics about the use of Services including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with Personal data and used to identify you. We may from time to time share such data with third parties such as prospective investors, affiliates, partners, and advertisers. Personal data will only be shared and used within the bounds of the law.

We may sometimes use third party data Processors that are located outside of the EEA all of which have certified their compliance with the EU – U.S. & Swiss-U.S. Privacy Shield Framework. Where We transfer any Personal data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the GDPR including:

Name: Heroku, Inc., Amazon Web Services, Inc. Purpose: Cloud infrastructure provider Data disclosed: Users' Personal data and User Content

Name: Stripe, Inc. Purpose: Payment processor Data disclosed: Customers' Personal data

Name: Intercom, Inc. Purpose: Cloud-based customer support services Data disclosed: Users' Personal data

Name: MailChimp Purpose: Email contact Data disclosed: Shareholders' Personal data

Name: SendGrid, Inc. Purpose: Email notification services Data disclosed: Users' Personal data

Name: Wildbit, LLC. (Postmark) Purpose: Email notification services Data disclosed: Users' Personal data

Name: Google, Inc. Purpose: Website and web application analytics services Data disclosed: Website visitors' Personal data

Name: Cloudflare, Inc. Purpose: DNS and web firewall services Data disclosed: Users' and Website Visitors' Personal data

Name: Rapid7 Ireland Limited (Logentries.com) Purpose: Cloud-based application log management Data disclosed: Users' Personal data

Name: Functional Software, Inc. (Sentry) Purpose: Error tracking system Data disclosed: Users' Personal data

In certain circumstances, We may be legally required to share certain Personal data held by Us, which may include, for example, where We are involved in legal proceedings, where We are complying with legal requirements, a court order, or a governmental authority.

12. What Happens If our Business Changes Hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use that data only for the same purposes for which it was originally collected by Us.

In the event that any of your Personal data is to be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will not, however, be given the choice to have your data deleted or withheld from the new owner or Controller.

13. How Can You Control Your Data?

In addition to your rights under the GDPR, set out in section 4 and 7, when you submit Personal data via Services, you may be given options to restrict our use of your data. In particular, We aim to give you strong controls on our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from Us which you may do by unsubscribing using the links provided in our emails and at the point of providing your details and by managing your Account).

You may also wish to sign up to one or more of the preference Services operating in the UK:

  • Telephone Preference Service (“the TPS”)

  • Corporate Telephone Preference Service (“the CTPS”)

  • Mailing Preference Service (“the MPS”)

These may help to prevent you receiving unsolicited marketing. Please note, however, that these Services will not prevent you from receiving marketing communications that you have consented to receiving.

14. Your Right to Withhold Information

You may access certain areas of our Services without providing any data at all. However, to use all features and functions available on our Services you may be required to submit or allow for the collection of certain Personal data.

You may restrict our use of Cookies. For more information, see our Cookie Policy.

15. How Can You Access Your Data?

You have the right to ask for a copy of any of your Personal data held by Us (where such data is held). Under the GDPR, no fee is payable and We will provide any and all information in response to your request free of charge. Please contact Us for more details at [email protected], or using the contact details below in section 17.

You can also contact the Information Commissioner’s Office (ICO) should you have any concerns about our conduct in retaining and releasing your data upon request. The ICO website can be found at: www.ico.org.uk

16. Our Use of Cookies

Our services do not use Cookies on your computer or device under any circumstances.

17. Security

Infinity Health takes security of data very seriously. Infinity Health works hard to protect Data you provide from loss, misuse, and unauthorised access or disclosure. These steps take into account the sensitivity of the Personal and Customer Data we collect, process and store, and the current state of technology. Infinity Health has received internationally recognised security certifications for ISO 27001 (information security management system). To learn more about current practices and policies regarding security and confidentiality of the Services, please see our Security Policy. Given the nature of communications and information processing technology, Infinity Health cannot guarantee that Data, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.

18. Contacting Us

If you have any questions about Services or this Privacy Policy, you may direct questions or concerns to Elliott Engers, our Data Protection Officer:

Elliott Engers

Infinity Health

3rd Floor, 114a Cromwell Road, London, England, SW7 4AG

Email: [email protected]

or our Clinical Safety Officer:

Dr Jo Garland

Infinity Health

3rd Floor, 114a Cromwell Road, London, England, SW7 4AG

Email: [email protected]

19. Changes to our Privacy Policy

We may change this Privacy Policy from time to time (for example, if the law changes). Any changes will be immediately posted on our Services and you will be deemed to have accepted the terms of the Privacy Policy on your first use of Services following the alterations. We recommend that you check this page regularly to keep up-to-date.

Last updated: 21/03/2023