Privacy Statement

We are iPlato Healthcare Ltd (“we”, “us”, “our”, ” iPlato”), a company registered in England & Wales with company number 6131747 and with registered offices at 13th floor, Millbank Tower, 21-24 Millbank, London SW1P 4QP.

We are committed to protecting and respecting your privacy. We are registered as a data controller under UK law, this means we are responsible for determining the purposes for which and the manner in which personal information provided directly to us is processed.

Personal Information is information that identifies you personally such as your name, photo or contact details, or data that can be linked with such information in order to identify you.

Please note, we also provide Patient Services on behalf of GPs, healthcare providers and NHS central services. In these cases, we are simply processing Patient personal information on their instruction. These parties are data controllers in their own right and have their own privacy policies.

What personal information do you give us / do we collect about you?

You may give us information about you by entering information on our website, filling in forms, or by corresponding with us by phone, e-mail or otherwise. You may also give us information, and we may collect and process information about you resulting from any interactions you undertake or services you request or source from us.

It will be clear at the time what personal information we are requesting from you. If you do not provide the personal information necessary or you withdraw your consent for the processing of your personal information where this information is necessary for us to provide the relevant Services to you, we will not be able to provide these Services to you. You don’t have to provide data and can simply choose to stop using our website or our additional Services.

Information we collect about you and your device.

Each time you use our website we automatically collect the following information:

• technical information, including the type of device you use, a unique device identifier, mobile network information, your mobile operating system, and time zone setting;
• information either accessed through your device or stored on your device which you have explicitly consented to sharing, and the providence of that data including the device used to collect that data, time, date; and
• details of your use of our site and services.

Information we receive from other sources.

To facilitate the provision of Patient Services, we may receive patient information from GPs or other healthcare providers. Such data may include Patient name, NHS number and relevant contact details as well as sensitive information including booked GP appointments. They provide such data to us to enable us to provide Patient Services on their behalf – we are not the controller for such data.

We DO NOT use your data for marketing purposes unless you provide us with explicit consent, or you are a business contact and have previously enquired about a similar service.

Personal information you submit to us via our website or that is provided to us by other means is generally required for providing relevant contracted services to you. However, we may also process your data for other reasons. Specifically, we use information held about you in the following ways:

Where it is in our legitimate interest

• To provide services to you or where we have a Patient Services contract with you.
• To register you for our applicable Services and manage your account and for our own internal administrative purposes.
• To provide you with applicable Services and to ensure that our website presents the correct version and data for your device.
• To update you on any developments or information about the applicable Services. These are strictly service emails and do not include marketing.
• To allow us to investigate and address queries, questions and complaints that affect your use of the applicable Services.
• To provide effective and responsive services.
• To review and enhance the quality of our services and products through details of your use of our website and applicable Services.
• To allow us to respond to general enquiries and feedback from you.
• To protect our business interests and assess our business effectiveness.
• For internal operations, including troubleshooting, detection of fraud, log data analysis, testing, security, audit and statistical purposes.

Where we rely on a legitimate interest to process your personal information, before we go ahead with such processing, we carry out a ‘legitimate interest assessment’ to ensure that the processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests.

Where we have a legal obligation

To make disclosures as required by or in compliance with reasonable requests by regulatory bodies including the General Medical Council or Care Quality Commission, or as otherwise required by law or regulation.

Where we have your consent

Any of the personal information we use contains data concerning health related information and racial or ethnic information, religious or philosophical beliefs, trade union membership data, genetic/ biometric data and sex life or sexual orientation data (together “Sensitive Information”). In addition to the above, where you provide this data to us directly through your use of our website or applicable Services, we rely on you having provided us explicit consent to use such data when you provide us with this personal information.

Additionally, you provide us with consent when opting-in to receive communications from us or our parent company Huma Therapeutics Limited (e.g. newsletter / marketing communications).

Where we rely on your GP or healthcare provider’s legal basis for processing

When delivering services on behalf of GPs or other healthcare providers, we may process personal data that includes Sensitive Information; we rely on the lawful basis of the GP or healthcare provider to use such data for healthcare purposes.

We will not sell your personal information.

We may share your personal data with additional processors which are typically cloud based software providers whose products and services we use, these include the following:

• Email, Office software tools and documentation repositories
• Finance systems
• CRM systems
• Product management, support and development systems

We may disclose your personal information:

• If we are under a duty to disclose or share your personal information to comply with any legal or regulatory obligation; or
• To enforce or apply our Terms and other agreements or to investigate potential breaches of such Terms; or
• To protect the rights, property or safety of iPlato, our customers, or others.
• To our parent company Huma Therapeutics Limited, where you have provided consent.

When providing Patient Services on behalf of a GP or other healthcare provider, we may share relevant Patient Information with them where this is required in the course of providing them with applicable Services.

We may store your personal information at our London office, or for digital data at our secure data centre or on Amazon Web Services, both hosted within the United Kingdom. If applicable all digital data will be encrypted when being transferred to and from us or to our data centre / AWS.

We take all steps reasonably necessary to ensure that your data is treated securely through strict procedures and security features to prevent unauthorised access to your personal information. However, we cannot guarantee the secure transmission of information via the internet due to security threats outside our control and as such, any transmission of information is at your own risk.

We will retain your personal information for as long as needed to fulfil the purposes outlined in the ‘How do we use your personal information?’ section above or for a period specifically required by applicable regulations or laws. For example, where you are registered for any of our Services, we generally keep your personal information for the duration of time you utilise the Service.

When determining the relevant retention periods, we will take into account factors including:

• our contractual obligations and rights in relation to the information involved;
• legal obligation(s) under applicable law to retain data for a certain period of time;
• statute of limitations under applicable law(s);
• our legitimate interests where we have carried out balancing tests (see section on ‘How do we use your information’ above);
• (potential) disputes; and
• guidelines issued by relevant data protection authorities

Otherwise, we securely erase or anonymise your personal information where we no longer require your information for the purposes collected.

Our website and other Services we offer may contain links to other independent third-party websites or mobile applications (“Third-party Sites”).

These Third-party Sites are not under our control, and we are not responsible for and do not endorse their content or their privacy policies (if any). You will need to make your own independent judgement regarding your interaction with any Third-party Sites, including the purchase and use of any products or services accessible through them.