Substrakt Health Ltd ("we", "us", "our", "Substrakt Health"), a company registered in England & Wales with company number 09745077 with registered offices at 2a Victoria Works, Vittoria St, Birmingham. B1 3PE.We are committed to protecting and respecting your privacy. We are a data controller and processor under UK law This means we are responsiblefor determining the purposes for which and the manner in which the personal information provided to us is processed.
Personal Information means information that identifies you personally such as your name, date of birth, photo or contact details, or data that can be linked with such information in order to identify you.
Please note that we interact with other NHS third parties (including GPs, healthcare providers and NHS central services). In some cases we are simply processing your personal information on their behalf. Such third parties may also be data controllers in their own right and have their own privacy policies.
What does this statement relate to?
This statement sets out the basis on which any personal information we collect from you, or that you provide to us or that is provided to us by other third parties will be processed by us. Please read this statement carefully to understand our practices regarding your personal information and how we will treat it.
This Statement pertains to all other uses of any and all data collected by Substrakt Health in relation to the use of our website and/or other Product and Services including, but not limited to, PatientPack, Target and ClinicianPack.
How do we collect your personal information?
1. What personal information do you give us and we collect about you.
You may give us information about you by entering information on our website, products or support services, allowing us access to data about you held by third parties, filling in forms, or by corresponding with us by phone, e-mail or otherwise. You may also give us information, and we maycollect and process information about you resulting from, any interactions you undertake or services you request or source from us.
It will be clear at the time what personal information we are requesting from you. If you do not provide the personal information necessary or withdraw your consent for the processing of your personal information, where this information is necessary for us to provide the relevant Servicesto you, we will not be able to provide these Services to you. You don’t have to provide data and can simply choose to stop using our website or our additional Services.
2. Information we collect about you and your device.
Each time you use our website or products we automatically collect the following information:
- technical information, including the type of device you use, a unique device identifier, mobile network information, your mobile operating system, and time zone setting;
- information either accessed through your device or stored on your device which you have explicitly consented to sharing, and the providence of that data including the device used to collect that data, time, date; and
- details of your use of our site and services.
3. Information we receive from other sources.
We may receive information about you from third parties to facilitate provision of applicable Services. This may include information provided from your GP or other healthcare provider such as your name, NHS number and relevant contact details as well as sensitive information about you including your booked NHS appointments. They provide such data to us to enable us to provide the services to you.
How do we use your personal information?
We DO NOT use your data for marketing purposes or any purpose. In the event we need to share your data to support your healthcare with another NHS service or provider, we will always obtain your consent or permission prior to doing so.
Any personal information you submit to us via our website, products or that is provided to us by other means is generally required for providing relevant services to you. However, we may rely on other lawful basis for using your personal information. Specifically, we use information held about you in the following ways:
1. To provide services to you or where we have a contract with you
- To register you for our applicable services and manage your account and for our own internal administrative purposes.
- To provide you with applicable Services and to ensure that our website or products presents the correct version and data for your device.
- To update you on any developments or information about the applicable Services. These are strictly service emails and do not include marketing.
- To allow us to investigate and address queries, questions and complaints that affect your use of the applicable Services.
2. Where we have a legal obligation
To make disclosures as required by or in compliance with reasonable requests by regulatory bodies including the General Medical Council or Care Quality Commission, Information Commissioner’s Office (ICO) or as otherwise required by law or regulation.
3. Where it is in our legitimate interest
- To review and enhance the quality of our services and products through details of your use of our website and applicable Services. This is in our legitimate interest to ensure we continue to improve the services we provide to customers.
- To allow us respond to general enquiries and feedback from you. This is in our legitimate interest in providing a responsive service to customers.
- For internal operations, including troubleshooting, detection of fraud, log data analysis, testing, security, audit and statistical purposes. This is in our legitimate interest to protect our business interests and assess our business effectiveness.
Where we rely on legitimate interest as a ground for processing your personal information, we carry out an information and clinical risk assessment to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing. We keep a record of these information and clinical risk assessment. You have a right to the information contained in these assessments on request and can find out more by contacting us using the details below.
4. Where we have your explicit consent
Where any of the personal information we use contains data concerning health related information and racial or ethnic information, religious or philosophical beliefs, trade union membership data, genetic/ biometric data and sex life or sexual orientation data (together ”sensitive information”), in addition to the above, where you provide this data to us directly through your use of our website or applicable Services, we rely on you having provided us explicit consent to use such data when you provide us with this personal information.
5. Where we rely on your GP or healthcare provider’s Medical diagnosis or healthcare purposes
Where any of the personal information we use contains Sensitive Information, in addition to the above, where this data is received from your GP or other healthcare provider we rely on the lawful basis of the GP or healthcare provider to use such data for medical diagnosis or healthcare purposes.
When will we share your personal information?
We will not sell your personal information.
We may share your personal data with additional processors which are typically cloud based software providers whose products and services we use, these include the following:
- Support Management: ZenDesk
- SMS/Telecommunications Provider: FireText, Twilio
- Cloud Hosting: Amazon Web Services
The above organisations will comply with the guidance and legal use terms outlined within this document with no exception.
We may disclose your personal information:
- To you and your GP or other NHS healthcare provider (where required) in the course of providing the applicable Services to you; or
- If we are under a duty to disclose or share your personal information to comply with any legal or regulatory obligation; or
- To enforce or apply our Terms and other agreements or to investigate potential breaches of such Terms; or
- To protect the rights, property or safety of Substrakt Health, our customers, or others.
How do we store your personal information?
We may store your personal information at any of our offices, which are all located in the European Economic Area, or for digital data at our secure data centre which is located within the United Kingdom. If applicable all digital data will be encrypted when being transferred to and from us or to our data centre.
Your data will not be transferred outside of the European Economic Area.
We take all steps reasonably necessary to ensure that your data is treated securely through strict procedures and security features to prevent unauthorised access to your personal information. However, we cannot guarantee the secure transmission of information via the internet due to security threats outside our control and as such, any transmission of information is at your own risk.
How long do we keep your personal information?
We will retain your personal information for as long as needed to fulfil the purposes outlined in the ‘How do we use your personal information?’ section above or for a period specifically required by applicable regulations or laws. For example, where you are registered for any of our Services we generally keep your personal information for the duration of time you utilise that Service.
- When determining the relevant retention periods, we will take into account factors including:
- our contractual obligations and rights in relation to the information involved;
- legal obligation(s) under applicable law to retain data for a certain period of time;
- statute of limitations under applicable law(s);
- our legitimate interests where we have carried out information and clinical risk assessments (see section on ‘How do we use your information above);
- (potential) disputes; and
- guidelines issued by relevant data protection authorities.
Otherwise, we securely erase or anonymise your personal information where we no longer require your information for the purposes collected.
What about third party sites?
Our website and other Services we offer may contain links to other independent third-party websites or mobile applications (“Third-party Sites”).
These Third-party Sites are not under our control, and we are not responsible for and do not endorse their content or their privacy policies (if any). You will need to make your own independent judgement regarding your interaction with any Third-party Sites, including the purchase and use of any products or services accessible through them.
What rights do you have?
By law, you have a number of rights (subject to certain conditions) when it comes to your information.
Further information and advice about your rights can be obtained from the data protection regulator in your country (ICO). You can exercise any of these rights by contacting us through our details below.
Rights: What does this mean?
You have the right to object to certain types of processing, including processing where we rely on our legitimate interest as a grounds for processing.
You are entitled to have your information corrected if it is inaccurate or incomplete.
You are entitled to the right to erasure or to be forgotten. This enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right to erasure, there are exceptions.
You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
You have rights to obtain and reuse your information for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability.
You have the right to lodge a complaint about the way we handle or process your information with your national data protection regulator. See details of the UK data protection regulator in the contact us section below.
If you have given your consent to anything we do with your information, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your information with your consent up to that point is unlawful). Note that such withdrawal in certain circumstance may mean we can no longer continue to provide the Services to you.
We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests, or
- further copies of the same information.
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will come back to you and let you know.
Changes to this Privacy Statement
We update our privacy statement from time to time and any changes we may make to our privacy statement in the future will be posted online and, where appropriate, notified to you. The new terms may be displayed on-screen and you may be required to read and acknowledge them to continue your use of our website and services.
If you have any questions, comments and requests regarding this Policy, please get in touch with us:
Substrakt Health Limited
2a Victoria Works,
Data Protection Officer contact details:
2a Victoria Works,
If you are not satisfied with our response to a complaint you have made, or think we aren’t complying with data protection law, you can make a complaint to the UK data protection regulator – the Information Commissioner’s Office:
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone number: 0303 123 1113