Skin Analytics is committed to safeguarding your privacy.
Skin Analytics Ltd is the controller and responsible for your personal data. References to “Skin Analytics”, “we”, “us” or “our” are references to Skin Analytics Ltd.
Our data protection officer is responsible for overseeing compliance with data protection. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data protection officer using the details set out below.
Data protection officer: Dr Helen Marsden
Skin Analytics Ltd
Unit 2.04, The Frames, London, EC2A 4PS
If you have any concerns or would like to make a complaint about our processing of your data please contact our data protection officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Personal Data – any information relating to an identified or identifiable natural living person.
Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data.
Data subject – a natural living person whose Personal Data is being Processed.
Child – a natural living person under 16 years of age.
We/us (either capitalized or not) – Skin Analytics Ltd
Purpose – Processing is limited to the purpose of providing a skin cancer check service
Data Protection Principles
We promise to follow the following data protection principles:
- Processing is lawful, fair, transparent. Our Processing activities have lawful grounds. We always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request.
- Processing is limited to the purpose. Our Processing activities fit the purpose for which Personal Data was gathered.
- Processing is done with minimal data. We only gather and Process the minimal amount of Personal Data required for any purpose.
- Processing is limited with a time period. We will not store your personal data for longer than needed.
- We will do our best to ensure the accuracy of data.
- We will do our best to ensure the integrity and confidentiality of data.
Data Subject’s rights
The Data Subject has the following rights:
- Right to information – meaning you have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.
- Right to access – meaning you have the right to access the data collected from/about you. This includes your right to request and obtain a copy of your Personal Data gathered (a “Subject Access Request”). If you would like to know more, please contact our DPO using the details above.
- Right to rectification – meaning you have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.
- Right to erasure – meaning in certain circumstances you can request for your Personal Data to be erased from our records.
- Right to restrict processing – meaning where certain conditions apply, you have the right to restrict the Processing of your Personal Data.
- Right to object to processing – meaning in certain cases you have the right to object to Processing of your Personal Data, for example in the case of direct marketing.
- Right to object to automated Processing – meaning you have the right to object to automated Processing, including profiling; and not to be subject to a decision based solely on automated Processing. This right you can exercise whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.
- Right to data portability – you have the right to obtain your Personal Data in a machine-readable format or if it is feasible, as a direct transfer from one Processor to another.
- Right to lodge a complaint – in the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled please contact us.
- Right for the help of supervisory authority – meaning you have the right for the help of a supervisory authority and the right for other legal remedies such as claiming damages.
- Right to withdraw consent – you have the right withdraw any given consent for Processing of your Personal Data.
To exercise your rights, or to get in touch with our Data Protection Officer please see the details above.
Data we gather
Information you have provided us with
This might be your e-mail address, name, billing address, home address etc – mainly information that is necessary for delivering you a product/service or to enhance your customer experience with us. We only collect this information when you expressly provide it to us in a contact form or similar.
Information automatically collected about you
This includes information that is automatically stored by cookies and other session tools. For example, pages visited on our website, your IP address etc. This information is used to improve your customer experience. When you use our services or look at the contents of our website, your activities may be logged. More information about cookies and how we use them see the cookie section below.
Information from Healthcare Providers
We gather information from Healthcare Providers with confirmation that they have legal grounds to share that information with us. This is either information you have provided them directly with or that they have gathered about you on other legal grounds.
How we use your Personal Data
We use your Personal data under the following Legal Bases:
On the grounds of Legal Obligation, and if the service is delivered to NHS patients, also Public Task, we Process your Personal Data for the following purposes:
- to provide healthcare services related to assessing skin lesions for skin cancer; and
- to audit the quality of healthcare services related to assessing skin lesions for skin cancer;
On the grounds of entering into a contract or fulfilling contractual obligations, we Process your Personal Data for the following purposes:
- to identify you;
- to communicate in response to your queries;
- to enhance your customer experience;
- to provide you a service or to send/offer you a product; and
- to communicate either for sales or invoicing.
On the ground of legitimate interest, we Process your Personal Data for the following purposes:
- to administer and analyse our client base (purchasing behaviour and history) in order to improve the quality, variety, and availability of products/ services offered/provided;
- to conduct questionnaires concerning client satisfaction; and
- to provide accurate well thought out answers to your queries.
With your consent we Process your Personal Data for the following purposes:
- to send you newsletters and campaign offers;
- to use any of the images and data that you upload to the Website and/or App for the purposes of medical, clinical and commercial training and research. Where possible this data will be anonymised or pseudonymised and no identifiable data will be published without your additional explicit consent; and
- for other purposes, other than the Service, for which we have asked your consent for.
We might process your Personal Data for additional purposes that are not mentioned here, but are compatible with the original purpose for which the data was gathered. To do this, we will ensure that:
- the link between purposes, context and nature of Personal Data is suitable for further Processing;
- the further Processing would not harm your interests;
- there would be appropriate safeguard for Processing; and
- We will inform you of any further Processing and purposes where possible.
We reserve the right to completely anonymise Personal Data gathered and to use any such anonymised data. We will use data outside the scope of this Policy only when it is anonymised.
Who else can access your Personal Data
If you accessed our services through a healthcare provider (e.g. Private Insurer, an NHS CCG or Trust) we will share your personal data with these partners as required to fulfil the healthcare service that we or they are providing to you. In order to deliver our service we also share your data with our trusted partners for the following reasons (a full list of data Processors is available on request from Skin Analytics):
- Amazon Web Services – provision of secure servers
- Mailchimp – provision of email services
- Pro4People – outsourced software development
- Subcontracted Dermatologists – expert assessment of images of lesions
- iPrimary Care Limited – provision of a GP call-back service
- Stripe Inc – card payments
- HubSpot Inc – provision of sales software
We only work with Processing partners who are able to ensure an adequate level of protection to your Personal Data (GDPR Compliant). We disclose your Personal Data to third parties or public officials only when we are legally obliged to do so. We might disclose your Personal Data to other third parties if you have consented to it or if there are other legal grounds for it.
How we secure your data
We do our best to keep your Personal Data safe. We use safe protocols for communication and transferring data (such as HTTPS). We anonymise and pseudonymise data where suitable. We monitor our systems for possible vulnerabilities and attacks. We have a Senior Information Risk Officer (SIRO) who regularly reviews our security to ensure we meet best practice requirements.
Even though we try our best we can not guarantee the security of information. However, we promise to notify suitable authorities of data breaches. We will also notify you if there is a threat to your rights or interests. We will do everything we reasonably can to prevent security breaches and to assist authorities should any breaches occur.
If you have an account with us, note that you have to keep your username and password secret.
We will retain your personal data in line with legal requirements to maintain medical records.
Data Protection Impact Assessments
We take data protection very seriously and we have compiled a Data Protection Impact Assessment (DPIA) for each of our products. DPIAs help us to identify and understand the data that we manage and is the starting point for our data protection controls.
Our DPIAs are available upon request.
We do not intend to collect or knowingly collect information from children. We do not target children with our services.