HDA
1. Introduction
Health Data Avatar ("HDA", "we", "our", "us") is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.
2. Who We Are
Data Controller: The data controller responsible for your personal data is Health Data Avatar.
Data Protection Officer: Hex Miller-Bakewell
Email: hex@healthdataavatar.com
3. What Data We Collect
We collect the following personal data directly from you when you use our services:
a) User-Provided Data
- Files you upload to the service, which may include sensitive medical data protected under Article 9 of the GDPR.
- Any additional data you provide as part of your interaction with the service (e.g., feedback).
b) Medical Data
- Medical data extracted from uploaded files is stored and processed alongside the original files.
- Having submitted medical data is not a requirement for accessing the service.
c) Feedback Data
- You may choose to provide feedback through the service.
- Any data provided for feedback purposes will be anonymised immediately.
4. Why We Process Your Data
We process your personal data on the following legal bases under the GDPR:
- a) Consent: When you choose to upload files, you give explicit consent for us to process and store that data to provide the service. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- b) Legitimate Interest: When you submit feedback, we first process the feedback to remove personal data. This allows us to improve our services while protecting your personal data.
5. How We Use Your Data
We use your personal data to process and store uploaded files and extracted medical data in order to provide the service, process and respond to feedback you provide, and comply with legal obligations and regulatory requirements.
6. For How Long Do We Store Your Data
We retain your data only for as long as necessary to provide the service or comply with legal requirements. Specifically, uploaded files and extracted medical data are held until no longer than one week after you request deletion or close your account.
7. How We Protect Your Data
Your data is stored securely on servers located within the European Union (EU) or European Economic Area (EEA). We apply appropriate technical and organisational measures to protect your data, including encryption, access controls, and regular security audits.
8. Automated Decision-Making
We do not use your personal data for automated decision-making, including profiling.
9. Age Restrictions
You must be at least 16 years old to consent to the processing of your personal data. If you are under 16, consent must be provided by someone with parental responsibility.
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access: You have the right to access and receive a copy of your personal data.
- Right to Rectification: You have the right to correct inaccurate or incomplete personal data.
- Right to Erasure: You can request that we delete your data.
- Right to Restrict Processing: You can request that we limit the processing of your personal data.
- Right to Data Portability: You have the right to receive your data in a structured, machine-readable format and to transfer it to another controller.
- Right to Object: You can object to the processing of your data where we rely on legitimate interests.
You can exercise these rights directly through the service or by contacting the DPO (contact details are at the top of this document). As processing sensitive health data presents a high risk to privacy, we have conducted a Data Protection Impact Assessment (DPIA) to ensure appropriate safeguards are in place. Any data breaches will be communicated to affected users within 72 hours.
11. How to Lodge a Complaint
If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by updating the effective date at the top of this policy.
13. Contact Us
If you have any questions or concerns about this Privacy Policy, please contact the Data Protection Officer, whose details are at the top of this document.