- What information we collect and why we collect it.
- How we use that information.
- The choices we offer, including how to access and update information.
Transparency and choice
Information we collect
We collect information in the following ways:
- We collect information about you and your company as you register for an account with us, create or modify your profile, use, access, or interact with our services or our websites (including but not limited to when you upload, download, collaborate on or share content, including photos and videos). Such content includes any personal information or other sensitive information that you choose to include. For example, many of our services require you to sign up for an account with us. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. We may present your name, email address or image to other users in your organisation, or otherwise associated with your account, in order to assist in sharing or recommendations.
- Information we get from your use of our services. We may collect information about the services that you use and how you use them, like when you visit a website that uses our services, or you view and interact with our content. This information includes:
- Device information – We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). We may associate your device identifiers or phone number with your account.
- Log information – When you use our services or view content provided by us, we may automatically collect and store certain information in server logs. This may include:
- details of how you used our service, such as your search queries
- telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls
- Internet Protocol address
- device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL; and
- cookies that may uniquely identify your browser or your account.
- Location information – When you use a location-enabled service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.
- Unique application numbers – Certain services include a unique application number. This number and information about your installation (for example, the operating system type and application version number) may be sent to us when you install or uninstall that service or when that service periodically contacts our servers, such as for automatic updates.
- Local storage – We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.
Gmail Sign In User Data
To sign in to the PandemicCheck app, you will use your Gmail account, the credentials of which are stored in the Google servers. This login information is collected by us and is used to email you your PandemicCheck reports. This information is not sold or passed on to any third party or used for any other purpose at any time. You are able to opt out of this at any time. By signing into the PandemicCheck app, you give your consent for these details to be stored and used.
How we use information we collect
We may use the information we collect, including your personal information and transaction information, from all of our services in any one or more of the locations that PandemicCheck has operations or otherwise conducts business (these locations are currently the United Kingdom and Eire) for the following purposes:
- for internal and service-related purposes, such as to provide, maintain, protect, improve, and personalise our services, to develop new ones and to protect the rights, property, or safety of PandemicCheck and our users;
- to communicate with you in order to provide you with information we think may be useful or relevant to you;
- to promote our services and related services;
- to analyse information in order to offer aggregated anonymised data products to third parties;
- to facilitate the sharing of aggregated and anonymised information with third parties, including transaction data. An example of anonymised information would be the number of times a template is used or location data, which may be used by those third parties to inform judgements about the organisation using the software, but not about any individuals whose data is processed using the software;
- to monitor and analyse trends, usage, and activities in connection with our services and for marketing or advertising purposes or to offer you tailored content;
- to investigate and prevent fraudulent transactions, unauthorised access to or use of our services, and other illegal or unusual activities;
- to use the name you provide for your PandemicCheck profile across all of the services we offer that require a PandemicCheck account. In addition, we may replace past names associated with your PandemicCheck account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible PandemicCheck profile information, such as your name and photo;
- when you contact us, to keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements;
- from cookies and other technologies, to improve your user experience and the overall quality of our services;
- to combine information from one service, including personal information, into other PandemicCheck services – for example to make it easier to share things with people you know.
Retention of Personal Data
We’re required to keep some of your information for certain periods of time under law. When we no longer require your information, we’ll ensure that your information is destroyed or de-identified.
We may need to retain certain personal information after we cease providing you with products or services to enforce our terms, for fraud prevention, to identify, issue or resolve legal claims and/or for proper record keeping.
Disclosure of personal information outside EU
We store data on U.S.-based AWS servers, which have confirmed compliance with the GDPR. For further information, please follow the link to this AWS resource: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Information we share
We do not share personal information with companies, organizations and individuals outside of PandemicCheck, except in the following circumstances:
- To address fraud, security or technical issues
We will share your personal information with trusted third parties where necessary to detect, prevent or otherwise address fraud, security or technical issues.
- For legal reasons
We may disclose your information if required by applicable law, regulation or as part of any actual or prospective legal process (including if reasonably necessary to enforce applicable Terms of Service or in order to establish, exercise or defend our legal rights). If we receive a request from a regulatory body or law enforcement agency, and if permitted under GDPR, and other relevant laws pertaining at the time, we may disclose certain information to such bodies or agencies.
- Merger or acquisition
We have put in place robust measures regarding the security of the information we collect and store about you (including through the use of network and database security measures) and will use our reasonable endeavours to protect your personal data from unauthorised access to or unauthorised alteration, disclosure or destruction. In particular:
- We encrypt many of our services using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
- We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
- We restrict access to personal information to our employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
- We have multiple authentication and access control measures to ensure data is only accessed by authorised personnel.
- We enforce strong encryption of all data at rest through the use of the Advanced Encryption Standard (AES-256).
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our servers via third party networks; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
You may request details of the personal information that we hold about you. An administrative fee may be payable for the provision of such information. In certain circumstances, as set out in the Data Protection Act 2018, we may refuse to provide you with personal information that we hold about you.
If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.
If you believe that we have breached the Data Protection Act 2018 and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint.
Please note that clicking on links and banner advertisements that may appear from time to time on our apps and websites can result in your browser accessing a third party website, where data privacy practices are different to those of PandemicCheck.
We are not responsible for, and have no control over, information that is submitted to or collected by these third parties and you should consult their privacy policies.
If you have any enquiries or if you would like to contact us about our processing of your personal information, please contact us by any of the methods below. When you contact us, we will ask you to verify your identity.
Contact name: Privacy Officer
Appendix 1 – Your Rights
The Legal Basis for Processing your Information
Under GDPR, the main grounds that we rely upon in order to process personal data collected via our websites and services are the following:
- Necessary for entering into, or performing, a contract – in order to perform obligations that we undertake in providing a service to you, or in order to take steps at your request to enter into a contract with us, it will be necessary for us to process your personal data;
- Necessary for compliance with a legal obligation – we are subject to certain legal requirements which may require us to process your personal data. We may also be obliged by law to disclose your personal data to a regulatory body or law enforcement agency;
- Necessary for the purposes of legitimate interests – either we, or a third party, will need to process your personal data for the purposes of our (or a third party’s) legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your personal data protected. Our legitimate interests include responding to requests and enquiries from you or a third party, optimising our website, applications and customer experience, informing you about our products and services and ensuring that our operations are conducted in an appropriate and efficient manner;
- Consent – in some circumstances, we may ask for your consent to process your personal data in a particular way.
Your rights in respect of information we hold about you
You have certain rights in relation to personal information we hold about you. Details of these rights and how to exercise them are set out below. We will require evidence of your identity before we are able to act on your request.
Right of Access
You have the right at any time to ask us for a copy of the personal information about you that we hold. Where we have good reason, and if the GDPR permits, we can refuse your request for a copy of your personal information, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reasons for doing so.
Right of Correction or Completion
If personal information we hold about you is inaccurate, out of date or incomplete, you have a right to have the data rectified, updated or completed. You can let us know by contacting us at firstname.lastname@example.org.
Right of Erasure
In certain circumstances, you have the right to request that personal information we hold about you is erased e.g. if the information is no longer necessary for the purposes for which it was collected or processed or our processing of the information is based on your consent and there are no other legal grounds on which we may process the information.
Right to object to or restrict processing
In certain circumstances, you have the right to object to our processing of your personal information by contacting us at email@example.com, for example if we are processing your information on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests. You also have the right to object to use of your personal information for direct marketing purposes.
You may also have the right to restrict our use of your personal information, such as in circumstances where you have challenged the accuracy of the information and during the period where we are verifying its accuracy.
Right of Data Portability
In certain instances, you have a right to receive any personal information that we hold about you in a structured, commonly used and machine-readable format. You can ask us to transmit that information to you or directly to a third party organisation.
The above right exists only in respect of personal information that:
- you have provided to us previously; and
- is processed by us using automated means.
While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third party organisation’s systems. We are also unable to comply with requests that relate to personal information of others without their consent.
You can exercise any of the above rights by contacting us using any of the methods in the Contact section above.
Most of the above rights are subject to limitations and exceptions. We will provide reasons if we are unable to comply with any request for the exercise of your rights.
To the extent that we are processing your personal information based on your consent, you have the right to withdraw your consent at any time. You can do this by contacting us using the details in the Contact section above.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. It is specifically regulated under GDPR where such decisions are taken which have legal or other significant effects on individuals. It is permitted in the following circumstances:
- Where it is necessary to enter into or perform our contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated processing, unless we have a lawful basis for doing so, we have notified you and given you a right to challenge the decision or to require that the decision be taken by a person.
If you are unhappy about our use of your personal information, you can contact us using the details in the Contact section below. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:
Telephone: 0303 123 11113
Post: Information Commissioner’s Office
If you live or work outside the UK or you have a complaint concerning our activities outside the UK, you may prefer to lodge a complaint with a different supervisory authority. A list of relevant authorities in the EEA and the European Free Trade Area can be accessed here.
You have the right to receive our products and services on equal terms regardless of whether or not you exercise your rights under the GDPR.