PRIVACY POLICY
updated: 14 February 2024
This Privacy Policy (hereinafter, the Policy) governs the processing of personal data within any services and/or products provided by CHESTPAL LTD (hereinafter, CHESTPAL).
We place great importance on the protection of your personal data. Please take a moment to find out more about our Privacy Policy and contact us if you have any questions.
1. Terms and Definitions
1.1. For the purposes hereof, the following terms and definitions are used:
Website – the Website with the domain name “chestpal.com”.
ChestPal Pro – the mobile/web application designed for automatic lung auscultation that is intended for usage by healthcare professionals.
We (CHESTPAL) – CHESTPAL LTD.
You (User) – any individual (healthcare professional) that is using functional features of the Services and has reached the age of full legal capacity in accordance with the legislation of the country of their citizenship.
Services – any products and/or services provided by CHESTPAL and described in the current document.
2. Scope
2.1. This Policy shall govern any interaction between CHESTPAL and users related to personal data when using the Services.
2.2. This Policy neither governs nor determines the rights and obligations of third parties. It also does not apply to third-party applications or software available to users for integration with the Services. Thus, if you integrate any third-party applications with our Services, we will not be able to control how such applications process your personal data.
2.3. This Policy does not govern the processing of the personal data of users’ patients. All these processing activities are performed by CHESTPAL in the role of a data processor. If you are a patient, please consult your physician on the applicable privacy and data protection regulations established by them with regard to your personal data.
2.4. Please do not use the Services if you do not agree with the provisions and scope hereof.
3. Data Processing Roles
3.1. Depending on the context of our processing activities CHESTPAL can be a data controller in one situation and a data processor in another. For example, in the case of providing the functionality of our Services all the purposes and means of processing operations are established by the following legal entity as a data controller:
CHESTPAL LTD
Company number 14073885
63, Ship Street, Brighton BN1 1AE United Kingdom
email (general questions): [email protected]
email (personal data questions): privacy@chestpal.com
3.2. As prescribed by applicable regulations we are thoroughly describing how personal data is processed in those situations where we are acting as a data controller. Nevertheless, because our Services are intended for usage by healthcare professionals we can conduct some of the processing activities as a data processor as well. For transparency reasons, we are also indicating the categories of personal data that we are processing on behalf of our users as a data processor as well as usually applicable retention periods for it.
4. How We Process Your Personal Data On Our Website
4.1. We collect the following personal data on our Website:
(1) contact form data: first name, last name, email address, professional role, company, message content;
(2) newsletter data: email address, subscription status;
(3) customer support data: first name, last name, phone number, email address, professional role, company, message content, message attachments;
(4) registration data: e-mail address, authentication data (e.g. password), organization affiliation;
(5) payment data: billing details, financial transactions.
4.2. As a data controller for all the processing activities happening within our Website we will process your personal data only for the following purposes and on the following legal grounds:
Data type | Processing purposes | Legal basis | Retention period |
Contact form data | We process your contact form data to respond to inquiries you send via the contact form on the Website. | Our legitimate interest to answer your inquiries sent via contact form. | 3 years |
Newsletter data | We process your newsletter data to send you updates and news about our Services. | Your consent. | Until you opt out from our newsletter |
Customer support data | We process your customer support data to respond to your customer support inquiries and complaints. | Performance of our Terms of Service | 10 years |
Registration data | We process your registration data to create and register your account within our subscription module on our Website. | Performance of our Terms of Service | Until your account is deleted |
Payment data | We process your payment data to properly ensure payments for our Services. | Performance of our Terms of Service | As long as needed to comply with tax and payment regulations of respective jurisdiction. |
4.3. We do not use automated decision-making tools (including profiling) in personal data processing on our Website. Automated decision-making tools primarily include those systems that process your personal data without human intervention to make decisions that may have potential legal consequences for you.
5. How We Process Your Personal Data In ChestPal Pro
5.1. We collect the following personal data in ChestPal Pro:
(1) registration data: e-mail address, authentication data (e.g. password), biometric authentication data;
(2) technical data: device model, operating system and its language settings, application version, user’s country, city and region, advertisement ID, session duration, app events (e.g. first launches, app updates), in-app purchases;
(3) stethoscope data: Stethoscope ID.
5.2. As a data processor acting on behalf of healthcare professionals we also will be processing the following categories of personal data of our users’ patients in ChestPal Pro:
(1) profile data: patient ID, first name, last name, date of birth, gender;
(2) auscultation results: lung sounds and their analysis;
(3) medical info: chronic diseases, information about smoking and harmful working conditions, notes.
5.3. For those processing activities in ChestPal Pro where we are acting as a data controller the following purposes and the following legal grounds apply:
Data type | Processing purposes | Legal basis | Retention period |
Registration data | We process your registration data to create and register your account in ChestPal Pro. | Performance of our Terms of Service + Your consent in the case of biometric authentication | Until your account is deleted. |
Technical data | We process technical data in order to provide users with the possibility of proper and uninterrupted use of the functionality of the Services (for example, to log errors, send notifications, or select the right resources from the server) and for product improvement. | Legal interest to provide services, the availability of the functions of the Services and to improve their quality. | 14 months. |
Stethoscope data | We process stethoscope data in order to control users’ compliance with our Terms and Conditions. | Performance of our Terms of Service. | Until your account is deleted. |
5.4. We use automated decision-making tools (including profiling) in personal data processing activities conducted in ChestPal Pro: users’ patients’ auscultation results are analyzed with the involvement of computer software to enhance the auscultation process and make it more accurate and effective. Nevertheless, these profiling actions shall never be the sole basis for any decisions that are significantly affecting our users’ patients. All the results shall be checked by a healthcare professional before any medical conclusions are made.
6. Storage, Transfer And Disclosure
6.1. Your personal data will be stored on the servers of our counterparties that we are using for operating our Services.
6.2. We use Microsoft Azure service for operating our Services. Therefore, your data will be stored on the servers of the following legal entity:
Microsoft Ireland Operations Limited (Ireland)
Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
6.3. Employees of CHESTPAL shall also take all necessary organizational, legal and technical measures available to us for protection of your personal data. Users of the Services shall also be responsible to the maximum possible extent for the provision of accurate account details, keeping passwords and any other information required for authorisation confidential and its protection from unauthorized access by third parties.
6.4. If your personal data is transferred to any third party, the storage time will be determined in accordance with the privacy policy of such a third party. We will do our best to inform them about the deletion of your personal data if necessary.
6.5. Any personal data collected and processed hereunder shall be properly protected unless:
(1) you consent to their disclosure;
(2) such personal data are anonymised;
(3) such personal data are subject to disclosure under the applicable law.
6.6. We will do our best to keep your personal data protected by limiting the number of people who have access to your personal data, using anti-virus software, Web Application Firewall and traffic filtering for our servers that store personal data. However, despite any possible measures taken on our part, we cannot guarantee full protection of the Services against information security risks.
6.7. Your personal data could also be transferred to the following legal entities:
(1) Google Inc. (Ireland)
Address: Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
Google may have access to the personal data that you provide to us because we use Gmail service to respond to your request and Firebase, Data Studio, BigQuery and Crashlytics services for logging errors and for analytics.
(2) Amplitude, Inc. (USA)
Address: 201 Third Street, Suite 200, San Francisco, CA 94103
Amplitude may have access to the personal data that you provide to us because we use their services for analytics.
We use EU Commission Standard Contractual Clauses as well as respective transfer impact assessment as additional legal safeguards to enable this international data transfer to the USA.
(3) Stripe Inc. (USA)
Address: South San Francisco, 354 Oyster Point Blvd, United States
Stripe may have access to the personal data that you provide to us because we use their services to handle payments.
We use EU Commission Standard Contractual Clauses as well as respective transfer impact assessment as additional legal safeguards to enable this international data transfer to the USA.
6.8. To ensure the provision of our services, your personal data may also be transferred to a legal entity created after reorganization of CHESTPAL should it be necessary.
6.9. Please note that disclosure of your personal data may be required in accordance with the law and judicial procedures or at the request of public bodies of the country of your stay or other countries. Your personal data will be disclosed if it is necessary for the purposes of national security, law enforcement, protection of the rights and legitimate interests of CHESTPAL and third parties or for other substantial public interest purposes.
7. Children’s Personal Data
7.1. To the extent to which it is not prohibited by the applicable law, we do not authorize the use of our Services by individuals who have not reached the age of full legal capacity in accordance with the legislation of the country of their citizenship. We do not collect and process (at least knowingly) their personal data without the consent of their legal representatives.
8. User Rights
8.1. The rights of users related to the collection and processing of personal data shall be determined in accordance with the applicable law.
8.2. Your rights with respect to the collection and processing of personal data may be determined in accordance with applicable laws and regulations.
Therefore, you may access, change and/or make additions to, delete, restrict processing and migration of, object to or withdraw your consent to the processing of your personal data as well as lodge a complaint to the supervisory authority and opt-out from selling your personal data.
8.3. To exercise any of your rights above and any other rights guaranteed to you by applicable law and if you have any related questions, write to: [email protected]. For issues related to your personal data please contact: privacy@chestpal.com.
8.4. CHESTPAL reserves the right to verify your identity before exercising any rights at your request. In case we are not able to exercise any of your rights or provide any information, we will also explain the reasons to you.
9. Final Provisions
9.1. This Policy may be amended and (or) modified at any time during the operation of the Services. In this case, a notice with information about the changes, accompanied by the new version of the Policy and the date of its adoption, will be published in the Services. The User of the Services must read and acknowledge the new version hereof.
9.2. The Policy is an agreement between us and the User about the use of the Services. Any other pre-existing written or oral agreements or arrangements with respect to such use are hereby canceled.
9.3. If any provision hereof is invalid or unenforceable, other provisions shall remain valid and enforceable to the fullest extent permitted by applicable law.
9.4. Failure to enforce your strict compliance herewith cannot be construed as our waiver of any provision hereof or any right hereunder.