Privacy Policy

Who are we?

We are Patientcards Ltd, a company registered in Truro, Cornwall, England, with registered office at Old Bakery Studios, Blewett’s Wharf, Malpas Road, Truro, TR1 1QH (we, us, our).

We provide an online platform (Patient Manager / Help at Hand app) which facilitates the provision of social prescription services by enabling health and social care professionals to set up patient profiles, make referrals to support and link workers and onward connections to community providers, and enables the exchange of notes about patients to help assess the social prescription services being provided (our Services).

In each case, we make Patient Manager / Help at Hand app available to designated users because we have been contracted to do so by our Client in connection with a particular Social Prescription Programme which our Client has decided to run.

What is this policy notice?

2.1 In order to provide our Services, we may need to process Personal Data from time to time (that is information from which an individual can be identified). This Personal Data may be about you or other people. This notice explains how we will use the Personal Data we hold. Patient Manager enables users to collect and share data. This notice only deals with our use of Personal Data. Recipients (including our Client and Professional Users) are not bound by this privacy notice.

(i) If you decide to take part in a Social Prescription Programme, it is up to you to ask your healthcare professional who might be given access to your data, and what data will be transferred.

(ii) If you upload Personal Data on to Patient Manager / Help at Hand app, it is up to you to make sure the recipient of any Personal Data you’ve sent will use the information as you intend.

2.2 We might need to change this privacy notice from time to time. If we do, we will let you know. So please do keep an eye on our notice before sending us any Personal Data or uploading it on to Patient Manager.

2.3 All of the defined terms in this notice are explained in paragraph 14 below. If you have any questions about this notice, feel free to send us an email to [email protected]

Whose data do we hold?

3.1 We hold Personal Data about the following groups of people (Data Subjects):

(i) Client Contact Data: that is Personal Data about our Client (including key contact data);

(ii) Prospective Client Data: that is Personal Data about prospective clients (including key contact data);

(iii) Professional User Data: that is Personal Data about the following groups of Data Subject:

(a) Administrative Users: any individuals who have been designated to use Patient Manager in order to manage an aspect of our Client’s Social Prescription Programme.

(b) Referral Agents: any individuals who have been designated to provide social prescription referrals as part of our Client’s Social Prescription Programme. This might be a general practitioner or other health or social care professional.

(c) Referral Handlers: any link or support workers who have been designated to use Patient Manager as part of our Client’s Social Prescription Programme.

(d) Community Providers: any individuals involved in providing programmes, activities, events or services in the community, who have been designated to provide services to Patients in connection with our Client’s Social Prescription Programme.

(iv) Patient Data: that is Personal Data about any individuals who have been identified to receive social prescription services as part of our Client’s Social Prescription Programme.

Are you a controller or a processor?

4.1 It depends on the data and how it is collected and used.

4.2 We are a Controller in respect of the following data:

(a) Client Contact Data. We collect and hold information about our clients for our own business purposes and we make decisions about how best to use that data.

(b) Prospective Client Data. We collect and hold information about prospective clients for our own business purposes and we make decisions about how best to use that data.

(c) Personal Data which we collect from a user of Patient Manager (User) outside the scope of our Services to our Client.

For example, this could include:

4.3 We are a Processor in respect of any Personal Data about Professional Users or Patients which our Client (Administrative Users or Referral Agents) gives us or which we collect on behalf of our Client to enable us to provide our Services.

Where do you collect personal data from?

5.1 We might collect Personal Data in the following ways:

Client Contact Data

(i) Direct interactions with our client: information which our Client provides us with directly about its key contacts, including:

Prospective Client Data

(i) Direct interactions with a prospective client: any information which a prospective client gives us when they contact us or we contact them. This might include their contact details, information about key contacts in the prospective client, information about their business and job role, their interests and needs.

(ii) Online traffic data: we may use cookies to find out about how people who visit our site use our site. If you would like to know more about our cookies policy, please click here.

(iii) Information which we collect from publicly available sources: to help make sure the right people know about what we do, we may carry out research to find out who we think might be interested in using Patient Manager. We may collect the following information about the personnel of prospective clients which we’ve identified:

Professional User Data

(i) Data given to us by Client personnel to facilitate the Social Prescription Programme: We will hold Personal Data about Professional Users primarily because they have been designated by our Client (or Administrative Users or Referral Agents) to take part in our Client’s Social Prescription Programme. This might include:

(ii) Direct interactions with Professional Users (when they use Patient Manager or contact us): This might include:

(iii) Online tracking: Patient Manager is set up to automatically collect certain information using cookies and other similar tracking technologies. As such, we may also collect information about how a Professional User uses Patient Manager. This might include:

Patient Data

(i) Data given to us by Client Personnel to facilitate the Social Prescription Programme: We will hold Personal Data about Patients primarily because they have been designated by our Client (or Administrative Users or Referral Agents) to take part in our Client’s Social Prescription Programme. This information may include the following:

(ii) Data added to Patient Manager by Professional Users: The majority of the data we will hold about Patients will be held because Professional Users upload it on to Patient Manager (or pull it over from their own system) and we will store it. This could be information about:

(iii) Data which a Patient gives us if they set up and use an account on Patient Manager or if they contact us directly. This might include:

(iv) Online Tracking: Patient Manager is set up to automatically collect certain information using cookies and other similar tracking technologies. As such, we may also collect information about how a Patient (who has decided to set up an account on Patient Manager) uses Patient Manager. This might include:

It is likely that some of the Personal Data which we collect and store on behalf of our Client, in relation to Patients, may include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.

General

5.2 We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with our Clients or any Users of Patient Manager. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.

How will you use the personal data you hold and what is your lawful basis for doing so?

Client Data

(i) We hold and process Client Contact Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Client Contact Data along with our lawful basis in the table below.

(ii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than a Client would reasonably expect; is likely to align with the Client’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of our Client.

To provide our services

Agreeing the parameters of the Social Prescription Programme and facilitating the set-up and managing payment

Identity Data, Contact Data, Transaction Data

Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

To manage our relationship with you

To notify you of updates to our (or our Licensor’s) services or software or updates to our privacy notice

Identity Data, Contact Data

Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

Administration and Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Identity Data, Contact Data, Transaction Data

Legitimate Interest

Marketing

From time to time we might contact you by telephone or email about updates to our services, new features or functions or new products we are bringing out. Our marketing may be tailored on the basis of what we think your interests are (from looking at data collected using cookies and other similar technologies as well as past transactions and interactions). We will always include the right to opt out in any such correspondence.

Identity Data, Contact Data, Transaction Data, Profile Data, Traffic Data

Legitimate Interest

Prospective Client Data

We hold and process Prospective Client Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Prospective Client Data along with our lawful basis in the table below.

Responding to your requests for information (solicited marketing)

This may involve sending you information about our services if you have asked us to do so or contacting you whether by telephone or email to discuss proposals for a Social Prescription Programme.

Identity Data, Contact Data

Necessary steps to enter into a contract

Profiling and Marketing

We may carry out research online (including by looking at traffic data collected by cookies and other similar technology) and through word of mouth in order to find businesses we think might be interested in hearing about Patient Manager. We may use such information to make marketing calls or send an email.

We are relying on legitimate interest as our legal basis for profiling and marketing. The legitimate interest being the promotion of our business. We believe that marketing of this kind is integral to getting our product known in the correct circles, and, since the marketing communication is targeted to individuals working in the field of Social Prescription, and we will only use contact details published on business websites, we believe that this will not be considered invasive by the Data Subject and in this case our interests and the Data Subject’s may be aligned.

Professional User Data

(i) Any Professional User Data which we have been given by our Client (Administrative Users or Referral Agents) or which we collect on behalf of our Client to enable us to provide our Services, we hold as a Processor. Provided we are acting in accordance with our Client’s instructions, we are not required to have a lawful basis for our processing. If you would like more information about who our Client is and their lawful basis, please contact us at [email protected] and we will pass your query to our Client.

(ii) Any Professional User Data which we collect directly from a Professional User but which falls outside the scope of our services to our client, we hold as a Controller which means we must have a ‘lawful basis’ for doing so. We have set out how we use Professional User Data along with our lawful basis in the table below.

(iii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use will go no further than a Professional User would reasonably expect; is likely to align with the Professional User’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of a Professional User.

(iv) We may also collect aggregate data about how a Professional User uses our software. This data will be anonymised and will not identify a Professional User.

Monitoring account usage

We may record usage patterns or other data we collect from your use of Patient Manager in order to make sure such use is in accordance with our terms of use.

Administration And Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)

If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Patient Manager and traffic data we’ve collected.

Patient Data

(i) Any Patient Data which we have been given by our Client (or Professional Users) or which we collect on behalf of our Client (including Professional Users) to enable us to provide our Services, we hold as a Processor. Given the nature of the services we facilitate, it is likely that this will include Special Categories of Personal Data. Provided we are acting in accordance with our Client’s instructions, we are not required to have a lawful basis for our processing. If you would like more information about who our Client is and their lawful basis, please contact us at [email protected] and we will pass your query to our Client.

(ii) Any Patient Data which we collect directly from a Patient but which falls outside the scope of our services to our Client, we hold as a Controller which means we must have a ‘lawful basis’ for doing so. We have set out how we use Patient Data along with our lawful basis in the table below. We do not envisage that any of the Patient Data which we hold as a Controller will include Special Categories of Personal Data.

(iii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use will go no further than a Patient would reasonably expect; is likely to align with the Patient’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of a Patient.

(iv) We may also collect aggregate data about a Patient’s use of Patient Manager and participation in the Social Prescription Programme. This data will be anonymised and will not identify any Patient.

Monitoring account usage

We may record usage patterns or other data we collect from your use of Patient Manager in order to make sure such use is in accordance with our terms of use.

Administration and Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)

If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Patient Manager and traffic data we’ve collected.

Will you disclose personal data to anyone else?

7.1 Disclosures of Patient Data made as part of the Social Prescription Services: The purpose of the Social Prescription Programme is to enable Professional Users to disclose and share information with each other about a patient’s progress in connection with the Social Prescription Programme. The decision to transfer Patient Data is made by the Professional Users themselves or a Patient (if they have set up their own account on Patient Manager).

If you have any questions about who your data might be transferred to if you take part in our Client’s Social Prescription Programme, please ask the Referring Agent or Referral Handler. If you don’t know who that is, feel free to send us an email at [email protected] and we will pass your query to our Client for them to contact you directly.

7.2 Disclosures of Personal Data by us to third parties. We may disclose Personal Data to third parties, for the following purposes:

(a) To employees and third parties (including professional advisors, such as lawyers and accountants) who are contracted to help us to provide Patient Manager and our business. Any such third parties and/or data processors contracted by us will be subject to strict contractual requirements only to use Personal Data in accordance with our privacy notice. If you would like more information about third party processors used by us, please contact us at [email protected].

(b) If we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements or to protect the operation of our website, or the rights, property, or safety of us, our customers, or others.

(c) Third parties if we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use Personal Data in accordance with the provisions set out in this privacy notice.

What security procedures do you have in place?

8.1 It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.  
Our cyber security has been penetration tested by Nettitude, A Lloyd’s Registered Company. For more information, please see our cyber security report. If you have any queries, please email [email protected].

For how long do you store personal data?

Client Contact Data

10.1 Our retention policies for Client Contact Data are as follows:

(a) we may store data related to financial transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective;

(b) we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(c) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date);

(d) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

Prospective Client Data

10.2 We will retain Prospective Client Contact Data for up to 1 year from the point of collection or last interaction. If a Prospective Client becomes a Client, the retention policy set out in paragraph 10.1 shall apply.

Professional Data

10.3 Any Professional User Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Professional Data.

10.4 Any Professional User Data which we hold as a Controller will be retained in accordance with the following provisions:

(a) we may archive data relating to disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(b) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date); and

(c) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

Patient Data

10.5 Any Patient Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Patient Data.

10.6 Any Patient Data which we hold as a Controller will be retained in accordance with the following provisions:

(a) we may archive data relating to disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(b) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date); and

(c) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

What rights does a data subject have about the personal data we collect and hold?

11.1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.

(a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.

(b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients to whom the personal data has/will be disclosed;
(iv) how long it will be stored; and
(v) if data wasn’t collected directly from the Data Subject, information about the source.

(c) Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete.

(d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s records.

(e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.

(f) Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.

(g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).

(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data Subject.

11.2 If you want to avail of any of these rights, you should contact us immediately at [email protected]. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.

What happens if I no longer want you to process personal data about me?

12.1 If we are holding Personal Data about you as a Processor, we will need to transfer your request to the Controller who has engaged us to provide our Services – that will be our Client. To the extent that we are holding Personal Data about you to facilitate our Client’s Social Prescription Programme, such a request is likely to impact on your ability to be a part of the programme.

12.2 If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to be a part of our Client’s Social Prescription Programme.

Who do I complain to if I’m not happy with how you process personal data about me?

13.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to [email protected]. If we are processing Personal Data about you on behalf of our Client, we will need to pass your complaint to our Client – we will only do so with your consent.
13.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.

COOKIES POLICY

WHAT IS A COOKIE?

1.1. A cookie is a small text file containing anonymous information (letters and numbers) which acts as an identifier that will be sent by our server to your computer or mobile device when you use our Site.

1.2. By allowing us to identify you, your user experience will be improved. For instance, our Site will be able to remember your preferred settings, user name and preferences, saving you time each time you log in.

2.1. In our provision of services to you, we use both ‘essential’ and ‘non-essential’ cookies.

2.1.1. ESSENTIAL COOKIES Some cookies are required to perform essential functions on our Site. We use essential cookies for purposes such as:

2.1.2. NON-ESSENTIAL COOKIES The table below explains the non-essential cookies we use and why

Blocking Cookies

3.1. By using our Site, you are consenting to our use of these non-essential cookies. If you do not consent to our using non-essential cookies you may opt to block the cookies by using the appropriate setting on your browser. For more information on how to disable cookies please see: https://www.allaboutcookies.org.

3.2. Please note that blocking cookies could affect some of the services provided on our Site.

Changes to our Privacy Policy:

Any changes we may make to our cookies policy in the future will be posted on this page.

Contact: Questions, comments and requests regarding this cookies policy are welcomed and should be addressed to: [email protected]

What do all of the defined terms in this privacy notice mean?

14.1 Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings: