1. Identification of the Controller
IBSA PHARMA LTD., a company domiciled at 4-6 Colonial Business Park, Colonial Way, Watford WD24 4PR, United Kingdom with Company number 03929804 (“IBSA Pharma UK”) is the Controller of your personal data, which is collected and processed in order to provide you the services and content identified in this application (the “Aura App”).
IBSA Pharma UK is committed to the protection of your personal data and this privacy policy is intended to inform you of your rights as a data subject. IBSA Pharma UK processes personal data in compliance with UK data protection legislation (which includes the Data Protection Act 2018 and the UK retained General Data Protection Regulation 2016/679) and the six principles of the UK data protection legislation which are (i) Lawfulness, fairness and transparency; (ii) Purpose limitation; (iii) Data minimisation; (iv) Accuracy; (v) Storage limitation; (vi) Integrity and confidentiality. This App is designed with personal data protection principles at its core and is compliant with UK data protection legislation.
This App is not intended or designed for use by minors (under the age of 18 years) and IBSA Pharma UK does not knowingly or intentionally collect personal data of minors under 18 years of age. If you believe a minor has accessed the App and uploaded personal data, please contact us to notify us so we can remove the records and any personal data relating to the minor.
IBSA Pharma UK has appointed a data protection officer (“DPO”), Ellis Chung, in compliance with the Data Protection Act 2018, who is at your disposal for any doubts or queries you may have regarding data protection or in relation to our privacy policy, and whom you may contact via e-mail: [email protected].
For some of the processing activities identified in this Privacy Policy, IBSA Pharma UK acts as a joint-controller with clinics, as set out in section 4 of this Policy.
2. What information will we collect from you?
a) The data you provide directly to us.
We collect personal data about you when you register and create an account in the App, or respond to questions during our onboarding process, complete mood logs in the App, contact us or subscribe to our newsletters or reply to our satisfaction surveys. When you use our services, you may submit personal data including health-related personal data (so called “special category data”) if you provide information relating to your health and any fertility process or other medical treatment you are having and when you contact us via our Chat Section. We use your personal data and your health data in order to offer you personalised content and services through the App.
In each of our forms and questionnaires, we will identify the information that is mandatory to fill in, where omission of information may mean it is impossible for us to provide the services requested.
It is essential that you keep your reference data, passwords and access codes safe at all times. You will be solely responsible for the use of your personal account, and in this respect, you undertake to keep your passwords and access codes securely to prevent access by third parties, and to inform us, without delay, of their loss or theft (were it to arise).
In order to ensure that the information provided is always up to date and error-free we rely on you to notify us of any update as soon as possible, by making any change required to your personal data in your profile configuration panel.
Where we collect your personal data for consent-related uses, your consent will be given by your clicking on the “I accept” (or equivalent) button incorporated in the relevant form, indicating that you accept the proposed processing and use of your personal data. If at any point there are any changes that apply to how your data is collected or used, we will re-obtain your consent and inform you clearly of the changes and implications.
b) Data obtained indirectly through third parties.
We may collect your personal data indirectly, through third parties. The clinic you are receiving treatment from will share your name and basic personal data with us to enable you to create an account on this App (personal data which they have collected from you and obtained your consent to use and share with us).
We do not use cookies on the App that track any personal data or device data or IP addresses. Any cookies used gather only anonymous and aggregated data that is used for statistical purposes. As a result, this privacy notice does not include any cookie policy.
The App may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
3. How will we use your personal information and what services will we provide you?
IBSA Pharma UK acts as the controller of personal data collected and processed from you for the following purposes:
Purpose of data collection | Type of personal data collected | Legal basis for collection | Anticipated retention period |
To create your account, register and sign in to the App; to verify your identity each time you log in to the App | Your name and email address | Contract | 7 years after last contact or your last access to your account. |
To provide support mechanisms and information services related to fertility treatments | Information related to your lifestyle, the medical or health [fertility] treatment you are about to start, DOB and information about other treatments you have undergone in the past (provided via onboarding questionnaire and mood logs) | Contract and explicit consent | |
To support your queries and questions via our chat section. | Information you provide via our messaging service | Contract and/or explicit consent | |
To carry out satisfaction surveys, to target and improve our services. | Replies to (optional) survey questions which may include personal data if user provides personal data in free text reply. | Consent | |
To keep you informed about the products and services of the Aura application, as well as to send you news, events and other activities that we carry out, by email | Email and name | Consent or legitimate interests | |
To ensure security of the App and to take steps to prevent fraud or identity theft. | IP address, mobile phone number country code and browser user agent | Contract or Legitimate interests | |
To comply with legal obligations or for the formulation, exercise and defence of claims. | Usually only Name and contact details, although where required for legal claim, may include any personal data taken from your records on our live system including any health or treatment data you have uploaded | Legal obligation | |
To reply to data subject’s rights requests. | Your name and photo identity to verify your identity in the event of a data subject access request; In order to reply fully to a data subject access request, we may access all of your records on our live system including any health or treatment data | Legal obligation | |
To maintain and support our IT systems (we give access to a third party IT service provider under a written data processing agreement) | Your records on our live system including name, address, any health or treatment data you have uploaded | Legitimate interests and legal requirement |
IBSA Pharma UK acts as a joint-controller of the personal data with the clinics for the following purposes:
Purpose of data collection | Type of personal data collected | Legal basis for collection | Anticipated retention period |
To access App on referral from clinic | Name, surname, patient id and email address collected by clinics and shared with IBSA Pharma UK | Consent (obtained by clinic) | |
To share areas of concern for the patient based on the outcomes from the fertility quality of life questionnaire with the clinic. | Summary output of the main areas of concern from the fertility quality of life questionnaire. | Contract | |
Analysing and processing personal data to identify patients who are more likely to struggle during the fertility treatment; Sharing personal data with clinic to identify and support those “high-risk” patients. | User’s name and identification information where the user has been categorised as “more likely to struggle emotionally” users (identified from initial assessment questionnaire) is shared from the App to clinic | Consent (obtained by IBSA Pharma UK); The clinic processes this personal data in accordance with Article 9(h) of the Data Protection Act 2018. |
The joint-controller relationship with the clinics set out above relates only to the personal data and processing activities mentioned in this section and is strictly limited to activities carried out within the App. All activities involving the processing of personal data by the clinics outside of the App are exclusively the responsibility of the clinics, and IBSA Pharma UK does not have access to the personal data or clinical notes relating to treatments of patients, nor does IBSA Pharma UK assume any liability regarding such activities.
In this regard, IBSA Pharma UK will only notify the clinic of users who, based on their initial assessment, have been identified as more likely to struggle during the fertility treatment. We will never disclose the answers given by the users to our questionnaires to the clinics, we will only give them the name and identity of users based on the overall evaluation of answers.
4. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Data transfers and international transfers
Any transfers of personal data that we carry out are necessary for the fulfilment of the above-mentioned purposes:
- Providers of IT services, tools or infrastructure on which the services provided by IBSA Pharma UK are based, such as hosting providers, CRMs, emailing service companies, etc.
- Fertility clinics will be notified of users who, based on their initial assessment, have been identified as more likely to struggle emotionally during the fertility treatment (but no specific information beyond the identity will be provided).
In this regard, any transfer will be made taking into account all the necessary legal safeguards and subject to written terms governing the processing of the personal data (Data processing agreements).
Furthermore, IBSA Pharma UK will ensure that, for any transfers of personal data to countries outside the UK or other countries not considered adequate under data protection regulations, appropriate safeguards are put in place to ensure that the data can be transferred securely.
IBSA Pharma UK may transmit information to entities dedicated to medical, psychological and social research, in which case the information will be transmitted with prior anonymisation of the same, that is, in such a way that no person to whom it refers can be identified, either directly or indirectly. In this case, the data transmitted to these research entities or universities shall not be considered personal data, in accordance with the definition included in the UK Data Protection Act 2018.
6. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed while it is stored with us or while being transferred between us and the clinics or other third parties. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. All personal data is protected from unauthorised access as we have a virtual private network, with access to internal portals password protected by two factor authentication.
Any third parties will only process your personal data on our instructions and they are subject to a duty of confidentiality.
In practice this means that we use AWS in the European Economic Area for all personal data storage. Data Minimisation principles have been followed: IBSA Pharma UK collects data that is adequate, relevant, and limited to what is necessary for our data processing purposes, and we retain it only for as long as needed.
Data transferred between your device (for example your smart phone or computer) and IBSA Pharma UK’s systems is encrypted in line with current industry practice and is regularly reviewed using automated vulnerability scans. Penetration testing and hacker checks are carried out regularly by third-party security specialists providing support for our App and services.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Disclosures of your personal data
We may share your personal data with the parties set out below for the purposes set out in the table above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. Your Legal Rights
You have a number of legal rights in relation to your personal data (set out below), and if you exercise your legal rights we must respond within a month of your request, either to satisfy your request or to explain what steps we have taken and why we have not yet been able to fulfil your request (and notify you of the delay). Your legal rights relating to your personal data include:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), or where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  - If you want us to establish the data’s accuracy.
  - Where our use of the data is unlawful but you do not want us to erase it.
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  - You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time to the processing of your personal data and health data where we are relying on consent to be able to process it. Note, however, that this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise your rights at any time and for free by sending an e-mail to [email protected] indicating the right you wish to exercise and providing some personal identification to enable us to comply with your request.
In addition, when you receive any communication from us, by clicking on the unsubscribe section contained in that communication, you can unsubscribe from all our emails that you have previously consented to [marketing communications and third party marketing communications].
If you have any complaints or questions, we would be grateful if you would contact us in the first instance at [email protected]. You should also be aware that you have the right to make a complaint about the processing of your personal data at any time to the UK Data Protection Authority, the Information Commissioner’s Office, which can be reached at www.ico.org.uk.
9. Retention periods
We will keep your data on our live database for the duration of your subscription with us unless you request its deletion from our records. On termination of the subscription, or on request of deletion, we will remove your personal data from our live databases; however, we will continue to retain your personal data for legal reasons for a further seven years on our archived database for reference in the event of legal claims or other legal obligation.
Please note that when your personal data is archived, it is minimised as much as possible, including the deletion of any unnecessary personal data records.
10. Security and confidentiality
In order to prevent unauthorised access or unauthorised disclosure of personal data, we have undertaken appropriate technical and physical measures and management processes to safeguard and secure the information we collect from you.
11. Minors
The services provided by IBSA Pharma UK and, consequently, the use of the App, are not directed at persons under the age of 18. To the extent that IBSA Pharma UK is not able to control whether or not users are minors, we shall not accept any liability in this regard.
12. Update of the privacy policy
We do our best to keep our privacy policy fully updated. If we make changes, they will be clearly identifiable (for example: we may communicate changes to you by email).
This privacy policy has been updated and published as of 18/07/2024.