Privacy Policy / Data Protection Notice for Vitacam Clinic

Revision 1.1 – 1st of June 2023

This notice applies to all use of the Vitacam Clinic smartphone app (‘the app’).

Please note that if there is a change to the Privacy policy of any kind incl. the purpose of data collection, your consent for the Data Protection Notice will be asked again.

Personal data submitted through the use of the app is processed by NE Device SW (‘the company’) as the ‘data processor’, on behalf of a health or social care provider who is the ‘data controller.’

The company complies with General Data Protection Regulation 2016/679.

The basis for processing personal data within the app and any related circumstances depends on your usage.

1) As a healthcare / social care user (e.g. nurse given the license to use the app), the regulations for processing personal data for health or social care apply:

GDPR 2017 Article 6 1E
The lawful basis we rely on to process this personal data is article 6(1)(e) of the GDPR, which allows the processing of personal data when necessary to perform a duty of care.

GDPR 2017 Article 9 Paragraph 2H
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. This covers the provision of health or social care or treatment. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.

2) As an individual person or representative of a company, given the permission by the company, to e.g. do an assessment, try or demo the app:

GDPR 2017 Article 6 1A
The lawful basis we rely on to process this personal data is article 6(1)(a) of the GDPR, which allows the processing of personal data with a given consent from the user. To be able to use the application, you will need to consent to the processing of your personal data for the described use. If you utilize the application to measure vital signs of another person, you must ensure he/she is aware of the data protection notice and gives a consent for the processing of personal data.

GDPR 2017 Article 9 Paragraph 2A
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. This instantiates the explicit consent from the person, whose personal data will be processed. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.

The intended purpose of Vitacam is to measure and monitor the vital signs, including respiratory rate and heart rate, of a single patient/client or group of patients, by analyzing a video feed obtained from a mobile camera on a cloud server. The software is intended for healthcare professionals and professional carers as a measuring and monitoring tool that provides inputs for clinical decision making. The software can be given for assessment purposes for individual persons and/or representative of a 3^rd party company. Still, no data is shared between the different user categories of the application – results or data provided by another user is not accessible or visible by any means to the other but remains at the company and end-user.

Within the scope of using the Vitacam app for its intended purpose, personal data is collected, processed, and stored permanently or temporarily as follows:

Log-in events are recorded on the server when the user logs in on the app. Log-in credentials are never stored on the app.

A new user cannot register on the app but must be added by an admin.

The user can record a video of residents/clients on the app. This recording is temporarily stored on the app until it has been uploaded to the server or over 30 minutes has passed since recording, in which case it is deleted from the app.

The user can record a video of a person who is under clinical examination or her-/himself on the app. This recording is temporarily stored on the app until it has been uploaded to the server or over 30 minutes has passed since recording, in which case it is deleted from the app, provided the app is active.

The server returns respiratory rate and heart rate of the resident/client obtained from the processed video.

The video is processed on a server instance maintained by the company and approved by the data controller, in accordance with both national and European data protection regulations. It is deleted programmatically immediately upon processing and cannot be viewed by any human.

The measurements are stored on a server and deleted according to the data controller’s policy. The time of storing the data is up to 10 years.

On transit from the app to cloud server instance, the data is encrypted over SSL/TLS 1.3 with AES-256 NSA-level encryption. The utilized server instance is running within EU (Finland, Hamina) Google Cloud server, and all data within the cloud is encrypted with AES-256 advanced encryption standard both during transit and in storage.

The following data or data categories are collected:

User data, collected in enrolling as Vitacam Clinic user phase with a separate contract
username, first name, last name, id, e-mail address, Healthcare facility/company (permanent as defined by data controller)

Resident/client biometric data

Date & time of video recording, physiological measurements resulted by the video analysis (namely pulse and respiration rate) (permanent storing as defined by data controller)
Recorded videos with the app (temporary – deleted once uploaded and processed, or in case of a) upload has not been possible, after 30 mins whenever the app is launched, b) in case of processing has not been possible, within 24 hours.
None of the data is shared with a 3^rd party.

We promise to follow the following data protection principles:

Processing is lawful, fair and transparent. Our Processing activities have lawful grounds. We always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request.

Processing is limited to the intended purpose. Our Processing activities fit the purpose for which Personal Data was gathered.

Processing is done with minimal data. We only gather and Process the minimal amount of Personal Data required for any purpose.

Processing is limited with a time period. We will not store your personal data for longer than needed.

We will do our best to ensure the accuracy of data.

We will do our best to ensure the integrity and confidentiality of data. The company “NE Device SW” has a company-wide Cyber Essentials certificate (https://iasme.co.uk/cyber-essentials/)

Both users and residents/clients are considered as Data Subjects with the lawful rights:

Right to information
You have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.

Right to access
You have the right to access the data collected from/about you when the data is stored in a way, that it can be linked to you. This includes your right to request and obtain a copy of your Personal Data gathered (a “Subject Access Request”). If you would like to know more, please contact our DPO using the details above.

Right to rectification
You have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.

Right to erasure
In certain circumstances* you can request for your Personal Data to be erased from our records.

Right to restrict processing
Where certain conditions apply*, you have the right to restrict the Processing of your Personal Data.

Right to object to processing
In certain cases* you have the right to object to Processing of your Personal Data.

Right to object to automated Processing
You have the right to object to automated Processing, including profiling; and not to be subject to a decision based solely on automated Processing. This right you can exercise whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.

Right to data portability
You have the right to obtain your Personal Data in a machine-readable format or if it is feasible, as a direct transfer from one Processor to another.

Right to lodge a complaint
In the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled please contact us.

Right for the help of supervisory authority
You have the right for the help of a supervisory authority and the right for other legal remedies such as claiming damages.

Right to withdraw consent
You have the right withdraw any given consent for Processing of your Personal Data.

*If the right to erase, restrict or object to processing is in conflict with your local legislation in relation to e.g. healthcare and patient record data holding, then legislation will be followed and you will be informed of the outcome

Please note that no data is stored of the recorded individuals, which could be linked to any of the stored data.

To exercise your rights, or to get in touch, contact our Data Protection Officer, Mr Miikka Kirveskoski. We will get back to you as soon as possible or by latest within a month.

Please note that if you follow any links from the Privacy policy and/or the app, the Privacy Policy does not extend to third parties and you are advised to make yourself aware of the related 3^rd party site/platform privacy policy.

If you are made aware of a child or a minor accessing the app and potentially providing personal data without parental consent, please contact the Data Protection Officer for data removal as soon as possible (by latest within a month) and potential further required actions.

If you have any questions or comments on our data protection policy, or want to get in touch with the Data Protection Officer, please contact us at: info@nedevicesw.com

NE Device SW Oy
Teknologiantie 7B
90590 Oulu
Finland

VAT no. FI26513007

Moyeen Ahmad (CEO)
moyeen@vitacam.health