Privacy Policy
Who we are
YOUR.MD AS, incorporated and registered in Norway with the company number 999260993 whose registered office is at c/o Advokatfirmaet Simonsen Vogt Wiig AS, Filipstad Brygge 1, 0252 Oslo, Norway, represented by Matteo Berlucchi, CEO, is offering its Services which may be branded as Healthily and/or Your.MD, via its subsidiary Your.MD Limited, incorporated and registered in the UK with the company number 08727263 whose registered office is at Your.MD Ltd, 36 Egerton Road, Bournemouth, BH89AY, England, UK, (hereinafter collectively referred to as: ‘Your.MD’, ‘Healthily’, ‘we’ or ‘us’).
Your personal data is controlled by Your.MD Ltd who is the data controller in regard to its Services. Should you have any privacy-related questions, please contact us at privacy@livehealthily.com.
How we use your data
We use your data to personalise your experience when you use our Services. We also use your data to improve the safety and security of the Services we provide, and for the purpose of analytics, marketing and communications.
LEGAL BASIS
Contract performance. This covers data that is processed by us in order to provide you with the Services that you have requested, by initiation of the Services.
Consent. Where you have consented to our use of your personal data, including health data.
Legitimate interests. This covers data processed by us for the purposes that can be reasonably expected within the context of your use of our Services to pursue our legitimate interests, in order to improve our Services and your experience, for general social benefits to enable free access to health information, for exploring business opportunities, for scientific research and to enable us to offer a safe and secure service.
PROVIDING OUR SERVICES AND PERSONALISING YOUR EXPERIENCE
We use your data to understand your health so that we can provide relevant information personalised to your needs. You can personalise your experience by adding health data to your account, completing assessments, or using other services we offer. We will use this data to personalise Services such as the Smart Symptom Checker, and to recommend health plans, track your symptoms, assess your health, and display articles of interest to you.
APPS for users who create an account. Legal basis: contract performance and consent for processing health data. Data collected: as stated in ‘The data we collect’ section of this Policy.
Dot Platform. We use your data so the chatbot can calculate the most likely condition based on your reported symptoms. We might use the Smart Symptom Checker's results to show you relevant care options from third party providers ("Advertisers"), or to offer follow-up notifications for relevant conditions, symptom tracking, Health plans, and receive articles about specific topics.
Health library. You can search the Health library and save your preferred articles. Some articles include a 'When to see a doctor', which helps you assess the need to visit a health professional. We might show you relevant care options from third party providers based on your Health library search. For example, if you read an article about asthma, we will show you to a third party provider that offers services for this condition.
You can access our Dot™ symptom checker
Report
If you request us to send you the Assessment report (Report) to your email address we will ask you to choose a 6 digits PIN number to secure the Report. This way we make sure that the Report is shared only with you and that no health data is stored together with your email address, meaning that the processing is still private and secure.
FOR INTERNAL ANALYTICS
We collect data on how you use our Services so we can make improvements to the service we offer you. We use identifiers but do not link these to your name or email address, and we carry out troubleshooting, testing, research, and surveys. We also analyse your activities to understand how you use and interact with our Services. Legal basis: consent and/or legitimate interests, to help us improve our Services (Site) and for general social benefits to enable free access to health information for users who do not create a profile. Data collected: Analytical information, Technical Information, as stated in ‘The data we collect’ section of this policy.
For example, we look at whether you click on an Advertisement, conduct an assessment, view articles, use the health tracker, engage with notifications, and we will analyse the screens you use and if you added data to your profile. We check how you use our Services with the help of analytics providers (Amplitude and Google Analytics) and by processing Analytical Information (please see section “The data we collect” of this Policy). With the help of the analytics ID assigned to you, we can use the data that you enter when talking to our chatbot (age and location, but not your name or email address) for our internal analytics and research. We do not process any information which could directly identify you in our analytical databases unless you use a service that requires us to do so. For example, we check how many users have finished an assessment or have visited our Site.
FOR SAFETY AND SECURITY
We usually process your data based on IDs attached to your account, so we do not see your name or email address. To safeguard your privacy, we store health data and data which could personally identify you in separate databases. We do store technical logs of your activities in the app. In line with best practice, only authorised staff members can access personal data, and only when required for user safety or critical systems issues. Legal basis: legitimate interests, to enable us to offer a safe and secure service. Data collected: As stated in Technical Information of this Policy; in ‘The data we collect’ section.
EMAIL REQUESTS. We will use your email to respond to any queries you send to support@livehealthily.com and/or privacy@livehealthily.com. Please do not share any health data when sending emails to support@livehealthily.com and/or privacy@livehealthily.com as we do not respond to any case-specific health issues.
The data we collect
DIRECTLY IDENTIFIABLE PERSONAL DATA (only for users who decide to create a profile): name, email address, Facebook/Google account name and email address.
INDIRECTLY IDENTIFIABLE PERSONAL DATA: First name or nickname, age, gender, location (country, region - not specific enough to identify the street), time zone, service preferences, acquisition channel), identifiers (profile ID attached to your profile data, IP address, analytics IDs, conversation/consultation ID, device ID).
HEALTH DATA. Any type of health data you share when using our Services and when participating in research projects and research surveys, such as health data collected through the Smart Symptom Checker, and Health data provided through specific services such as the Trackers.
TECHNICAL INFORMATION. User agent (web browser type and version), device model, screen information, mobile service provider, installed app version, OS version, location (country and city), time zone, IP address at the time of usage, Healthily unique identifiers (profile ID, conversation ID/consultation ID), records of events with Technical Information and your interaction with our App/Services. For example, logs on your usage of the Services, which include chat information, quizzes, self-assessments and tools, the BMI calculator, and the articles you have viewed in the Health Library.
ANALYTICAL INFORMATION. Hashed IP address, hashed profile ID or guest profile ID, hashed conversation/consultation ID, analytics provider's unique user ID (Amplitude ID), user's device ID (Amplitude analytics) or client ID (Google Analytics ID), Hotjar ID (Hotjar), third-party cookies.
Information on how you use our Services:
General Activity (e.g. the screens you view, time spent, if you added data to your profile, whether you are in test groups, items on your home feed and interaction)
Sessions (e.g. when you started the session, duration)
App info (e.g. if you deleted/upgraded the App, version)
Authentication (e.g. whether you authenticated and which type of authentication)
Acquisition channel (e.g. which ad you clicked on to get to our Services)
Notification activity (e.g. whether you opted in or out of notifications)
Activity within our Services and features (e.g. your data and activities, assessment outcomes and feedback, whether you sent an input that failed to be understood by our chatbot, clicks on articles, whether you opened an assessment report, viewed assessment history, articles you view, share, whether you view/click on the partner, whether you are logging your feelings, tracking symptoms, receiving follow ups, syncing data with third-parties, whether you sign up for Health plans and your interactions, logs on your usage of our Services).
Who has access to your data
We cannot provide all services necessary for the successful operation of our Services by ourselves. We, therefore, share collected information with third-party providers for the purpose of offering and improving the Services. The information we share will not identify you personally, and the providers will only use the data to offer services to us. However, we will use your email to send you newsletters and surveys. For privacy-related requests, see section “Your rights” of this Policy or send an email to privacy@livehealthily.com
THIRD-PARTY TECHNOLOGY AND PROVIDERS
Third party providers are data processors. This means they process your information on our behalf, in accordance with our instructions. We only allow your information to be used by them to offer services to us. How third party providers' use of information is controlled by the terms of their contract with us and any settings enabled by us through the user interface of their product.
Mailchimp. We use Mailchimp to send out transactional emails for our mobile app. MailChimp uses your data to host an email marketing service for us, and may share your data with third-parties for the same purpose. Your data is stored on a secure Mailchimp server. Mailchimp is not allowed to sell your data. Mailchimp will give access to/delete any personal information they hold about you within 30 days of a request. Please refer to the Mailchimp Privacy Policy for more information. You can unsubscribe from these emails by clicking the 'unsubscribe from the list' link in the footer of every email you receive from us.
ADVERTISING PROVIDERS
We use third-party providers to show native ads on our Site and Web App.
Kevel. We use Kevel for advertising purposes of our Services by setting APIs infrastructure needed to build custom ad platforms for features such as sponsored listings, internal promotions and native ads. You can find more information on those features here. For more information regarding data collection and usage as part of the ad serving platform, please read Kevel Privacy Policy on Ad Serving.
COMMUNICATION PROVIDERS
We use third-party services for our internal communications and communication with external partners, namely:
Skype www.skype.com/en/, https://www.skype.com/en/legal/ ,
Slack AI Work Management & Productivity Tools ,Privacy Policy | Legal ,
Google Hangouts https://hangouts.google.com/, Privacy Policy – Privacy & Terms – Google ,
Gmail https://www.google.com/gmail, Privacy Policy – Privacy & Terms – Google ,
Zoom One platform to connect | Zoom , Zoom Trust Center | Zoom .
We do not share directly identifiable personal data with these services.
MANAGING PROJECTS, HOSTING, SOFTWARE DEVELOPMENT AND CLOUD STORAGE
Gatsby The Best React-Based Framework | Gatsby ,
Github GitHub · Build and ship software on a single, collaborative platform , GitHub General Privacy Statement - GitHub Docs ,
Jira Collaboration software for software, IT and business teams , Privacy Policy | Atlassian ,
Google drive www.google.com/drive/, Privacy Policy – Privacy & Terms – Google
Dropbox Previous Privacy Policy - Dropbox ,
Tableau Tableau Software Site Usage Agreement , Privacy Page
ANALYTICS PROVIDERS
With the help of analytics providers, we collect Analytical Information to help us improve our Services for you. We chose our providers carefully and set the most restrictive controls available to ensure they do not use your data for any purpose other than providing services to us.
Google BigQueryWe can draw and analyse data from GAF using Google BigQuery. For more information, please see Google Service Specific Terms. We use Tableau Software for graphic visualisations of the data extracted from Firebase Analytics and BigQuery. For more information, please see the Tableau Software Privacy Policy.
AWS Analytics does not access or use your data for any purpose other than to provide services to us, as legally required, and to maintain AWS services. Strong encryption of your data is in place. You can refer to the AWS Privacy Notice for more information. Please note, AWS Analytics is only used in our iOS App.
Google Analytics (GA) is used on our Site and Web App. When you visit the Web App or our Site, your web browser automatically sends your IP address and information on how you use the Service to GA. Processing is based on a GA-created browser ID by using cookies. GA uses IP addresses to provide and protect the security of the service, and for us to know the country you use our Services in. GA anonymises the IP address before any storage or processing takes place by obfuscating the last few digits. Please refer to the IP Anonymisation in Analytics. GA processes the data based on a GA identifier called Client ID, which is stored in a cookie. Identifiers such as cookies and GA user IDs measure and report statistics about your interactions on our Site and/or Web App. GA stores cookies on your device to keep track of how you use our Site/Web App statistics without personally identifying you. We use the data collected by GA to improve the quality of our Site and Web App and to analyse Site/Web App usage. For more information, please read How Google uses cookies. Google uses Standard ISO 27001 security measures. For more information on operational security and disaster recovery, please visit: How Google analytics secures your web traffic and Safeguarding your data. For general information, please read the following: How Google uses information from sites or apps that use their services, and the Google Privacy Policy.
Crashlytics Privacy Policy,Fabric Privacy and Security Google Privacy Policy.
LAWFUL PURPOSES
Your data will be disclosed only when necessary for lawful purposes, our legal obligations and rights as stated herein, and will be limited to such purposes:a) if required by law, for example to comply with a court order, subpoena, regulation, legal process or other governmental requestb) to exercise or protect the rights, property or personal safety of our company, our users or othersc) to enforce this privacy statement, including investigation of potential violations d) upon fulfilling legal requirements of local legislation to supply certain services a third party might legally request from use) to detect, prevent, or otherwise address fraud, security, or technical issuesf) if we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified of any change in ownership or uses of your datag) to respond to claims that any content published within our Services or our Services violates any right of a third party.
How long do we keep your data
We follow generally accepted industry standards and internal procedures to protect the data submitted to us during transmission, storage, and processing. We store your data for as long as is needed to provide our Services.We may store it for longer, but only in a way that it cannot be tracked back to you. We delete all personally identifiable data we have about you within 30 days of receiving your data deletion request. Please make sure you request a copy of your data before you ask to delete your data, as your data will not be retrievable afterwards.
We delete the logs we keep of the IP addresses you have used after approximately six months. When the data is no longer needed, we delete it using reasonable measures to protect the information from unauthorised access or use. Any information you send to care@livehealthily.com and/or privacy@livehealthily.com will be deleted as soon as we respond to your enquiry and/or the information is no longer needed.
We store your data,
if you have consented to the processing, at most until you revoke your consent;
if we need the data for the execution of a contract, at most for as long as the contractual relationship with you exists;
if we use the data on the basis of a legitimate interest, at most for as long as your interest in deletion or anonymisation does not outweigh the data;
insofar as statutory storage obligations exist, until the end of the storage periods.
Your rights
We are committed to keeping your data up-to-date. You can exercise your rights within our App or ask us to do so for other services by sending an email to privacy@livehealthily.com. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardise the privacy of others, are impractical, or if we are required to retain such information by law or for legitimate business purposes. In the event of a suspicious request made in bad faith or accompanying unlawful behaviour, we reserve the right to deny any request you make. We will not respond to any enquiry emails which we do not understand, where the request is not clearly specified, or pertains to health questions as we do not offer case-specific advice.
As a data subject, you have the following rights:
To request information about the processing of your data, as well as to receive a copy of your personal data. Among other things you may request information on the purposes of the processing, the categories of personal data processed, the recipients of the data (if a transfer is made), the duration of the storage or the criteria for determining the duration;
To receive personal data relating to you in a structured, common and machine-readable format or to transfer it to another person in charge;
To correct your data. If your personal data is incomplete, you have the right to complete the data, taking into account the purposes of the processing;
To have your data deleted or blocked;
To have the processing restricted;
To object to the processing of your data;
To revoke your consent to the processing of your data for the futureand
To complain to the responsible supervisory authority about unauthorised data processing.
RIGHT TO WITHDRAW YOUR CONSENT
You can withdraw your consent for email collection for research purposes by sending us an email to privacy@livehealthily.com, subject: withdrawal consent for research.
RIGHT TO OBJECT AND TO RESTRICTION OF PROCESSING
We process your data on a legitimate interests basis when you use our Site, or when sending out business emails. We limit the amount of data we collect, and this data cannot directly identify you. To exercise your right to object or restrict processing, please send us an email to privacy@livehealthily.com.
RIGHT TO ACCESS, COPY, RECTIFICATION
You can request your data by visiting Your account settings/Your data and choosing the ‘Export data’ option. You will be able to download your data to your device. We will send your data within 30 days of receipt of your request. If we need to acquire your data from a third party, this might take longer.
You can use the Your personal details section within the App to change the data you added to your Account.
You have the right to request the rectification of inaccurate personal data that cannot be rectified within our Services by sending an email to privacy@livehealthily.com.
USERS OF OUR SMART SYMPTOM CHECKER
If you use our Smart Symptom Checker you should be aware that we are not able to accommodate your request for the deletion/access/copy of your data because we do not store any data that could directly personally identify you. Similarly, we cannot carry out such a request if you are a Site visitor as we do not store any data that could personally identify you. If you stop using our Services, we will delete all collected data within six months.
OPTING OUT
We make sure we do not collect more information than is needed to provide our Services and we strive to limit our Providers to do so as well. We have integrated protocols to allow us to process Health Data in a way that does not directly identify you. However, you are always free to opt out of data collection by not using our Services or by uninstalling the app.
Analytics. You can opt out of our information processing by sending an email to privacy@livehealthily.com and/or opt out of Google Analytics by installing this browser add-on Google Analytics Opt-out Browser Add-on Download Page .
CALIFORNIA RESIDENCE PRIVACY INFORMATION
This section of our Privacy Policy contains information required by California Consumer Privacy Act (hereinafter the "CCPA") that came into force on January 1st, 2020.
If you are a California resident (as defined in section 17014 of Title 18 of the California Code of Regulations), California law requires us to provide you with some additional information regarding your rights with respect to your “personal information”.
We may transfer your personal data to third party processors in order to achieve the purposes of the processing listed in section ‘How we use your data’ above. Please see section ‘Who has access to your data’ to learn about what third party processors do we use.
CCPA provides Californian consumers with the following rights (which do not interfere with GDPR):
Right to request disclosure of any personal information we collected. This means in particular that you have:
the right to request disclosure of the categories of personal information we collected from you, together with the categories of sources from which it was collected (please see section “The data we collect”),
the purpose of the collection (please see section “How we use your data”),
the categories of third parties with whom we shared your personal information (please see section “Who has access to your data”), and
the specific pieces of personal information that have been collected please see section “The data we collect”).
Please see “Right to reassure/access/copy” section to learn how we process your request.
Right to request deletion of any personal information that we collected from you. Please see section “Right to erasure/access/copy”.
Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights. This generally means that we will not deny you Services or provide a different level of Service or quality of Services. However, please bear in mind that, if you ask us to delete your data, it may impact your experience with us, and you may not be able to use our Services which require usage of your personal information to function properly.
Right to Opt-Out of Sale.Under the CCPA placing third party behavioural advertising cookies on your device could be considered a “sale” of your personal data. For this purpose we are providing an opt-out option on our Site (“Do Not Sell My Personal Information") where you are able to opt out from such placement by clicking on the Cookie Settings link available in the footer of our Site.
Storing, security and data transfers
We follow generally accepted industry standards and internal procedures to protect the information submitted to us.
STORING
We store identifiable personal data and health data in separate databases. This means that whatever you enter or do when using our Services, is not connected to data that could personally identify you. We normally process your data with the help of identifiers, namely profile ID, consultation/ conversation ID and analytic identifiers to avoid personal identification. In limited cases when required for user safety or critical systems issues, authorised personnel can access personal data along with Health Data. Your IP address is used to determine location, but it is normally masked (hashed) when stored on our backend.
We store your information for as long as needed to provide our Service. We may store the information longer, but only in a way that it cannot be tracked back to you. We use AWS and Google Cloud Platform for storing information.
AWS. AWS has multiple security certificates Cloud Security – Amazon Web Services (AWS) .The data we collect from you may be transferred to, and stored at, a destination outside and inside of the European Economic Area (EEA), namely the AWS regions in the US and EU. It may also be processed by staff operating outside the EEA who work for us, or for one of our Providers. Your data will still be safe - we have entered into the AWS data processing addendum to make sure your personal information (IP address) is safe, namely:
a) that the AWS will use the data only to provide its storing services
b) that it will not disclose data to any third-party
c) that the AWS restricts its personnel to process your data without their authorisation
d) that we stay in control of correcting, blocking, deleting, and retrieving your data
e) that AWS is responsible for implementing and maintaining the technical and organisational measures
f) that AWS is certified under ISO 27001 and agrees to maintain an information security program for the service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the AWS Security Standards
g) that AWS may use subcontractors, but will restrict their access only for the purposes of offering AWS services. By using and downloading our Services, you agree to the transfer, storing and processing, as stated herein. We will take all the reasonably necessary steps to ensure that your data is treated securely and in accordance with this privacy policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk.
Google Cloud Platform. We store all analytical data on the Google Cloud Platform (GCP). We control the stored data while Google is the processor. This means that Google processes the data only for the purposes of providing GCP services and technical support to us, in accordance with data processing and security terms Cloud Data Processing Addendum | Google Cloud . We control what happens to the data and can access it at any time. We have chosen to store the data in the US. Google stores data in a multi-tenant environment on Google-owned servers. The data and file system architecture are replicated in multiple geographically dispersed data centres. Google also logically isolates stored data. We have control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, enable us to determine the product sharing settings applicable to this privacy policy. We may choose to make use of certain logging capabilities that Google may make available via the services. Google has updated their data processing terms for GCP to reflect various models of the E.U Standard Contractual Clauses (SCCs) regarding International Data Transfers. Get more information on Google Cloud Platform and the terms: How Google Cloud helps E.U. companies under new data transfer rules | Google Cloud Blog
SECURITY
To guarantee your privacy, we securely encrypt, limit, and restrict access to your personal details.
We encrypt all your data at rest and any directly identifiable personal information is double encrypted with two keys at both the infrastructure and application level. We have restricted access to production environments and monitoring of your activities. The information is encrypted and key protected, and we have integrated commercially reasonable efforts to make sure your information remains secure when processed by us. However, please be aware that no security measures are impenetrable. If you have any concerns about the security of our Services, please contact us at privacy@livehealthily.com.
To ensure the security of processing we engage third-party providers for penetration testing (security testing) - a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company's networks or applications. During security testing, the third-party provider may have access to your personally identifiable data. Security testing providers are contractually bound to take all necessary technical and organisational measures to protect data, and they are not allowed to transfer it to third parties or use it for any other purpose besides security testing for us.
TRANSFERS
Data is being transferred to countries outside the United Kingdom and the European Economic Area. We only transfer personal data to third countries where the ICO and the EU Commission have confirmed an adequate level of protection or where we can ensure the careful handling of personal data by means of contractual agreements or other suitable guarantees, such as certifications or proven compliance with international security standards, which you can review on request."
EU and UK Territory We delete logs we keep of the IP address within six months. We store your personally identifiable data for the duration of the provision of our Services or up to 30 days after your deletion request. This section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication, or as strictly necessary for us to provide the Services you requested. We reserve the right to delete your profile after an extended period of inactivity.
US Territory We will retain collected information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by applicable legislation. We reserve the right to delete your profile after an extended period of inactivity.
Storing might be different depending on which territory is collecting the information and the applicable legislation, but we always strive to store the information only if it is needed for the purposes of providing, improving or personalising our Services.
Cookies
For information about cookies, please see our Cookie Policy which is hereby incorporated into this Policy. You can manage cookies on our Site at any time by visiting the Cookie settings section available in the footer of our Site. You can turn off cookies by changing your specific browser settings. You may disable cookies or delete any individual cookie set by Google Analytics. Google Analytics supports an optional browser add-on that - once installed and enabled - disables measurement by Google Analytics for any site you visit. This add-on only disables Google Analytics measurement. You can use Ads Settings to manage the Google ads you see and disable personalisation. Even if you opt out of personalised ads, you may still see ads based on factors such as your general location derived from your IP address, your browser type, and your search terms. You can also manage many companies' cookies used for online advertising via the consumer choice tools created under self-regulation programs in many countries, such as the US-based aboutads.info choices page or the EU-based Your Online Choices. Finally, you can manage cookies in your web browser. For more information visit Advertising – Privacy & Terms – Google and read our Cookie Policy.
General
Should you have any privacy-related questions, please contact us at privacy@livehealthily.com. If we are not able to help, we will forward your enquiry to our External Data Protection Officer (DPO), ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Große Bleichen 21, 20354 Hamburg. Should you have any concerns or complaints that our DPO is not able to resolve, you have the right to lodge a complaint with our supervisory authority Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Kurt-Schumacher-Allee 4, 20097 Hamburg. If you are a UK customer, you can lodge a complaint with the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Our EU Representative is ePrivacy, Holding GmbH, Große Bleichen 21, 20354 Hamburg, Germany. For more information, click Legal .
We update this Privacy Policy to reflect changes in our data processing practices. Because we are constantly adding new services and features, we may not make an immediate upgrade of the Privacy Policy unless material changes occur. We encourage you to periodically review https://www.livehealthily.com/legal/privacy or the Simply legal section of our Services for the latest information on our privacy practices. You will be informed about material changes to our data processing practices with a push notification, or by other means.
Matteo Berlucchi, CEO