Surgery Hero respects and protects your privacy. In this policy you will find information about when, how and why we collect personal data as well as the rights you have in relation to data collected.
We may revise this policy depending on changes in law or our operating practices. We will notify you if there are any major changes you need to be aware of. If you have any questions about any of this, please get in touch by emailing our Data Protection Officer at firstname.lastname@example.org. This policy was last updated on 30/10/2023.
Who we are
Who this policy applies to
How and why we process your data varies depending on which of the categories below you fall into:
- Patients / Users of the App
- Healthcare Professionals
- Healthcare Administrators
- Visitors to this website
- Third Party Suppliers
- Job Applicants
How Personal Information is Obtained
We collect information when you:
- Download and use the app
- Access admin dashboards
- Sign up to newsletters
- Register with or use the website
- Contact us
The information collected may come from you directly (i.e. information you enter into forms) or indirectly (i.e. information collected when you browse our site, such as your IP address).
Types of Personal Information Obtained
Information collected includes:
- Personal details such as your name and date of birth
- Contact details such as your phone number and email address
- Login information, including details associated with your account such as your username and password
- Technical information. Like most sites, when you use our services we may use cookies or similar technologies that automatically collect information. This may include your browser, mobile device, IP address and other websites you have visited. You can turn off cookies in your browser settings. See the cookies section below for more information.
If you are a patient or user of the Surgery Hero (Patient) App
Additional information about you and the status of your health is necessary in order to tailor our services and personalise advice and content for you and for the healthcare professionals handling your treatment. Some of the additional information we use to do this is special category data as defined in Article 9 of the GDPR. Additional information collected includes:
- Data concerning health such as your mental and physical health and wellbeing. This includes your medical records and other documentation related to your medical history
- Third-party health app data captured by apps such as Google Fit or Apple HealthKit. You are under no obligation to provide this, and you will need to grant us access to this kind of data first when prompted by your device. You can stop access at any point by changing the settings on your device.
- Sexual orientation
- Genetic Data
- Biometric Data
- Usage data. Your use of the app generates data we may analyse to improve our services, for example which articles you found most relevant, communications about bugs or problems you have encountered, and other types of feedback.
- Location information may be gathered to enable personalised content and make local recommendations. It can also be used for authentication purposes. This data may be provided by your device, for example via GPS. Where we seek to use location data via the app we will notify you, and you can disable location sharing in the settings of your device.
If you are a Healthcare Professional or Healthcare Administrator
To help us deliver the best possible experience, both for you and for the patients you care for, we may request the following additional information:
- Contact information for employees who are involved in the care of patients using Surgery Hero services. This can include surgeons, physiotherapists, occupational therapists, nurses and others.
- Information relating to your organisation, to give an idea of how Surgery Hero has affected its performance.
If you are a supplier, applying for a job or visiting the site for another reason
Additional information may be required in order to assist you with your reason for getting in touch. For job applicants this may include:
- Information about your employment history
- Contact details for referees
- Depending on the role and jurisdiction, some special category data may be requested, such as health information, background check information, criminal history information and trade union membership.
Additional supplier information requested can include:
- Tender information
- Proof of identification and address
- Bank details, expense claims
- Information necessary to access company systems
We sometimes need to share the personal information we process with the individual concerned and also with other organisations. Where this is necessary, we are required to comply with all aspects of the Data Protection Act (DPA), the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR) as they apply. What follows is a description of the types of organisations with which we may need to share some of the personal information we process, for one or more reasons.
Where necessary or required we share information with:
- Business associates and other professional advisers
- Financial organisations
- Current, past or prospective employers
- Educators and examining bodies
- Suppliers and service providers
The GDPR affords data subjects the rights summarised below. To exercise any of these rights, or to ask any questions, please contact our Data Protection Officer at email@example.com. You can find additional contact details for our Data Protection Officer here.
Right of Confirmation
You have a right to obtain confirmation as to whether or not personal data concerning you is being processed.
Right of Access
You have a right of access to any personal information we hold about you. You can ask us for a copy of your personal information, details about how and why it is being used, and details of the safeguards in place if we transfer your information outside of the UK.
Right to rectification
You have a right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have any incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure
You have the right to erasure of personal data concerning you without undue delay. We will action this right where one of the statutory grounds applies and we are not required to continue the processing (for example, to comply with a legal obligation).
Right of Restriction of Processing
You have the right to restrict processing where a statutory reason applies.
Right to Data Portability
You have a right to receive the personal data concerning you in a structured, commonly used and machine readable format.
Right to Object
You have a right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you.
Automated individual decision making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling.
Right to Withdraw Consent
Where consent forms the basis for processing, you have the right to withdraw consent to processing at any time. You can do this via our services or by contacting the Data Protection Officer.
Right to complain to the supervisory authority
You also have a right to make a complaint to the Information Commissioner's Office, or the data protection regulator in the country where you usually live or work, or where an alleged infringement of the General Data Protection Regulation has taken place. Alternatively, you may seek a remedy through the courts if you believe your rights have been breached.
Legal Basis for Processing
The legal basis for Surgery Hero processing personal data is typically one of the following:
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Consent has been granted.
- Processing is necessary for our legitimate interests (or those of a third-party), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The legal basis for Surgery Hero processing special category data is typically one of the following:
- Explicit consent for purposes specified in a consent module or form.
- Processing is necessary for employment, social security or social protection purposes (where authorised by law).
- Processing is necessary for health or social care purposes (with a basis in law).
- Processing is necessary for public health purposes (with a basis in law).
How we share your information
We may share your personal information with the following third parties or categories of third parties:
- service providers and subcontractors, including payment processors, cloud service providers, utility and logistic providers
- public agencies and the emergency services
- companies that assist in our marketing activities
- analytics providers to assist in the improvement and optimisation of our services
Any third party with whom we share your personal information is subject to privacy and security obligations consistent with applicable laws.
We will also disclose your personal information to third parties where it is in our legitimate interests to do so in order to run, grow and develop our business. For example, in the event that we undergo a reorganisation or are sold to a third party, personal information we hold about you may be transferred to that reorganised entity or third party.
We may disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Services or the rights, property or personal safety of any person.
A cookie is a small file which, with your permission, is placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets the site know when you visit a particular page. Cookies allow web applications to respond to you as an individual: the web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Surgery Hero uses traffic log cookies to identify and provide statistics on which pages are being used and how. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes, after which the data is removed from the system. When you click Accept you enable these statistical cookies; you also have the option to decline them.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
How long we store your personal information
We keep your personal information for no longer than is necessary, bearing in mind the reasons it was collected. The length of time for which we retain personal information depends on the reasons for which it was collected and on whether we are required to retain it to comply with any applicable laws or to defend our legal rights.
Security and Transfers
Surgery Hero takes all reasonable precautions to safeguard the confidentiality of your personal information, including through the use of appropriate organisational and technical measures.
Where you have been given or chosen a password that enables you to access certain parts of our services, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
The personal information we collect is generally transferred to and stored on secure third-party servers located in the UK. Such storage is necessary in order to process the information. Where your data is processed or stored outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the appropriate safeguards described in the GDPR is in place, such as:
- The country to which the data is being transferred has been deemed to provide an adequate level of protection for personal data by the European Commission;
- Specific contractual terms approved by the European Commission, which give personal data the same protection it has in the EEA, are in place.
Any transfers made will be in full compliance with the Data Protection Legislation.
We encrypt your data in transit to and from the App and Dashboard, and at rest. Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access.
Changes to this policy