Privacy Policy - Infermedica
Who we are
Welcome to the website of Infermedica Sp. z o.o. with its registered office in Wrocław, Plac Solny 14/3, 50-062 Wrocław, Poland ("Infermedica", “we”, “us”, “our”). Infermedica is a Polish company entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, VI Commercial Division of the National Court Register, under KRS number: 0000429183, with tax identification number (NIP): 8971782877, and registered business number (REGON): 021889810.
Infermedica owns the website under the domain www.symptomate.com (the “Website”). Through the Website, as well as through a mobile application available in certain application markets for different mobile devices (the “App”), we provide services and Additional Services (the “Service”) described explicitly and comprehensively in the “Symptomate.com” Terms of Service available at https://symptomate.com/terms-of-service or in mobile apps. Infermedica acts as the controller of any personal data collected and processed in connection with use of the Website, Additional Services and the App.
All our activities connected with the Website, Additional Service, or the App comply with the applicable data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).
The main goal of this privacy policy is to inform you how and for what purpose we process personal data in connection with your visit to, and use of, the Website and the App.
Why we collect and process data
We collect and process your data to securely provide you with the Services and Additional Services. Additionally, we process data to ensure and improve the functioning of the Website, Additional Services, and the App. We collect and process your personal data (i.e. information that identifies, or at least makes it possible to identify, you as a natural person) when you voluntarily decide to actively communicate with us, or decide to leave us your feedback regarding our Service. Furthermore, we collect and process certain technical data generated due to you visiting the Website, Additional Services, or using the App, which may also be considered personal data. ‘Processing’ means any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, any kind of disclosure, erasure or destruction, or other use.
In a situation when you are using the Website and/or the App on your own behalf, but in aid of a third party (including a child), remember to obtain appropriate authorization prior to providing this data.
What data we collect and process
We collect several different types of information for various purposes connected with providing and improving our Service. The types of information that we collect and process depend on the types of services we provide via the Website, Additional Services, and the App. We collect and process your personal data:
when you contact us
when you decide to leave us your feedback
when you browse the Website, Additional Services, or use the App
Your personal data is provided voluntarily, but without providing it we will not be able to realize what you expect from us, e.g. we will not be able to contact you or provide you with the Services.
Your data will be processed for as long as necessary to fulfill the purpose for which it was collected, or as long as is necessary or possible due to certain legal provisions regarding the processing of personal data.
1. Contact:
When you ask us to contact you, we will collect and process the following personal data:
e-mail address,
name and surname, if you provided them voluntarily.
Where your personal data is collected and processed for contact purposes, the legal basis is your voluntary consent (legal basis under Article 6(1)(a) of the GDPR).
Data will be processed until the purpose of contact is achieved or until consent is withdrawn, in any case for no more than three years from the last action performed.
2. Feedback:
If you decide to provide us with feedback on the quality of our Services, we may process only the data that you decide to provide us with. However, provision of personal data that enables identifying you is not required for providing feedback. You can provide us with your contact data in order to enable us to respond to your feedback.
In this case, your personal data are collected and processed for feedback purposes, and the legal basis is your voluntary consent (legal basis under Article 6(1)(a) of the GDPR).
Data will be processed until consent is withdrawn, in any case for no more than three years from the last action performed.
3. Security:
When you browse our Website and use the Services, we collect and process your IP address and other technological data derived from logs which may be considered a piece of personal data - for security purposes only. We do not process such data in order to identify you as a natural person, but only to increase the level of security of the Website and the App in order to be able to react - for example - to the activity of automatic mechanisms.
In such a case, your personal data is collected and processed for the purposes related to ensuring security of functioning of the Website and the App, and the legal ground for processing is legitimate interest (legal ground under Article 6(1)(f) of GDPR) understood as a necessity to ensure the secure use of the Application and our Services.
Data will be processed for no longer than 30 days after the date of its collection.
If you decide to use Additional Services, for security reasons we will have to authenticate your identity (legal basis under Article 6(1)(f) of the GDPR) since it is necessary to ensure that your data is protected against unauthorized access. To achieve this goal, you will be asked to provide us with your contact data so that we can send you an authentication code and a link to the Additional Services. This authentication data will be processed for no longer than 90 days from the date of its collection.
4. Marketing:
Additionally, we take advantage of marketing services in order to analyze your behavior for the purposes of optimizing the functioning of the Website and the App, as well as for the purposes of optimizing our advertising activities. In particular, we take advantage of technologies such as Google Analytics.
In such a case, the data is collected and processed for marketing purposes, and the legal ground for processing is legitimate interest (legal ground under Article 6(1)(f) of GDPR) understood as the desire to reach as many users and customers as possible, to promote our Application and Services and thereby develop our business.
Data will be processed for as long as the services are provided, until an objection is submitted or until a change is made to the settings of your browser or in your Facebook or Google profile.
5. Medical interview:
When you are using Services and Additional Services, we collect certain information regarding health conditions, as well as other information that may be helpful for correct provision of Services and Additional Services, e.g. regarding sex, age, individual risk factor, region of residence, or everyday behavior.
Such information regarding health is not combined with information that makes it possible for us to identify the person regarded by the medical history, except for the necessary authentication process. Such information is combined with a unique identifier in order to obtain insight into statistical data allowing us to improve our Services and Additional Services. In view of the fact that we may potentially combine the IP address with the medical history for a period of 30 days, this data may be of personal nature during that period. In the case of Additional Services, we will be additionally processing your contact data used for authentication purposes.
In such a case, data is collected and processed for the purposes related to provision of the Services and Additional Services, and the legal ground for processing is your voluntary consent and intent to take advantage of the solutions provided (legal ground under Article 9(2)(a) of GDPR).
Data will be processed for no longer than 30 days after the date of its collection - after that period the data is anonymized in relation to removal of data (IP address) necessary for security purposes and for the purposes of determining the location of the User to be able to provide them with Additional Services; or 90 days in the case of Additional Services.
Such anonymized data may be used by Infermedica for research and development purposes, as well as in scientific publications.
6. Analytics:
When you use the Application or our Services, we may perform analytics on your actions in order to improve both the Services and the Application itself, so that you receive a better user experience. Analytics is done for two purposes and on the following legal bases:
we analyze the data collected during your use of the Services and Additional Services in order to improve our services and products, and the legal basis is your consent if it refers to health data (Article 9(2)(a) of GDPR) and legitimate interest in terms of your regular data (legal basis in Article 6(1)(f) of GDPR) understood as the need to provide services and products of the highest quality, corresponding to the needs of users, to develop software functionality, to improve its accuracy and correctness;
we also analyze the data collected during your use of the Application in order to ensure high quality and safety standards for medical products or medical devices (legal basis: Article 9(2)(i) of GDPR in connection with article 83 of Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC as regards health data, and as regards other data Article 6(1)(f) of GDPR, i.e. our legitimate legal interest, understood as the need to ensure high standards of quality and safety of medical devices).
Data will be processed until:
you raise an objection or change your browser settings,
the data is of personal nature,
the analysis is carried out and the purpose is achieved,
whichever comes first, after that personal data is anonymized.
7. Protection against claims and recovery of claims:
We may process your personal data in order to assert or defend against possible claims related to the contact or processing of your personal data and the processing is based on a legitimate interest (Article 6(1)(f) GDPR), understood as the possibility to assert or defend against claims.
The data will be processed until the statute of limitations for the respective claims has expired.
Technical Data
We also automatically store and process certain information about how you use our Services and Additional Services (Log Data). Such Log Data do not allow you to be identified in any way and do not constitute personal data. They include information such as your browser name and version, your operating system name and version as well as the platform you use (mobile or desktop). We use such Log Data to improve, customize and enhance our Services and Additional Services by expanding their features and functionality and tailoring them to your needs and preferences.
What we can do with your data
We work with some third parties and they may have access to some of the information about you that we collect and process. The recipients of your personal data may include:
entities authorized by law on the basis of a proper request (courts, state authorities)
entities providing accounting, IT, marketing, communication, analytical and legal services, including HubSpot, Google, Facebook, FullStory, AWS
subcontractors with whom we cooperate.
Your information, including personal data, may also be transferred to — and maintained on — computers located outside of the European Economic Area, where the data protection laws may differ from the GDPR.
If we provide the personal data beyond the European Economic Area, and in particular to any third countries, such provision will take place on the basis of appropriate legal mechanisms, such as Executive Decisions of the Commission (EU), standard contractual clauses applicable, or other similar legal instruments specified in the content of GDPR. In addition, we follow the Post Schrems II recommendations adopted by the European Data Protection Board.
To ensure that you have adequate control over your personal data transferred outside the European Economic Area, you will have the right to obtain a copy of your personal data transferred to third countries at any time.
Your rights concerning data
You have the following rights under the GDPR:
The right to request access to your data and to receive a copy of your data: whenever possible, you can access, update or request deletion of your personal data;
The right to rectify (correct) your data: you have the right to have your information rectified if that information is inaccurate or incomplete;
The right to erasure: you have a right to erasure regarding data that are no longer required for the original purposes or that are processed unlawfully;
The right to data portability: you have the right to be provided with a copy of the information we have regarding you in a structured, machine-readable and commonly used format;
The right to object: you have the right to object to our processing of your personal data – upon your justified objection we will cease any further processing under Article 6(1)(f) of the GDPR;
The right to withdraw consent: you also have the right to withdraw your consent at any time where we relied on your voluntary consent to process your personal information;
The right to lodge a complaint with the competent supervisory authority - about our collection and use of your personal data.
In order to exercise your rights described above, you may send appropriate requests to the following e-mail addresses: support@infermedica.com, dpo@infermedica.com, send them to our correspondence address given above, or submit them in person at our registered office. Bear in mind that, prior to responding to your request regarding the exercising of your rights, we may ask you for proof of your identity. If you want to withdraw your consent to data processing, you can also click on the hyperlink entitled "unsubscribe" in the content of the e-mail correspondence. Withdrawal of your consent to data processing has no impact on the legality of data processing that had taken place under the consent granted prior to the effective withdrawal thereof.
Automated Decision Making
You use the Application thanks to our intelligent algorithm, which carefully analyzes your answers given in the interview, so you can learn the possible causes of your symptoms. This analysis is done automatically, based on the information you provide and, as a result, the tool can suggest your potential health condition. This process is referred to as "profiling" and its use, if it concerns personal data, is regulated by law (Article 22 of GDPR). This analysis is the essence of the service and must be carried out for you to receive an interview result. In addition, we also analyze the way in which you use the Application - thanks to this we can improve the quality of our solution and make the medical device not only safer but also more friendly and effective. The data and results of the analyses performed are not used for marketing purposes.
The analysis performed, although it may be considered as profiling in nature, does not produce any legal effects on you or similarly significantly affect you.
Security
The security of your data is a very important issue for us. We strive to conscientiously and perpetually protect your personal data from loss, destruction, distortion/falsification, manipulation and unauthorized access or unauthorized disclosure through appropriate technical and organizational measures adopted at our company.
However, please always keep in mind that no method of transmission over the Internet or method of electronic storage is 100% secure. Due to the inherent nature of the Internet, we cannot guarantee that, during transmission over the Internet, or while stored on our system, or otherwise in our care, information will be safe from any intrusion by third parties, such as hackers.
Cookies
We use cookies to track your activity on our Website and in the App, and we hold certain information obtained from such tracking. We will not be using the same cookies technology in Additional Services. If you need more information, please contact us.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from our Website and the App, and stored on your device. They are used to collect and track information, and to improve and analyze our services rendered through our Website and the App.
Detailed information can be found in our Cookies Policy.
Session Storage
We also use technology similar to cookies (called Session Storage) to provide you with the highest level of service. One of the features of Session Storage is that when you refresh the session, you can return to the exact place in the medical interview where you left off. It also allows us to analyze your actions in different scenarios.
Session Storage is a user-side feature that allows web apps to store data or states on the user/browser without involving the server.
The main features of Session Storage are the following:
It stores data only for a session - meaning that the data is only stored until the browser (or tab) is closed;
Data is never transferred to the server - your data is always under your control.
Services rendered by third parties
Based on the legitimate interest in the analysis, optimization and economic operation of our activities, as well as in analyzing your behavior in order to optimize both our Website and our advertising, we use certain online marketing services such as Google Analytics. Moreover, we can also use a captcha solution to protect the Website, the Application as well as the Services from fraud, spam and abuse. These services can change over time. You can check the current list of technologies used in the table available in our Cookies Policy as well as examine the Website in the settings of your browser or contact us for the details.
You can also prevent the collection and processing of information generated by the cookies of third-party service providers by placing an opt-out cookie or deactivating specific services in the menu of your terminal device. For more information, see the privacy policies of the individual providers.
Amendments
We may revise this privacy policy from time to time. The most recent version of the privacy policy will govern our use of your personal data and other information we process, and will be posted on the Website. By continuing to access or use the Website and the services we render through it, once those changes take effect, you agree to be bound by the revised privacy policy. If you do not agree, you must cease using our Website immediately.
Contact
You can reach us:
via e-mail: support@infermedica.com, dpo@infermedica.com
by writing to our registered office: Infermedica Sp. z o.o., Plac Solny 14/3, 50-062 Wrocław, Poland
Data Protection Officer (DPO)
Bearing in mind the security and transparency of the data processing procedures and the necessity of maintaining continuous supervision over them, we have appointed a Data Protection Officer (DPO) in the person of Mr. Marcin Kaleta.
You can contact the DPO appointed using the dpo@infermedica.com e-mail address or using our postal address (please include the "Data Protection Officer" annotation).
Last update: December 18, 2023