Who are we
Welcome to the website of Infermedica Sp. z o.o. based in Wrocław at Plac Solny 14/3, 50-062 Wrocław, Poland ("Infermedica", "we", "us", "our"). Infermedica is a company under Polish law registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław 6th Commercial Department of the National Register of Entrepreneurs under KRS number: 0000429183, with a tax identification number (NIP): 8971782877 and with a REGON number: 021889810.
Infermedica is the owner of the website operated at https://www.symptomate.com (the "Website"). Through the Website, as well as the mobile application available from certain application stores offering applications for the mobile devices in question (the "Application"), we provide the services (the "Services") described in a comprehensive and accessible manner in the terms of service of "Symptomate.com" available at https://symptomate.com/site/regulamin-serwisu/ or in the dedicated mobile applications. Infermedica acts as a controller of all personal data collected and processed in connection with your use of the Website or Application.
All of our activities in the operation of the Website and the Application comply with applicable data protection laws, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
Why we collect and process data
We collect and process personal data in order to provide and improve the operation of the Website and the Application. We collect and process data, i.e. information that identifies or at least allows us to identify you as an individual, when you voluntarily choose to contact us or when you choose to leave your feedback regarding our Services. Furthermore, we collect and process certain technical data generated in connection with your visit to the Website or use of the Application, which may also be considered personal data. "Processing" means any operation performed on personal data, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, disseminating or otherwise making available, matching or combining, limiting, deleting or destroying, or any other use.
In a situation where you are using the Website and the Application on your behalf but on behalf of a third party, be sure to obtain proper authorization before providing such data.
What data we collect and process
We collect various types of data for various purposes related to the provision and improvement of our Services. The types of information collected and processed depend on the type of services we provide through the Website and the Application. We collect and process data in the following situations:
Providing your personal data is voluntary, but without providing it we will not be able to realize what you want from us, e.g. we will not be able to contact you.
Your data will be processed for as long as it is necessary to fulfil the purpose for which it was collected or as long as it is necessary or possible to do so due to certain legal provisions on the processing of personal data.
When you ask to contact us from our Website, we will collect and process the following data:
The legal basis for the processing of your data for the purposes of contact is your voluntary consent (legal basis pursuant to Article 6 paragraph 1 letter a GDPR).
The data will be processed until the purpose of the contact request is achieved or the processing consent is withdrawn, in any case no longer than three years from the last action.
If you choose to leave us your feedback regarding the quality of our Services, we may only process the data you choose to share with us. However, providing personal information that allows us to identify you is not necessary to leave feedback.
You can leave us your contact information so that we can address your feedback.
In this case, your personal data is collected and processed for the purposes of the issued opinion, and the legal basis is your voluntary consent (legal basis according to Article 6 paragraph 1 letter a GDPR). Data will be processed until consent is withdrawn, in any case no longer than three years after the last action.
When you browse our Website and use the Services, we collect and process for security purposes only your IP address and other technological data from logs - which may be considered personal data. We do not process this data for the purpose of identifying you as an individual, but in order to increase the security level of the Website and Application, e.g. to be able to react to the operation of automatic mechanisms.
The legal basis is our legitimate interest (legal basis under Article 6 paragraph 1 letter f GDPR) understood as the need to ensure safe use of the Application and our Services.
Data will be processed no longer than 30 days from the date of collection.
In addition, we use marketing services to analyse your behaviour in order to optimize the performance of the Website and the Application, as well as advertising activities. In particular, we use technologies such as Google Analytics.
In this case, the data is collected and processed for marketing purposes, and the legal basis is our legitimate interest (legal basis from Article 6 paragraph 1 letter f GDPR) understood as the desire to reach as many Users and clients as possible, to promote our Applications and Services and thus develop our business.
The data will be processed as long as the services are provided, until you object or until you change the settings of your browser or in your Facebook or Google profile.
When you use the Services through the Website and the Application, we collect certain health information, as well as other information that may be helpful for the proper provision of the Services, such as data on gender, age, individual risk factors, region of residence or daily behaviour.
Such health information is not combined with information that allows us to identify the interviewee. We combine such information with a unique identifier to provide statistical insights that allow us to improve our Services. Given that we can potentially link an IP address to intelligence within a 30-day period - for that period, the data may be personal.
In this case, the data is collected and processed for purposes related to the provision of the Service through the Application and the legal basis is your voluntary consent and willingness to use the solution provided (legal basis according to Article 9 paragraph 2 letter a GDPR).
The data will be processed no longer than 30 days from the date of collection - after this period, due to the deletion of IP address data necessary for security purposes, the data will be anonymised.
When you use the Application or our Services, we may analyse your actions to improve both the Services and the Application itself, so that the User receives the highest quality benefit. Analytics are performed for two purposes and on the following legal bases:
a) we analyse the data collected during your use of the Services, Website and Application in order to improve our services and products, and the legal basis is our legitimate interest legitimate interest (legal basis in Article 6 paragraph 1 letter f GDPR) understood as the need to provide services and products in the highest quality, corresponding to the needs of users, development of software functionality, improving its accuracy and correctness;
b) we also analyse data collected during your use of the Application to ensure high standards of quality and safety of medicinal products or medical devices (legal basis: Article 9 Paragraph 2(i) of the GDPR in conjunction with Article 83 of Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017. on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC as far as health data is concerned, and as far as other data is concerned, Article 6 paragraph 1 letter f GDPR, i.e. our legitimate legal interest, understood as the need to ensure high standards of quality and safety of medical devices).
Data will be processed until: to object, to change your browser settings, to have this data of a personal nature, * to carry out analysis and achieve the purpose,
whichever comes first.
7. Protection from claims and enforcement of claims:
We may process your personal data for the purpose of asserting or defending against possible claims related to the contact or processing of your personal data and the processing is based on a legitimate interest (Article 6 paragraph letter f GDPR), understood as the ability to assert or defend against claims.
Data will be processed until the expiration of the statute of limitations for individual claims.
We also automatically store and process certain information about your use of our Services (the "Log Data"). Such Log Data does not identify the User in any way and does not constitute personal information. This includes information such as the name and version of the browser, the name and version of the operating system, and the platform the User is using (mobile or desktop device). We use such Log Data to improve, customize and enhance our Services by extending their features and functionality and tailoring them to your needs and preferences
What we can do with your data
We work with certain third parties that can access the data we collect and process. Recipients of your data include:
entities authorized by law or by authorized request (courts, administrative authorities);
accounting, IT, marketing, communications, analytical and legal service providers, including HubSpot, Google, FullStory, Amplitude, among others;
the subcontractors we work with.
Information about you, including your personal data, may also be transferred - and maintained - on devices located outside the European Economic Area, where data protection regulations may differ from those set forth in the GDPR.
If we transfer personal data outside the European Economic Area, in particular to third countries, such transfer will be based on the relevant legal mechanisms such as Commission (EU) Implementing Decisions, applicable standard contractual clauses or other similar legal instruments as set forth in the GDPR. In addition, we follow the Post Schrems II recommendations adopted by the European Data Protection Board.
In order to ensure adequate control over data transferred outside the European Economic Area, you will in any case have the opportunity to receive a copy of your data transferred to a third country.
You have the following rights under GDPR provisions:
the right to request access to the processed data and to receive a copy of the data: at any time you can access the data, update the data or request deletion of the data;
the right of rectification: you have the right to rectify your data if the data is incorrect or incomplete;
the right to erasure: you have the right to request the erasure of data that are no longer necessary for the purposes of processing existing at the time of collection or data whose processing has no legal basis;
the right to data portability: you have the right to obtain a copy of the data concerning your person in a structured, commonly used machine-readable format;
the right to object: you have the right to object to the processing of your personal data - in the event of a legitimate objection, we will cease any further processing on the basis of Article 6(1)(f) GDPR;
the right to withdraw consent: you also have the right to withdraw at any time your consent on the basis of which we process your data;
the right to lodge a complaint with the competent supervisory authority: in connection with the way your data is collected and processed.
In order to exercise the rights described above, you can send relevant requests to the e-mail address: firstname.lastname@example.org, email@example.com send your request by mail to the address indicated above or submit it in person at our headquarters. Keep in mind that we may ask you to confirm your identity before responding to a request to exercise your rights. You can also click on the link titled "unsubscribe" in the body of the email correspondence to revoke the consent you have given for data processing. Withdrawal of consent to data processing does not affect the lawfulness of data processing on the basis of consent granted before its effective withdrawal.
Automated Decision Making
You use the Application thanks to our intelligent algorithm that carefully analyses your answers given in the interview, so you can learn the possible causes of your symptoms. This analysis is done automatically, based on the information you provide, and as a result, the tool can suggest your potential health status. This process is referred to as "profiling," and its use if it involves personal data is regulated by law (Article 22 of the GDPR). This analysis is the essence of the service and must be carried out so that you can get the result of the interview. In addition, we also analyse the way you use the Application - so we can improve the quality of our solution and make the medical device safer but also, for example, more friendly and efficient. The data and results of the analyses performed are not used for marketing purposes.
The analysis performed, although in the nature of profiling, does not have any legal effect on you or similarly significantly affect you.
The security of your data is an extremely important issue for us. We endeavour, through appropriate technical and organizational measures put in place at our company, to protect your personal information from loss, destruction, deformation, any manipulation or unauthorized access, and unauthorized disclosure, on a continuous and meticulous basis.
However, it is important to keep in mind that no form of data transmission or maintenance on the Internet is 100% secure. Due to the inherent characteristics of the Internet, we are not able to guarantee that during the transmission or maintenance of data through our system or on our behalf, the data will be secure and free from any violation by third parties, such as hackers.
Cookies are files containing a small amount of information, which may contain an anonymous unique identifier. Cookies are sent by our Website and Application to your browser and are stored in the memory of your device. They are used to collect and track information, as well as to analyse and improve the quality of services provided through the Website and the Application.
Please see our Cookies Policy for details.
To provide you with the highest level of service, we also use technology similar to Cookies (the "Session Storage"). One of the features of Session Storage is that after refreshing the session, the User can return to the exact point in the medical interview where he/she left off. It also allows us to analyse your activities in different scenarios.
Session Storage is a User-side feature that allows Website applications to store data or states at the User and browser level without involving the server.
The main features of Session Storage are as follows: 1. Stores data only for the duration of the session - this means that data is stored only until the browser (or tab) is closed; 1. Data is never sent to the server - the User always has control over it
Services provided by third parties
Based on our legitimate interest in analysing, optimizing and economically operating our business, as well as analysing User behaviour to optimize both our Website and our advertising, we use certain online marketing services such as Google Analytics. In addition, we may also use a captcha solution to protect the Website, Application and Services from fraud, spam and abuse. These services may be subject to change over time. Users can check the current list of technologies used in the table available in our Cookies Policy, and check the Website in their browser settings or contact us for more information.
Users can also prevent the collection and processing of information generated by third-party service providers' cookies by setting cookie opt-out or deactivating certain services in the menu of their end device. For more information, please refer to the privacy policies of each provider.
You can contact us as follows: by e-mail: firstname.lastname@example.org , email@example.com in writing to the registered office address: Infermedica Sp. z o.o., Plac Solny 14/3, 50-062 Wrocław, Poland
Data Protection Officer (DPO)
Bearing in mind the security and transparency of personal data processing, as well as the necessity of its constant control, we appointed a Data Protection Inspector (DPO) - Marcin Kaleta.
You can contact the appointed DPO using firstname.lastname@example.org or via our postal address (please add "Data Protection Officer").