Privacy Policy

You're in control of your data.

Who are we?
This Privacy Policy
Questions or complaints
Your rights
Collection and use of data
Using your data
Collecting your data
Sharing your data
Storing and transferring data
Third party websites

Who are we?

We are Elephant Healthcare, a global healthcare technology company. Our group of companies (“Elephant”, “us”, “we”, “our”) is committed to compliance with all relevant data protection legislation, including the General Data Protection Regulation (EU Regulation 2016/679).

We are the owner and provider of our Software for healthcare providers, healthcare workers and clinicians, and patients. We act as the data processor and/or data controller of data, including personal data, collected by our Software or provided to us.

By engaging with us, you confirm that you have read and understood this policy.

This Privacy Policy

We value your privacy and want to be accountable and transparent in the way that we collect and use your personal data.

This policy tells you how and why we collect and use your personal data. We have tried to make it easy to navigate so you can find the information that is most relevant to you based on our relationship with you.

We may update this policy from time to time. Any changes we make will be posted on this page.

This policy applies to:

  • Patients (including child Patients under the age of 16 and their parents/legal guardians) who use the Software and/or who receive a digital health record;
  • Customers, prospective customers and users of our Software;
  • Visitors to our website and people who contact us with enquiries; and
  • Suppliers and their employees.

Questions or complaints

Elephant has appointed a Data Protection Officer in accordance with our legal obligations.

You can contact our Data Protection Officer if you have any queries or complaints about our collection, use or storage of your personal data, or if you wish to exercise any of your rights in relation to your personal data, by:

  • Emailing us at privacy@elephant.healthcare.
  • Writing to us at Elephant Healthcare Limited, One London Wall, London EC2Y 5EB, Untied Kingdom.

We will investigate and attempt to resolve any such complaint or dispute regarding the use or disclosure of your personal data.

If you are subject to GDPR

In accordance with Article 77 of the General Data Protection Regulation, you may also make a complaint to the UK’s Information Commissioner's Office or the data protection regulator in the country where you usually live or work, or where an alleged infringement of the General Data Protection Regulation has taken place.  Alternatively, you may seek a remedy through the courts if you believe your rights have been breached.

Details for the data protection regulators can be found here:

If you are subject to the Data Protection Act 2019 (Kenya)

The Office of the Data Commissioner is still being established. The Ministry of ICT, Innovation and Youth Affairs can be contacted here: https://ict.go.ke.

If you are subject to the Data Protection Act 2012 (Ghana)

The Data Protection Commissioner can be contacted here: https://www.dataprotection.org.gh

If you are subject to any other Data Protection Legislation

Please contact the relevant data protection regulator.

Your rights

Depending on the information we collect and our relationship with you, you may have one or all of the following rights in relation to your personal data:

  • Right to object to our use of all or part of your personal data where we process your personal data on the basis of our or another person's legitimate interest.
  • Right to withdraw your consent when it has been provided, which you can do by contacting us at privacy@elephant.healthcare.
  • Right of access to any personal data we hold about you. You can ask us for a copy of your personal data; confirmation as to whether your personal data is being used by us; details about how and why it is being used; and details of the safeguards which are in place if we transfer your information outside of the UK, the EEA or your home country as prescribed under any other relevant data protection legislation.
  • Right to update your information which is out of date or incorrect.
  • Right to delete your information which we hold about you in certain specific circumstances. You can ask us for further information about these specific circumstances by contacting us. We will pass your request onto other recipients of your personal data unless that is impossible or involves disproportionate effort.
  • Right to restrict the use of your information in certain specific circumstances. You can ask us for further information about these specific circumstances by contacting us. We will pass your request onto other recipients of your personal data unless that is impossible or involves disproportionate effort.
  • Right to data portability to a third party provider of services, where we use your personal data on the basis of your consent or performance of a contract.
  • Right to be informed of the information being collected about you, in certain circumstances.

We have one month to provide a response to your request, unless we advise you we need longer.

We may request that you provide us with information necessary to confirm your identity before responding to any request.

If an exception applies, we will tell you and your request may be rejected. For example if we need to keep using the information to comply with our own legal obligations or to establish, exercise or defend legal claims.

Collection and use of data

Please see the section or sections below that best describes our relationship with you to find out what data we collect about you and how we use it:

All personal data

Regardless of our relationship with you, we will use your personal data:

  • to deal with any enquiries or issues you have about how we collect, store and use your personal data, or any requests made by you for a copy of the information we hold about you. If we do not have a contract with you, we may process your personal data for these purposes where it is in our legitimate interests for customer services purposes;
  • for internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, the security of company facilities, research and development, and to identify and implement business efficiencies. We may process your personal data for these purposes where it is in our legitimate interests to do so;
  • to comply with any procedures, laws and regulations which apply to us – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others to comply, as well as where we are legally required to do so; and
  • to establish, exercise or defend our legal rights – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others, as well as where we are legally required to do so.

Patients and child Patients

If you are a Patient with a digital health record or use our Software, we need certain types of personal data so that we can provide services to you (or your child) directly or process that information on behalf of your healthcare provider, and/or perform contractual and other legal obligations that we have to you.

If you do not provide us with personal data, or if you ask us to delete it, you (or your child) may no longer be able to access our Software.

We, or authorised third parties on our behalf, may collect and use any of the following personal data about you:

  • your name including your title;
  • your postal address;
  • your email address;
  • your telephone number;
  • your age;
  • your sex;
  • your height, weight and other physical characteristics;
  • information about your mental and physical health and wellbeing;
  • your medical records and other documentation related to your medical history;
  • the name, address, telephone number and email address of any doctor, care provider or authorised healthcare professional and their associated healthcare organisation;
  • username and password for access to the Software and/or digital health record;
  • information about the Elephant services we provide to you;
  • details of your leisure activities and interests;
  • details of your lifestyle;
  • information about your preferences; and
  • ‘special categories’ of personal data including information about physical and mental health.

We will collect, use and store the personal data listed above for the following reasons:

  • to provide the Software and digital health record to you;
  • to help you manage your profile, preferences and other choices in relation to the Software and digital health record and associated services;
  • to keep an up-to-date record of your treatment and use of pharmaceutical products;
  • to record and collate your medical history, including symptoms and results of physical examination and medical investigations;
  • to record medical interventions and treatments;
  • to notify you of upcoming appointments, treatments or other medical related information;
  • to enable named clinicians or authorised healthcare professionals to access your digital health record and other logged information via the Software in order to provide you with care or treatment or any other recommended course of action;
  • to anonymise and aggregate data (so that personal data is no longer identifiable) to provide reporting to your healthcare provider improve health care services;
  • where you have provided your explicit consent, to suggest appropriate offers, healthcare projects or initiatives operated or developed by Elephant or third parties;
  • Having removed personal identifiers, such as your name, address and contact details and where we have obtained your consent as required:
  • to improve our healthcare products and services and to share that anonymised data with third parties for research into medical conditions, trends and the development of treatments;
  • for research purposes by us related to medical diagnosis and treatments, or the use of the Software; and
  • enable us to analyse and improve the services we are providing to other users of our Software or third parties.
  • for enforcing our rights, including rights to payment for the Software, under contracts with healthcare or other non-department government organisations entered into in connection with the provision of our Software.

Customers and Software users

If you are a customer or a user of our Software, we need certain types of personal data so that we can provide services to you and perform contractual and other legal obligations that we have to you or your employer.

If you do not provide us with your personal data, or if you ask us to delete it, you or your employer may no longer be able to access our Software for receipt of the Elephant services.

We, or third parties on our behalf, may collect and use any of the following information about you:

  • your name including your title;
  • your date of birth;
  • your sex;
  • your address;
  • your email address;
  • your telephone number;
  • username and password for access to the Software;
  • the name and address of your company or organisation;
  • information about your preferences;
  • information provided when you correspond with us;
  • any updates to information provided to us;
  • information about the provision of existing or potential projects or studies using or developing new elements of the Software, and the associated services we provide (or may provide) to you including (but not limited to):
  • information needed to provide the services to you, or develop future services (including information on joining forms, order details, order history and payment details);
  • customer/Patient/clinician relationship management; and
  • information you provide to help us provide you with improved service, for example if we ask you to fill in a survey or questionnaire.

We will collect, use and store the personal data listed above for the following reasons:

  • to provide you with access to our Software which helps you manage our services and which enables you to provide healthcare services and digital health records to Patients;
  • to facilitate deliveries of data, new products and services to you;
  • to deal with any enquiries or issues you have about the Software and digital health record and associated services that you request from us;
  • to send you certain communications (including by email or SMS) about our products and services such as administrative messages (for example, setting out changes to our terms and conditions and keeping you informed about our fees and charges);
  • to anonymise and aggregate data (so that personal data is no longer identifiable) to provide reporting to your employer to improve health care services and the use of the Software;
  • to carry out statistical analysis and market research on people who may be interested in our existing or new Elephant products and services;
  • if it is in our legitimate interests for business development and marketing purposes, to contact you (including by email, telephone or SMS) with information about our products and services or the products and services of our suppliers which either you request, or which we feel will be of interest to you; and
  • if you are a sole trader or a non-limited liability partnership and provided consent, to contact you by email with information about our products and services or the products and services of our suppliers which either you request, or which we feel will be of interest to you.

Website users or enquiries

If you visit our website or contact us with an enquiry, we collect certain types of personal data so that we can provide services to you and perform contractual and other legal obligations.

If you do not provide us with such personal data, or if you ask us to delete it, you may no longer be able to access our Software or services.

We, or third parties on our behalf, may collect and use any of the following information about you:

  • your name including your title;
  • your email address; 
  • your telephone number;
  • your employer;
  • your job title;
  • your employer's address;
  • your date of birth;
  • information provided when you correspond with us;
  • any updates to information provided to us;
  • technical information automatically created and recorded when you visit our website including the Internet Protocol (IP) address; the website address and country from which you access information; the files requested; browser type and version; browser plug-in types and versions; operating system; and platform; and
  • Information about your behaviour on the internet automatically created and recorded when you visit our website for example, the pages that you click on, the website you visit before and after visiting our website (including date and time), time and length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, traffic data, location data, weblogs and other communication data and information provided when requesting further service or downloads.

We will collect, use and store the personal data listed above for the following reasons:

  • to allow you to access and use our website;
  • to allow you to provide information for the purpose of an enquiry;
  • to register to receive sales or other notifications and materials;
  • to receive enquiries from you through the website about our website, app and associated services;
  • for improvement and maintenance of our website and to provide technical support for our website;
  • to ensure the security of our website;
  • to recognise you when you return to our website, to store information about your preferences, and to allow us to customise the website according to your individual interests;
  • to evaluate your visit to the website and prepare reports or compile statistics to understand the type of people who use our website, how they use our website and to make our website more intuitive. Such details will be anonymised as far as reasonably possible and you will not be identifiable from the information collected; and
  • to deal with any enquiries or issues you have about our products and services, including any questions you may have about how we collect, store and use your personal data, or any requests made by you for a copy of the information we hold about you, for customer services purposes.

Suppliers

If you are a supplier or an employee of a supplier to Elephant or a group company, we need certain types of personal data so that you or your employer can provide services to us.

If you do not provide us with such personal data, or if you or your employer ask us to delete it, you may no longer be able to provide services to us.

We, or third parties on our behalf, may collect and use any of the following information about you:

  • your name including your title;
  • work contact information (phone number, postal address, mailing address, email address);
  • your job title;
  • information provided when you correspond with us;
  • any updates to information provided to us;
  • personal data we collect about you from third party sources such as LinkedIn, CVs, pitch and tender information;
  • proof of identification and address;
  • visa or work permit documentation;
  • details of compensation, expense claims and bank details; and
  • information required to access company systems and applications (such as system ID).

We will collect, use and store the personal data listed above for the following reasons:

  • to enable us to purchase and receive products and services from you or your employer (including supplier due diligence, payment and expense reporting and financial audits);
  • to deal with enquiries from you;
  • to confirm information on CVs and performance reference checks, to assess you or your employer's suitability to work for or with us;
  • for equal opportunities monitoring;
  • for health and safety records and management; and
  • for security vetting and criminal records checks (where applicable and allowed by law).

Using your data

We only use or process your data when we have a legal basis for doing so.

Consent

Patients and child Patients

Where you are a Patient (or a parent or legal guardian of a child Patient) and we act as a data controller we will process your personal data only with your explicit consent:

  • for the referral of appropriate projects or initiatives;
  • for the use and sharing of anonymised health data for third party research;
  • where the data relates to ‘special categories’ of personal data including information about physical or mental health; or
  • to anonymise your data for our research.

Children

Where we process, or act as a controller for, any personal data of a child (under the age of 16) and the lawful basis for doing so would require the explicit consent of that child, we shall rely on explicit consent given by that child's parent or other legal guardian.

We will carry out, or ensure that third parties carry out identity verification checks to ascertain the identity and relationship of the adult providing consent and the child on whose behalf such consent is being provided.

Where we rely on another basis for processing any child’s personal data in connection with the provision of the Software or digital health record, we have reviewed our processes and systems to assess that they are suitable and protect that child’s personal data from the outset.

If we rely on your consent to use your (or your child’s) personal data in a particular way, but you later change your mind, you may withdraw your consent at any time by contacting us by email at privacy@elephant.healthcare.

Marketing

We will only use your personal data to send Elephant marketing communications with your explicit consent. If you wish to stop receiving marketing communications, you can contact us by email at privacy@elephant.healthcare.

Vital interests

Patients and child Patients

Where you are a Patient and we act as a data processor on behalf of your data controller, and when processing is necessary for medical purposes, including diagnosis and the provision of healthcare or treatment, of preventative or occupation medicine and medical diagnosis. This includes sharing data with authorised healthcare professionals as necessary for your healthcare.

Duties under a contract

When we are required to perform obligations under a contract with you (for example, to comply with the terms of use of our Software, digital health record or website which you accept by registering for the Software or digital health record or browsing our website).

Legal duty

When we are required to comply with any procedures, laws and regulations which apply to us or to establish, exercise or defend our legal rights, as well as where we are legally required to do so.

Legitimate interest

If none of the above bases apply, the use of your personal data is necessary for our legitimate interests or the legitimate interests of others, such as:

  • to select and engage appropriately skilled and qualified employees and contractors;
  • operate our website and the Elephant Software and provide digital health records to Patients;
  • where you are a potential supplier, to select appropriately skilled and qualified suppliers;
  • run, grow and develop our business;
  • operate and manage any careers page or recruitment tools;
  • carry out marketing, market research and business development (see more below); and
  • for internal group administrative purposes.

If we rely on our or anothers legitimate interests for using your personal data, we will undertake a balancing test to ensure that our or the others legitimate interests are not outweighed by your interests or fundamental rights and freedoms to protect your personal data.

Collecting your data

Data you provide

You may voluntarily provide us with your personal data in a number of ways, depending on your relationship with us, including:

  • registering for a digital health record;
  • setting up an account with us and using our Software;
  • using bulletin boards or forums on our website;
  • using the online forms provided on our website;
  • as a Patient, providing your personal data to authorised healthcare professionals for uploading to the Software;
  • or by contacting us by phone, email or other means. This includes, for example, where you provide your personal data to us in order to receive products, deliveries, information or services from us.

Third party data

We may also receive information about you from third parties such as marketing agencies, market research companies, your employer, our suppliers, contractors and consultants, group companies, public websites and public agencies.

Sharing your data

We will only share your personal data with third parties when it is relevant and we have a legal basis.

Who we share your personal data with depends on our relationship with you.

All personal data

Regardless of your relationship with us, we may share your personal data with the following categories of third parties:

  • our group companies and partners where it is in our legitimate interests to do so for internal administrative purposes (for example, for corporate strategy, compliance, auditing and monitoring, research and development and quality assurance);
  • companies that assist in our marketing, advertising and promotional activities, such as the marketing automation platform MailChimp and SMS service providers;
  • our other service providers and subcontractors, including payment processors, utility providers, suppliers of technical and support services, insurers, logistic providers, and cloud service providers; and
  • public agencies and the emergency services when we are legally required to do so.

Patients and child Patients

If you are a Patient or child Patient using our Software, we may share your personal data with the following categories of third parties:

  • where necessary for your treatment or care, with the data controller of your personal data and with your other health and social care providers;
  • companies providing services to us including those who act as data processors on our behalf. Those data processors are bound by strict confidentiality and data security provisions, and they can only use certain personal data in the ways specified by us. The categories of third party processors that Elephant uses are:
  • analytics providers and behaviour analytics tools to process pseudo anonymised personal data of our Software users to enable Elephant to gain insights about the use of our Products;
  • feature management software applications to allow Elephant to launch product features to our users;
  • reporting and business intelligence tools to enable the use of the Software;
  • dashboarding and data visualisation tools to allow Elephant to provide anonymised and aggregate dashboards to our customers for the provision of better healthcare; and
  • databases for production data and transfer applications to enable the provision of anonymised reporting and analytics to customers for the provision of healthcare.

Customers and Software users

If you are a customer or prospective customer, or using our Software, we may share your personal data with the following categories of third parties:

Website users

If you are a visitor to our website we may share your personal data third parties including analytics and search engine providers that assist us in the improvement and optimisation of our website.

Why we share you personal data

We will share your personal data with third parties:

  • where it is in our legitimate interests to do so to run, grow and develop our business:
  • if we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if all of our or any of our affiliates' assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets;
  • in order to comply with any legal obligation, lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
  • in order to to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
  • to protect the rights, property, or safety of the company, our staff, our customers or other persons. This may include exchanging personal data with other organisations for the purposes of fraud protection and credit risk reduction.

Any third parties with whom we share your personal data are limited (by law and by contract) in their ability to use your personal data for any purpose other than to provide services for us. We ensure that any third parties with whom we share your personal data are subject to privacy and security obligations consistent with this policy and applicable laws.

Except as expressly detailed above, we will never share, sell or rent any of your personal data to any third party without notifying you and, where necessary, obtaining your consent. If you have given your consent for us to use your personal data in a particular way, but later change your mind, you should contact us at
privacy@elephant.healthcare.

Sharing anonymised data

We may share anonymised and aggregated statistical data (which is not personal data) as follows:

  • within our group companies for reporting and statistics about the use of our Software, digital health records, customers or website;
  • with third party technology tools in order to provide our customers with aggregate reporting and statistics relevant to their location; and
  • with suppliers as required for a legitimate business need.

Storing and transferring your data

Elephant uses end to end encryption to securely store your personal data on servers in the EEA and/or the country where you are receiving healthcare services. Your personal data is never held on any computer, laptop, or mobile device, including your own.

Your personal data may be used, stored and/or accessed by Elephant staff operating outside the EEA, other members of our group companies or suppliers.

If we provide any personal data about you to any non-EEA members of our group or suppliers, we will take appropriate measures to ensure that the recipient adequately protects your personal data. These measures may include the following permitted in Articles 45 and 46 of the General Data Protection Regulation for example, in the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements.

We are committed to protecting your personal data from loss, theft and misuse. We take all reasonable precautions to safeguard the confidentiality and integrity of your personal data through the use of appropriate organisational and technical measures, including encryption and password protection to our internal and third party systems.

You may transfer your personal data to us over the internet and although we make every effort to protect your personal data, transmission of information over the internet is never completely secure. You acknowledge and accept that we cannot guarantee the security of your personal data transmitted to us and that transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access the Elephant Software application or your digital health record , you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We store your personal data for no longer than necessary for the purposes for which it was obtained, and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights.

Further details on the steps we take to protect your personal data is available on request by contacting us by email at privacy@elephant.healthcare.

Third party websites

Our website may contain hyperlinks to third party websites not operated by us. Elephant does not endorse and is not associated with any third party.

This policy only applies to the personal data that we collect or which we receive from third party sources, and we cannot be responsible for personal data about you that is collected and stored by third parties.

Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal data to these websites.

We do not endorse or otherwise accept any responsibility or liability for the content of such third party websites or third party terms and conditions or policies.

This policy is current as of 14 October 2020.