Personal Data Processing Policy – Vtight

Personal Data Processing Policy (Privacy Policy)

 

1. INTRODUCTION

 

Human Bionics SAS. in order to comply strictly with current regulations on the protection of Personal Health Record (PHR), in accordance with the provisions of the Health Insurance Portability and Accountability Act (HIPPA) and any other provisions amending it, The following PERSONAL DATA PROTECTION AND PROCESSING POLICY (hereinafter “Processing Policy”) is presented for the purpose of protecting the personal information provided by users who have a relationship with Human Bionics SAS, such as partners, suppliers, customers, employees, collaborators and any other natural person from whom Vtight obtains, collects, processes or treats personal data, whether such processing is carried out by Human Bionics SAS or by third parties acting on its behalf.

 

The purpose of the Processing Policy is to protect the right of all individuals to know, update and rectify the information that has been collected and stored in the different Vtight databases and, by virtue of compliance with this right, only collects and processes Personal Data when it has been previously authorized by the user, implementing clear measures on confidentiality and privacy of Personal Data. It also details the general corporate guidelines that are taken into account in order to protect the Personal Data of users, the purposes for processing the information, the area responsible for dealing with complaints and claims, and the procedures that must be exhausted to know, update, rectify and delete the information and the respective channels so that they can exercise them.

 

1. DEFINITIONS

 

Personal data:Any information concerning or relating to a specific or identifiable natural person.

Personal data owner:Natural person whose data is processed. In the context of the present personal data processing policy, the data subjects may be: (i) Patients; (ii) Physicians; (iii) Providers; (iv) all people not related to Vtight whose personal data is processed.

Personal database: Organized set of personal data that are processed by a natural or legal person..

Sensitive data: It is personal data that affects the privacy of the Data Subject and whose incorrect use could lead to discrimination. Sensitive data includes, among others, health data, data on sexual orientation, racial and ethnic origin, political opinions, religious, philosophical or moral convictions.

Protected health information (PHI): It is personal data which, due to its intimate or reserved nature, is relevant to the Data Subject.

Semi-private data: It is personal data that is known and of interest both to the holder and to a certain sector of people or to society in general, and is therefore not of an intimate, reserved or public nature.

Public data:It is personal data that is qualified as such under the Constitution and the law, and that has not been classified as private or semi-private personal data.

Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.

Privacy Notice: Verbal or written communication addressed to the Data Controllers of the personal data that are being processed by the company, in which they are informed about the existence of the personal data processing policies that will be applied to them, how to access them, and the purposes for which their personal data will be used.

Data controller Natural or legal person of a public or private nature who by himself or in association with another or others decides on the processing of personal data.

Data processor: A natural or legal person, public or private, who alone or in association with others, carries out the processing of personal data on behalf of the controller.

Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Custodian of databases: Natural person, within the company, who is the custodian of the personal databases.

Transmission:Processing of Personal Data that involves the communication of such data to a third party, within or outside the territory of the Republic of Colombia, when such communication has as its purpose the performance of a Processing operation by the Processor on behalf of and for the account of the Controller, in order to fulfill the purposes of the latter.

Transfer: The Transfer of Personal Data takes place when the controller and/or Processor of Personal Data sends the information or personal data to a recipient, which in turn is a data controller and is located inside or outside the country.

Ways of collecting personal data: Human Bionics SAS. will be able to know, collect, store, manage the information of the holder of the information in accordance with the policy of use of data contained in the present document through the following means: (i) registration and use of the Vtight mobile application; (ii) entering into any type of contract, partnership and/or agreement with Vtight.

 

 

III. GUIDING PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

 

According to the provisions of the Health Insurance Portability and Accountability Act, the protection of personal data shall be governed by the harmonious and comprehensive application of the following principles:

Health information privacy: Health care organizations and related providers are obliged to use the information of their users only for issues related to medical treatment. For all other uses, written authorization is required that removes the data protection granted by law.

Limited use and disclosure of information: The protection of user information is ensured by meeting administrative (regulatory compliance), physical (protection of buildings and physical equipment) and technical (processes to protect and monitor access to medical records) safeguards.

Health information security: Documentation of patient health information privacy processes must be in place to ensure the protection of patient information.

Patient rights: Patients have the right to request access to their medical records; to know how and with whom their medical information is shared, as well as the reasons why it has been shared; to file complaints when required; and to request that medical information not be shared with recipients of their choice.

Compliance and sanctions: Civil and criminal penalties, fines of up to USD 250,000 or up to 10 years imprisonment for repeated breaches in the same year and knowing misuse of medical information are covered.

 

1. RIGHTS OF THE OWNERS

 

In compliance with the fundamental guarantees enshrined in HIPAA, and without prejudice to the provisions of the other regulations governing the matter, the Data Controllers may exercise the following rights free of charge and without limitation:

The right to receive a privacy notice.

Right to access.

The right to request corrections.

The right to request restrictions.

Right to request confidential communications.

The right to a record of disclosures.

The right to lodge a complaint.

 

1. METHOD OF COLLECTING DATA

 

How the personal data of Users/Customers is collected:

The collection of personal data from potential users and users of Vtight will be carried out in the following ways:

• Through the automatic storage of data of users accessing the Vtight platform, by the use of cookies. Some of the data that can be stored automatically are URLs, the browser used, IP address and others.
• Through the exchange of e-mails.
• Through access to the application, by creating a username and password.
• Through events conducted by Human Bionics SAS.
• Through transmission or transfer by strategic partners.

 

1. PURPOSES OF PERSONAL DATA PROCESSING

 

The Personal Data collected by Vtight are included in a database to which authorized staff have access in the exercise of their functions, warning that in no case is authorized the processing of information for purposes other than those described herein, and that they are communicated to the Holder directly at the latest at the time of collection.

Purpose of processing the personal data of Users/Customers:

The main purpose of the collection, storage, use and/or circulation of personal data of Vtight users is to provide the services offered and/or contracted in an adequate manner and with excellent quality. For the above, the purposes of collecting and processing the Personal Data of Users and Clients of Vtight shall be the following: Ordering, cataloging, classifying, dividing or separating and storing the personal data within the systems and files of Human Bionics SAS.

• User account creation and administration.
• To provide for the maintenance, development and/or control of the commercial relationship between the Data Subject and Vtight.
• Carry out in-house processes for operational development and/or systems administration purposes.
• To provide the company’s services and follow up according to the particular needs of the user, in order to provide the appropriate services and products to meet their specific needs.
• Sending information about new products, news, newsletters, educational forums, advertising or marketing, distance selling. Using means such as email, PUSH notifications, text messages (SMS), offers of products and/or services found on the website and the application.
• To keep a historical record of information for the purpose of user satisfaction by developing analyses of interests and needs, thus providing a better service.
• Carry out market strategies by studying user behavior in relation to offers and thus improve their content, personalizing presentation and service.
• Preparation of commercial prospecting and market segmentation.
• Conduct satisfaction surveys and offer or recognition of benefits of our loyalty programme and after-sales service, to qualify the service and attention through the channels provided for this purpose.
• Carry out the necessary activities to manage requests, complaints and claims from users of the company or third parties; and direct them to the areas responsible for issuing the corresponding responses.
• Submit reports to the inspection, surveillance and control authorities, and process the requirements made by administrative or judicial entities.
• Administrative, commercial and advertising uses that are established in the agreements signed with the clients.
• Accounting, economic, fiscal and administrative management of clients.
• Have access to credit bureaux to know the financial statements of clients.
• Transfer or Transmission of Personal Data nationally or internationally to suppliers with whom Vtight carries out activities in compliance with its corporate purpose. Likewise, transfers may be made to strategic allies of the company to carry out marketing, advertising and promotional activities associated with the corporate purpose; all in accordance with the provisions of US regulations.
• To forward information to the Processors in order to facilitate and improve the quality of the Vtight service.
• Reports to credit bureaux for non-compliance with financial obligations arising from the commercial relationship.
• Request authorization for collection from the entities defined and authorized to do so.
• In the event of any other type of purpose for the processing of personal data, the prior, express and informed authorization of the Data Subject shall be requested.

 

VII. AUTHORIZATION AND CONSENT OF THE OWNER

 

Consent and authorization by the data subject is a constitutional and legal requirement that must be met by the individuals responsible for the processing of personal data. Consent must comply with the following assumptions:

Previous: Authorization must be given by the Data Subject prior to any processing of personal data.

Express: The authorization must be given in an unambiguous, clear and specific manner.

Informed: The Data Subject should clearly understand the purposes for which his or her personal data will be processed and the purposes that may arise from the Processing of such data.

All visitors to the Vtight application must register and authorize the processing of personal data in order to make use of the services offered. Therefore, in each of the systems there is a box that indicates “Privacy Policy and Processing of Personal Data” which must be read and accepted in order to continue with the use of Vtight services.

 

VIII. ACCESS CHANNELS AND MECHANISMS PROVIDED BY VTIGHT

 

With regard to the rights of access, updating, rectification and deletion by the Data Subject, their assignees, legal representatives and/or proxies, Vtight will provide access channels for Data Subjects..

All communications, queries, complaints and/or claims must be addressed to the Personal Database Protection Officer or to the CUSTOMER CARE/CUSTOMER SERVICE AREA of Vtight, by electronic attention, making your request through the help center available on the virtual platform.

 

Vtight.