App Privacy Policy

Data & Privacy Policy

Ampersand & Ampersand Limited, a company registered in England and Wales under company registration number 08836602 with registered office at 179 Great Portland Street, London, England, W1W 5PL is committed to protecting and respecting your privacy.

This policy sets out the basis on which any personal data, including (but not limited to) sensitive health, genetic, sex, or biometric data, we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purposes of data protection laws in the UK, the data controller is Ampersand & Ampersand Limited. We are registered as a data controller with the Information Commissioner’s Office under number ZA270434.

BASIS FOR PROCESSING SENSITIVE PERSONAL DATA

Before we process any of your sensitive personal data, we will need to obtain your explicit consent. Please read the information below on how and why we process your sensitive personal data before confirming your consent by ticking the boxes below.

Sensitive personal data is personal data that related to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sex life and sexual orientation, genetic data or biometric data.

– What sensitive personal data do we hold and what do we do with it?

We hold, inter alia, patient name, hospital number, care pathway/medication, hospital appointments, patient reported condition information (including physiological and mental wellbeing)

We process the information and make it available on an individual, identifiable basis to your hospital team.

We process the information and make it available on an aggregate, identifiable basis to your hospital team

We process the information and make it available on an aggregate, anonymised or pseudonymised basis to our research partners.

We only require, store and process the data that you supply that your clinician or hospital require to further your care.

Ampersand & Ampersand is the controller and processor if your data.

  • I confirm that I have read and understood how and why Ampersand & Ampersand will collect and process my personal data, both sensitive and non-sensitive.
  • I confirm that I have read and understood the contents of this Privacy Policy, including my rights in relation to the sensitive personal data.
  • I acknowledge my right to withdraw consent to the processing of sensitive personal data at any time.
  • I hereby consent to Ampersand and Ampersand processing my sensitive personal data in accordance with this Privacy Policy.

INFORMATION WE COLLECT FROM YOU

We will collect and process the following data about you:

  • Information you give us.
  • Information we collect about you.
  • Anonymised data.

WHERE WE STORE PERSONAL DATA

We store your personal data on virtual private servers in a secure datacentre in the EEA and on your device. We take reasonable precautions to ensure that your data does not get processed outside the EEA.

PERIOD OF STORAGE

We hold your data until you request that we delete it, which you can do at any time, should you decide to cease using the service.

YOUR RIGHTS UNDER DATA PROTECTION LAWS

Right to object

You have the right to object to us processing your personal data where we are processing your personal data:​

based on our legitimate interests. If you ask us to stop processing your personal data on this basis, we will stop processing your personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws; and

for direct marking purposes. If you ask us to stop processing your personal data on this basis, we will stop.

Right of access

You have the right to receive confirmation as to whether your personal data is being processed by us, as well as various other information relating to our use of your personal data. You also have the right to access your personal data which we are processing. We may charge you for exercising this right if we are allowed to do so by applicable law.

Right to rectification

You have the right to require us to rectify any inaccurate personal data we hold about you. You also have the right to have incomplete personal data we hold about you completed, by providing a supplementary statement to us.

Right to restriction

You have the right to restrict our processing of your personal data where:

  • the accuracy of the personal data is being contested by you;
  • the processing by us of your personal data is unlawful, but you do not want the relevant personal data erased;
  • we no longer need to process your personal data for the agreed purposes, but you want to preserve your personal data for the establishment, exercise or defence of legal claims; or
  • we are processing your data on the basis of our legitimate interest(as set out above) and you:
  • object to our processing on this basis; and
  • want processing of the relevant personal data to be restricted until it can be determined whether our legitimate interest overrides your legitimate interest.

Where any exercise by you of your right to restriction determines that our processing of particular personal data is to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.

Right to data portability

You have the right to receive your personal data in structured, standard machine readable format and the right to transmit such personal data to another controller.

Right to erasure

You have the right to require we erase your personal data which we are processing where at least one of the following grounds applies:

  • the processing is no longer necessary in relation to the purposes for which your personal data were collected or otherwise processed;
  • our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
  • you object to the processing as set out in the “right to object” section of this policy and we have no overriding legitimate interest for our processing;
  • the personal data have been unlawfully processed; and
  • the erasure is required for compliance with a law to which we are subject.

You also have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.

Exercising your rights

You can exercise such rights by contacting the Caldecott Guardian at your hospital, or by contacting myibdcare@3amp.com