Privacy Notice

Last Revision Date: May 2020

Purpose: We take our responsibilities as custodians of your data very seriously. This privacy policy explains what personal information we collect, how we use it and your rights with regard to this data.

Contents

  1. Introduction
  2. Who are we?
  3. What types of information do we collect?
  4. Cookies
  5. How we use your personal data (legal basis for processing)
  6. Your data, your rights, your choices
  7. Sharing and disclosing your personal information
  8. Safeguarding Measures
  9. Transfers outside the EU
  10. Legitimate Interests Assessment
  11. How long we keep your data
  12. Special Categories Data
  13. National Data Opt-out
  14. Lodging a Complaint

Introduction

Lifelight® regards your privacy and the handling of your personal data with the utmost importance. This Privacy Notice details how we collect, use and securely store any personal data submitted to us through use of our website and Lifelight Application.

We are what is known as a ‘data controller’ for processing your personal data submitted to us through our website. For patients’ data submitted to us through use of our Lifelight Application, xim is what is known as the ‘data processor’ and not the ‘data controller’.

There is also an explanation of the various rights you can exercise as a data subject, as well as how you can exercise those rights.

The scope of this Privacy Notice applies to https://lifelight.ai/

Who are we?

Xim Limited, creators of Lifelight (‘we’ or ‘us’ or ‘our’), gather and process your personal information in accordance with this privacy notice and in compliance with the relevant data protection laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data. We are registered as a ‘data controller’; you can read more about our responsibilities by visiting the Information Commissioner’s Office website. As noted above, for patients’ data that is submitted through use of our Lifelight Application, xim is what is known as the ‘data processor’ and not the ‘data controller’.

Xim’s registered office is: The University of Southampton Science Park, 2 Venture Road, Chilworth, Southampton, Hampshire SO16 7NP

We are a company registered in England and Wales under company number: 3699022

Our Information Commissioner’s Office (ICO) Registration number is: ZA241740

We act as the data controller when processing your data. The individual responsible for data protection is Claire Robinson, who can be contacted at:
The University of Southampton Science Park, 2 Venture Road, Chilworth, Southampton, Hampshire SO16 7NP

What types of information do we collect?

Xim Limited processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We collect information that you give us to process your enquiry and to better understand how our services are used. We’ve outlined the main types of information that we handle below. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.

Examples of the types of personal data that we collect are:

  • Name
  • Personal Email
  • Business Email
  • Mobile Telephone Number
  • Technical information from usage of our Apps

How do we collect your information?

We collect your information when you provide it to us through the website contact form or when you communicate with us in other ways. Whenever you subscribe to our newsletter or fill out a form, we may also collect and process data in order to carry out any services you use.

Your data, your rights, your choices

At xim, we want to make sure you find it easy to access and amend the data we hold about you. Subject to limitations, you can also make certain requests about that data. Please contact us using the details set out below if you wish to exercise your data rights, or contact the data protection regulator to find out more about them.

The right to be informed:

You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Privacy Notice.

The right of access:

You have the right to obtain access to your information (if we’re processing it), and certain other information (similar to that provided in this Privacy Notice). This is so you’re aware and can check that we’re using your information in accordance with data protection law.

The right to rectification:

You are entitled to have your information corrected if it is inaccurate or incomplete.

The right to erasure:

This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information that we hold.

The right to restrict processing:

You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but will not use it further.

The right to object to processing:

You have the right to object to certain types of processing, including processing for direct marketing (i.e. receiving information about xim’s products and services which may be of interest to you via email or post).

The right to data portability:

You have the right to obtain and reuse your information for your own purposes across different services. To the best of our ability, we will provide your information in an easily accessible format.

The right to lodge a complaint:

You have the right to lodge a complaint about the way we handle or process your information with the national data protection regulator.

The right to withdraw consent:

If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw that consent at any time.

Please note that withdrawing your consent does not make unlawful what we have done with your personal data up to that point (when your consent was active).

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible, unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws, as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.

If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

Sharing and disclosing your personal information

Xim does not sell, trade or rent your information to third parties. We will share your information with service providers working on our behalf, or to meet certain other requirements, such as to comply with the law. We will never share your information with any third parties for marketing, advertising or any other purposes.

We may share your information externally with organisations which process data on our behalf. For example, we will need to share your address with Royal Mail to get information posted to you.

Please note that we are obliged to share information as necessary to comply with UK law and regulations. For example, we might need to share your information with regulators.

For further information about who your personal information is shared with, please get in contact with us using the details set out below.

Safeguarding Measures

Xim Limited takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including SSL, TLS, encryption, pseudonymisation, restricted access, IT authentication, firewalls and anti-virus/malware.

Transfers outside the EU

Given the worldwide nature of online communications and services, it is very common for users’ data on sites like ours to be transferred outside of the country in which it was collected. For example, the servers which host our sites could be located abroad. Where we transfer your data to countries outside of the European Economic Area (“EEA”), we will only do so if measures to protect your data and its privacy have been put in place.

Xim transfers your information to the United States where some of its service providers are based. However, xim ensures that the organisations to whom your information is transferred have adequate safeguards in place to protect your data, in particular, through being “Privacy Shield” certified. You can obtain more information on what this means here.

Legitimate Interests Assessment

As noted in the ‘How we use your personal data’ section of this notice, we occasionally process your personal information under the legitimate interests legal basis. Where this is the case, we have carried out a thorough Legitimate Interests Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own interests, ensuring that they are proportionate and appropriate.

How Long We Keep Your Data

Xim Limited only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years, after which time it will be destroyed.

Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.

Special Categories Data

Owing to the products, services or treatments that we offer, xim Limited sometimes needs to process sensitive personal information (known as special category data) about you. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so.

Where we rely on your consent for processing special category data, we will obtain your explicit consent. You can modify or withdraw consent at any time, which we will act on immediately, unless there is a legitimate or legal reason for not doing so.

Patient data is considered to be a special category of data under the General Data Protection Regulation (EU) 2016/679 (GDPR) and is processed under section 6(1)(c) “necessary for compliance with a legal obligation to which the controller is subject” and 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or member State law pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

Giving your explicit consent for us to process your data does not affect your rights. Details of your rights and our data retention periods are further explained below in this Privacy Notice. It should be noted that for patients’ data, xim is the processor and not the controller. Any queries in relation to patient data should be addressed to the hospitals/trusts, as they remain the controllers of patient data.

For all individuals, users and non-user contacts, we rely on separate, explicit consent for direct marketing. You may withdraw your consent for further processing, fully or for specific purposes, at any time by emailing info@lifelight.ai.

It is important to note that this may affect the services we are able to offer you, and we may need to continue to process data relating to your request to withdraw consent.

National Data Opt-out

Information about your health and care helps the NHS to improve your individual care, speed up diagnosis, plan your local services and research new treatments.

In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

The NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments can use your confidential patient information for research and planning. You can choose whether your confidential patient information is used for research and planning.

Type 1 Opt-out: medical records held at your GP practice

You can tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP. If you choose a Type 1 opt-out, you should ask your GP for a National Type 1 Data Opt-out Form.

Type 2 Opt-out: information held by NHS Digital

A Type 2 opt-out is an objection that prevents your personal confidential information that is used for research and planning from being shared outside of NHS Digital.

Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information that is collected from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.

From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically converted to national data opt-outs.

You do not need to do anything if you are happy about how your confidential patient information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your choice at any time. To find out more or to make your choice, visit https://nhs.uk and/or view the NHS Digital patient leaflet.

Xim Limited expects its data controllers (Trusts, GPs, etc.), whether solely or jointly with another organisation, to be responsible for ensuring that national data opt-outs are applied in line with the policy.

In some cases, this requires the controller to instruct xim Limited (acting as a data processor under their instruction) to apply the national data opt-out.

In line with wider legal requirements, xim Limited, as a data processor, will comply with written instructions from the data controller in relation to the national data opt-out.

Lodging a Complaint

Xim Limited only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.

Xim Limited – Data Protection Officer – Claire Robinson – Email: dpo@lifelight.ai

Information Commissioner’s Office (ICO) – ICO Head Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Visit: https://ico.org.uk/make-a-complaint
