ACTIVE HEALTH TECH PRIVACY POLICY

PURPOSE OF OUR POLICY

This Privacy Policy applies to each of ACTIVE HEALTH TECH LTD (Company number 10530672) (United Kingdom) and Active Health Tech Pty Ltd (ABN 70 162 052 271) (Australia) (the Active Health Group). When we mention ‘we’, ‘us’ or ‘our’ in this privacy policy, we are referring to the relevant company in the Active Health Group that is responsible for processing your data.

We provide the TrackActive Me (www.trackactiveme.com) and TrackActive Pro (www.trackactive.co) website platforms and mobile applications.

This Privacy Policy aims to give you information on how we process the Personal Information that we collect about individuals.

This Privacy Policy takes into account obligations in the European Union under the General Data Protection Regulation (GDPR) and follows the standards of the Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act).

By publishing this Privacy Policy we aim to make it easy for our customers and the public to understand what Personal Information we collect and store, why we do so, how we receive and/or obtain that information, and the rights an individual has with respect to their Personal Information in our possession.

OUR SERVICE

We offer 2 types of service. TrackActive Pro is available to healthcare practitioners from a range of disciplines (Practitioners) to use and offer services to their patients and clients (Patients).

TrackActive Me is available to individuals, either directly or via an organization (such as their employer, insurer, health organization or a charity).

TrackActive Pro allows:

  • Practitioners to upload and share instructional videos, images and other content (Exercises) with their Patients;
  • Practitioners to create and edit exercise and rehabilitation programmes (Exercise Programmes) for their Patients;
  • Practitioners to send Exercise Programmes to Patients and monitor Patient progress;
  • Patients to view Exercises, follow Exercise Programmes and log their progress;
  • Practitioners and Patients to communicate with each other; and
  • Certain Practitioners and Patients to create, store and edit electronic health records on the Personal and Health Information of the Patient (EHR).

Both TrackActive Pro & TrackActive Me allow individual users to:

  • Undertake assessment and screening;
  • Access Exercises and lifestyle suggestions;
  • Receive Exercise Programmes;
  • View Exercises;
  • Log progress and symptoms (for example, pain and functional levels) through Exercise Programmes; and
  • Edit information.

Certain provisions of this policy apply only to use of TrackActive Pro. Where you are using TrackActive Pro, your Practitioner will also have access to all of your Personal Information submitted via the service. The Practitioner will be a data controller in their own right in respect of their use of that personal data and will process that personal data in accordance with their own privacy policy.

For the avoidance of doubt, by contrast, where you are using TrackActive Me via your employer organization, your employer organization does not have access to your personal data on the service (except with your express consent).

WHO AND WHAT THIS POLICY APPLIES TO

Our Privacy Policy deals with how we handle ‘personal information’ or ‘personal data’, being data that identifies an individual or data from which an individual is identifiable. In the provision of services, we are also required to process special categories of data (as defined in the GDPR), including health data (and ‘health information’ for the purposes of the Privacy Act in Australia).

We may handle Personal Information of adults and children as users of TrackActive Pro, both in our own right and also for and on behalf of Practitioners.

Our Privacy Policy does not apply to information we collect about businesses or companies; however, it does apply to information about the people in those businesses or companies whose data we process.

The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy.

You must not provide any Personal Information or other information about someone other than yourself unless:

  • With respect to Personal Information about a child, you are that child’s ‘responsible person’ as defined in the Privacy Act (namely a parent or guardian); and/or
  • You have that person’s consent to provide such information for the purpose specified.

THE INFORMATION WE PROCESS

In the course of business we may collect and process certain Personal Information about you.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Health Information. We may process information for an electronic health record (EHR) about the health, injuries, disability, health services, medical histories, prescriptions, allergies and other health information about you;
  • Lifestyle information. We may process personal information that you give us about your lifestyle, including for example, your working or exercise habits;
  • Identity Information. We may process identity details such as your name, date of birth, nationality, ethnic origin, family details and other information that allows us to identify who you are;
  • Contact Information. We may process information such as your email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us to contact you;
  • Financial Information. We may process financial information related to you such as any bank or credit card details used to transact with us and other information that allows us to transact with you and/or provide you with our services;
  • Statistical Information. We may process information about your online and offline preferences, how you use our applications, browser click throughs, transactions with us and other information relating to your use of our website, mobile applications or services;
  • Digital / Device Information. We may process your IP address and device-specific information, such as the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information (including the mobile phone number) to help identify you and provide the system to you;
  • Information an individual sends us. We will process any personal correspondence that you send to us, or that is sent to us by others about you; and/or
  • Location Information. Certain aspects of our services will make use of location data sent from your devices. You can turn off this functionality at any time by turning off the location services settings for the application on the device. If you use these services, you consent to us and our affiliates’ and licensees’ transmission, collection, retention, maintenance, processing and use of your location data and queries to provide and improve location-based services. You may stop us collecting such data at any time by turning off the location services settings on your device.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate Statistical Information to calculate the percentage of users accessing a specific application feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

HOW INFORMATION IS COLLECTED

Most information will be collected in association with an individual’s use of TrackActive Pro or TrackActive Me, a related enquiry or generally dealing with us. However we may also receive Personal Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies, our customers (including organizations and practitioners) and our business partners. In particular, information is likely to be collected as follows:

  • Registrations/Subscriptions. When an individual registers or subscribes for a service, list, account, connection or other process whereby they enter Personal Information in order to receive or access something, including a transaction;
  • Accounts/Memberships. When an individual submits their details to open an account and/or becomes a member with us;
  • Receipt of Services. When an individual uses TrackActive Pro or TrackActive Me, as applicable;
  • Supply. When an individual supplies us with goods or services;
  • Contact. When an individual contacts us in any way;
  • Access. When an individual accesses our premises we may require them to provide us with details for us to permit them such access; and/or
  • Website or Application Use. When an individual uses our website or App we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services.

We will publish changes to the way that information is collected at the point of collection and within this policy.

OUR PURPOSES FOR PROCESSING PERSONAL DATA

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • Where we need to comply with a legal obligation; or
  • Where we have your consent.

Where we process special categories of personal data, we will most commonly rely on the following additional legal basis when processing that personal data:

  • Where we have your explicit consent;
  • Where we are processing personal data which are manifestly made public by the data subject; or
  • Where processing is necessary for the establishment, exercise or defence of legal claims.

For the avoidance of doubt, as set out below, we will only use the special categories of data provided to us by you (including your EHR) for the purposes of providing our service to you, when one of the legal bases set out above applies. That may require us to share that data with third parties, such as Practitioners where you use TrackActive Pro, for that purpose. We may also use special categories of data that we process to put it into an anonymized and aggregated form for statistical purposes. For the avoidance of doubt, once it is anonymized and aggregated, it is no longer your personal data. We will not use special categories of personal data for any other purpose.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Purpose/Activity | Lawful basis for processing including basis of legitimate interest |
|---|---|
| To provide the TrackActive Pro or TrackActive Me service | Performance of a contract with you. Legitimate interests to provide you with our service where we do not have a direct contract in place with you but you have requested our service from us. To the extent that we process special categories of personal data, your explicit consent or where that personal data has been manifestly made public by you. |
| To register you as a new customer | Performance of a contract with you |
| To enable us to verify your identity | Performance of a contract with you |
| To process and deliver your order including managing payments and collecting monies owed to us | Performance of a contract with you |
| To manage our relationship with you which will include notifying you about changes to our terms, privacy policy or services or asking you to leave a review or take a survey | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated, to inform you about changes to our service and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | Performance of a contract with you; Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To send you marketing communications | Consent, where you are a new customer and such communications are sent by electronic means; Legitimate interests, where you are an existing customer (and have not opted out), where you are a corporate subscriber or where those communications are sent by post (to provide you with marketing about our business). |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy); Consent |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy); Consent |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | Necessary for our legitimate interests (to develop our products/services and grow our business); Consent |
| Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity | Legitimate interests (to ensure that we provide an effective and efficient service); Necessary to comply with a legal obligation; Performance of a contract with you |
| Carrying out regulatory checks and meeting our obligations to our regulators | Necessary to comply with a legal obligation |
| As required or permitted by law | Necessary to comply with a legal obligation |

SHARING PERSONAL DATA

Whether any Personal Information (including your EHR) is shared will depend on the system you are using:

(a) TrackActive Pro – where you are using TrackActive Pro the primary reason Personal Information is used or disclosed is to share EHRs with authorised Practitioners, by giving them access to the EHR in TrackActive Pro. Unless we have your consent, we will not disclose EHR in TrackActive Pro for any other purpose than making the individual’s EHR and other related information available to authorised Practitioners, in a manner compliant with the applicable data protection laws in the course of our business.

(b) TrackActive Me – we will not release Personal Information that you input into TrackActive Me to your employer, without your express consent.

We utilise third-party service providers to process information, host or transmit personal data, communicate with an individual and to store Personal Information about them. Such services we currently use include the following:

  • Amazon Web Services: operated by Amazon Web Services Inc. (a company incorporated in the United States of America) that hosts our systems on servers that may be located in Australia, the United States of America and/or the United Kingdom;
  • Mandrill: operated by The Rocket Science Group LLC, (a company incorporated in the United States of America) for email services;
  • Mixpanel: who provide us with business and web analytics services;
  • Helpscout: who provide us with helpdesk software and related services;
  • MailChimp: who provide us with email services; and
  • Stripe: who provide payment processing services.

We may disclose personal information to third parties:

  • As part of a sale (or proposed sale) of all or part of our business;
  • Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority must be made aware of; and/or
  • As required or permitted by any applicable law.

We may also share your Personal Information with the other companies within the Active Health Group for the purposes of providing relevant services to you.

You may choose to link your account with a third party (such as Facebook, LinkedIn, Twitter or Google+) to our services to enable certain functionality, which allows us to obtain information from those accounts (including your profile picture, friends or contacts). We are not responsible for the privacy practices of third parties. The information we may obtain from those services often depends on your settings or their privacy policies. We recommend that you read the privacy policies of third party service providers so you can understand the manner in which your personal information will be handled by these providers.

Notwithstanding anything to the contrary in this Agreement, nothing shall restrict us from collecting, analysing, using and sharing any personal information on an aggregated and anonymous basis. You consent to such use of aggregated and anonymised data.

INTERNATIONAL TRANSFERS

If your personal data was collected by or in the context of our Australian group company, we will not disclose your Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.

If your personal data was collected by or in the context of our UK group company, we may transfer your personal information outside the EEA, to our group companies or to third party service providers. Where we do so, we ensure a similar degree of protection is afforded to it by ensuring there are adequate safeguards in place, as required under the GDPR, which may include an adequacy decision by the European Commission, standard contractual clauses or, where we use providers based in the US, those providers are EU-US Privacy Shield certified.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

TrackActive Pro personal data is stored within Australia. Where personal data is stored for TrackActive Me users will depend on the regional settings of the individual’s device – being stored either in Australia or the United Kingdom. As set out under the ‘Sharing Personal Data’ heading above, certain information may be transferred to, processed and/or stored outside of Australia and/or the European Economic Area (EEA) (as applicable) including with third parties.

RETENTION OF DATA

We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. Whilst the retention periods vary according to the type of record, in respect of certain EHR in Australia and the United Kingdom we allow for 8 years from (i) the date of last treatment for adult records and (ii) for children, eight years after their 18th birthday or until 25 years of age. In certain circumstances we may be legally required to maintain records indefinitely.

HOW IS YOUR DATA KEPT SECURE?

We may appoint a Privacy Officer to oversee the management of this Privacy Policy and compliance with the applicable data protection law. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.

We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.

We use SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. We also help keep your data secure by carrying out regular penetration testing, by following internal policies of best practice, by providing training for staff, and by encrypting personal data. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.

We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.

If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.

We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information, in compliance with the law.

COOKIE POLICY

We use cookies to distinguish you from other users of our websites. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. This helps us to provide you with a good experience when you browse the website and also allows us to improve our systems and services. By continuing to access our websites, you are agreeing to our use of cookies.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our platform. They include, for example, cookies that enable you to log into secure areas of our platform.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors, track views of content and to see how users move around our platform when they are using it. This helps us to improve the way our platform works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our platform or when you have logged into our platform already. This enables us to personalise our content for you, greet you by name and remember your preferences.
  • Tracking cookies. These enable us to track use of content from our platform (on third party services, such as posts on social media networks), in accordance with your third party settings.
  • Targeting cookies. These cookies record your visit to our platform, the pages you have visited and the links you have followed. We will use this information to make our platform more relevant to your interests. We may also share this information with third parties for this purpose.

You can find more information about some individual cookies we use and the purposes for which we use them in the table below:

| Cookie Name | Purpose | More information |
|---|---|---|
| wp-settings-{time}-[UID] | This is used to customize users’ view of admin interface, and possibly also the main site interface. | Save duration – 1 year |
| mp_*_mixpanel | This cookie is set by Mixpanel Analytics and helps us understand how people are using the site so we can improve the experience. | Save duration – 1 year |
| _gid | Used to distinguish users. | Save duration – 24 hours |
| _ga | Used to distinguish users. | Save duration – 2 years |
| _atuvc | Helps to ensure share counter you see on the website updates properly after you’ve shared something. | Save duration – 1 year |
| 1P_JAR | Google cookie. These cookies are used to collect website statistics and track conversion rates. | Save duration – 1 week |

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

YOUR RIGHTS, COMPLAINTS AND DISPUTES

Under certain circumstances, you have the following rights in relation to your personal data:

  • The right to be informed about the collection and use of your personal data;
  • The right of access to your personal data and any supplementary information;
  • The right to have any errors in your personal data rectified;
  • The right to have your personal data erased;
  • The right to block or suppress the processing of your personal data;
  • The right to move, copy or transfer your personal data from one IT environment to another;
  • The right to object to processing of your personal data in certain circumstances; and
  • Rights related to automated decision-making (i.e. where no humans are involved) and profiling (i.e. where certain personal data is processed to evaluate an individual).

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

HOW TO ACCESS AND/OR UPDATE INFORMATION

Users can update their Personal Information held within the TrackActive Pro or TrackActive Me service, as applicable, from within their account or profile.

It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.

CONTACTING US

All correspondence with regards to privacy should be addressed to:

Privacy Officer

Active Health Tech Limited
191 Wood Ln
London W12 7FP
United Kingdom

[email protected]

Active Health Tech Pty Ltd
Level 1, 6 Bridge St
Sydney New South Wales 2000
Australia

We recommend you contact the Privacy Officer by email in the first instance.

CHANGES TO THIS PRIVACY POLICY

If we decide to change this Privacy Policy, we will post the changes on our webpage at www.trackactive.co and www.trackactiveme.com. Please refer back to this Privacy Policy to review any amendments.

We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles, and nothing in this Privacy Policy shall deem us to have not complied with the Australian Privacy Principles.