The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what their rights are, how they can exercise those rights, and how to make complaints.
Who we are
When we refer to ‘we’, ‘us’ and ‘our’, we mean Proximie Ltd as the “Data Controllers”.
Access to Personal Information and Your Rights
The General Data Protection Regulation (GDPR) requires organizations like us to provide a lawful basis to collect and use your information. Our lawful bases to collect and use information from our EEA users include when:
- We need it in order to provide you with the services and to carry out the core activities related to our provision of the services.
- We need to comply with a legal obligation.
- We have a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the services and to protect our legal rights and interests.
- You give us your consent to do so for a specific purpose.
The right of access (also known as subject access requests).
Under GDPR you have the right to obtain:
- Confirmation that your data is being processed;
- Access to your personal data; and
- Other supplementary information – that largely corresponds to the information provided in this privacy notice.
We will provide this information to you free of charge unless the request is ‘manifestly unfounded or excessive’, when we may choose to charge an administration fee or refuse to respond. We will endeavour to provide the information as soon as possible, and never more than one month after receipt of your request. To ensure data security we will request evidence of identification before we supply any personal data.
The right to rectification
Where you tell us that the information we hold on our records about you is incorrect, we will update the data as quickly as possible, and no longer than one month after you have let us know.
The right to erasure (also known as the right to be forgotten)
The GDPR introduces the right to have your personal data erased. However, this is not absolute and only applies in certain and specific circumstances.
Proximie’s lawful basis for processing personal data is ‘for the performance of a task carried out in the public interest or in the exercise of official authority’. The right to erasure does not apply for this lawful basis.
The right to restrict processing
You have the right to request that we restrict the processing of your personal data in certain circumstances. For example:
- You contest the accuracy of the data we hold. In this instance we will restrict your data until we have verified the accuracy of the data;
- The data has been unlawfully processed, but you oppose erasure and request restriction instead. This is unlikely; however, if this is the case, we will retain your data in this instance;
- We no longer need the data, and it will be removed under our data retention policy, but you require us to retain the information in order to establish, exercise or defend a legal claim. This is unlikely; however, if this is the case, we will retain your data in this instance;
- You have objected to us processing your personal data under the ‘right to object’ and we are considering whether our legitimate grounds override those of the individual.
The right to data portability
You have the right to request organisations provide you with a copy of your personal data to allow you to move, copy or transfer it from one IT environment to another.
The right to object
You have the right to object to the processing of your personal data in the performance of our tasks.
The right to automated decision making including data profiling
You have the right to object to us using automated processing techniques, such as profiling, in order to provide services – we can confirm that we do not, at present, carry out any automated processing of your data.
The right to stop contacting you for marketing purposes or follow-up on any recruitment process.
Processing and usage of data
Our service enables the effective transfer of clinical and surgical expertise in a simple, scalable and compliant fashion. Our award-winning, patented, augmented reality solution enables healthcare professionals to interact with each other across a wide variety of clinical and surgical applications, regardless of geographical location.
Proximie processes audio visual data of surgical operations performed in a clinical environment. This video is securely live streamed and securely stored on our cloud servers and is only accessible to health care professionals who are securely authenticated on the Proximie platform. The capture of any personal data in audio visual feeds is avoided, unless it is clinically unavoidable. We advise organisations who use the service to avoid capturing any identifiable personal data in audio visual recordings, secure messages and session names.
Even where Proximie has a legitimate interest in processing your personal data, it will not do so to the extent that processing would override your interests, rights and freedoms to protect your personal data.
We may also use your personal data to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use personal data for these purposes when it is necessary to protect, exercise or defend our legal rights, or when we are required to do so by applicable law.
Proximie Ltd uses AWS servers hosted in the US (which are covered by the EU-US Privacy Shield), United Kingdom, United Arab Emirates and Kingdom of Saudi Arabia and in other jurisdictions. Proximie is expanding its territories and always seeks to geolocate and protect data where possible.
If you are an EEA resident, your personal data held by Proximie may be transferred to, and stored at, destinations outside the EEA that may not be subject to equivalent data protection laws, including the United States. When you sign up for service with Proximie or inquire about our services, we transfer your information to the United States and other countries as necessary to perform our agreement with you or to respond to an inquiry you make. It may also be processed by staff situated outside the EEA who work for us or for one of our suppliers.
The United States, the United Kingdom, the United Arab Emirates and the Kingdom of Saudi Arabia and other countries where we operate may not have protections for personal information equivalent to those in your home country.
Cookies are files with a small amount of data that are commonly used as anonymous unique identifiers. These are sent to your browser from the websites that you visit and are stored on your device’s internal memory.
This Service does use these “cookies” for session management. The app may use third party code and libraries that use “cookies” to collect information and improve our and their services. Data sent to these third parties’ services will not involve electronic patient health or personally identifiable information. You do not have the option to refuse these cookies. You will not be able to use Proximie without accepting their use.
Links to third-party websites
Individual applicants as part of the recruitment process.
When you apply for a job with us, we will rely on your consent under Article 6(1)(a) of the GDPR to process your data. If your application includes any special categories of data, for example relating to a monitoring of our application relating to minorities, disability or any additional needs you may have, we will rely on your explicit consent under Article 9(2)(a).
We need this information to process your application, and to keep a record of the applications made. We may keep your CV and personal contact details in order to offer you further opportunities in the future.
We hold your data for three years after the process is complete, if you are unsuccessful.
Potential clients sourced through individual marketing campaigns
When you respond to our marketing campaigns, we will keep your personal contact details with your consent under Article 6(1)(a) of the GDPR. We may also collect names and contact details through other suppliers who provide marketing databases. In these cases we will always assure ourselves that we have your consent to contact you. In compliance with the Privacy and Electronic Communication Regulations, we will always offer an ‘opt-out’ as part of these campaigns.
We need your personal data in order to offer our services to you, and we keep a database of contact details in our systems.
We hold your personal data in this respect for three years, or until you tell us you no longer wish to receive marketing contact from us, at which point we delete it.
Important notes concerning data processing
Proximie uses Google Analytics, a web analytics service provided by Google Ireland Limited. If the responsible body for the data processing that occurs via this website is based outside of the European Economic Area and Switzerland, then the associated Google Analytics data processing is carried out by Google LLC. Google Ireland Limited and Google LLC will hereinafter be referred to as “Google”.
Google Analytics uses “cookies”, which are text files saved on the site visitor’s computer, to help the website analyze their use of the site. The information generated by the cookie (including the truncated IP address) about the use of the website will normally be transmitted to and stored by Google.
Google Analytics is used exclusively with the extension “_anonymizeIp()”. This extension ensures an anonymization of the IP address by truncation and excludes a direct personal reference. Via this extension Google truncates the site visitor’s IP address within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional situations will the site visitor’s full IP address be transmitted to Google servers in the United States and truncated there. The IP address that is provided by the site visitor’s browser in using Google Analytics will not be merged by Google with other data from Google.
On behalf of the site operator, Google will use the information collected to evaluate the use of the website, to compile reports on website activity and to provide other website and internet related services to the site operator (Art. 6(1)(f) GDPR). The legitimate interest in data processing lies in the optimization of www.proximie.com, my.proximie.com, beta.proximie.com and their mobile clients, the analysis of the use of these websites and the improvement of their content and features. The interests of the users are adequately protected by the pseudonymization of their IP address. No other personal data is collected.
Google LLC has certified their compliance with the EU-U.S. Privacy Shield Framework and on that basis they provide a guarantee to comply with European data protection law. The data sent and linked to the Google Analytics cookies, e.g. pseudonymised IP addresses, will be automatically deleted after 50 months. The deletion of data whose retention period has been reached is done automatically once a month.
Proximie utilises Tableau on-premise solutions within encrypted AWS workspaces. This data is anonymised at source, never connects to services outside of Proximie’s virtual private clouds and is utilised to understand legitimate business interests such as:
- Anonymised user churn (logins per month)
- Number of video session views
Only high level metrics are derived and utilised for Proximie to understand commercial growth and macro usage of the platform.
Microsoft Dynamics 365
Proximie’s commercial team may store user data within Dynamics 365 during the commercial lifecycle. Only data which is directly required for contractual agreements will exist in this platform. This data includes:
- User information for contract points of contact
- Number of contact attempts
- Lead times and metrics for client onboarding and support
- Sales targets
Data within Microsoft Dynamics is routinely removed and only used for interim performance metrics, and to make sure client contact remains within SLA agreements.
Proximie utilises Intercom for customer support. When the user logs into Proximie, or enquires as an anonymous user, an account is set up within the Intercom platform for the lifecycle of either the Proximie Session or support/inquiry request duration. Within Proximie’s process this data is deleted in line with Intercom’s GDPR process and guidelines.
Proximie utilises Atlassian products (JIRA, Jira Service Desk, Confluence) to aid with support response and documentation. When a user files a support request via Intercom, Jira Service Desk form, or by email, a ticket is filed which includes the user’s details. This data is stored on Atlassian’s servers. Proximie’s legitimate business interests are to make sure support requests are tracked to the user who flagged themselves for help and lead time metrics until a solution is found. This data is routinely removed on success and metrics gathered. Data is removed following Proximie and Atlassian guidelines.
To support delivery of our Services, Proximie Ltd. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data or Authorized Users Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor.
Proximie currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and notifications (text, push, and email). Prior to engaging any third party Subprocessor, Proximie performs diligence to evaluate their privacy, security and confidentiality practices, and requires of its applicable obligations.
NB: No Electronic Patient Information will exist outside of the Proximie cloud (country or region specific Servers hosting services). Only User information may exist outside of this for communication, support and anonymous analytics tracking only.
| Entity Name | Entity subprocessing activities | Entity Country | Entity policies |
|---|---|---|---|
| Slack Technologies | Communications Platform | United States of America | https://slack.com/intl/en-gb/privacy-policy |
| Microsoft Azure | Servers hosting services | United States of America | https://azure.microsoft.com/en-gb/support/legal/ |
| Sahara Net | Servers hosting services (for use in KSA only) | Kingdom of Saudi Arabia | https://security.sahara.com/ |
| Amazon Web Services | Servers hosting services | United States of America | https://aws.amazon.com/privacy/ |
| Microsoft Dynamics 365 | Analytics and CRM Services | United States of America | https://privacy.microsoft.com/en-gb/privacystatement https://docs.microsoft.com/en-gb/dynamics365/get-started/gdpr/ |
| Microsoft Office 365 | Communications and Documentation Platform | United States of America | https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-information-protection-for-gdpr?view=o365-worldwide |
| Google Cloud Firebase (previously Google Analytics) | Analytics and Communications services | United States of America | https://firebase.google.com/support/privacy https://firebase.google.com/policies/analytics https://policies.google.com/privacy |
| Atlassian (Jira Service Desk, Confluence, Jira) | Communications, documentation and customer support services | United States of America | https://www.atlassian.com/legal/privacy-policy |
| Tableau | Analytics services | United States of America | https://www.tableau.com/en-gb/legal/regional-privacy-laws |
| Intercom | Communications and customer support services | United States of America | https://www.intercom.com/legal/terms-and-policies |
Depending on the nature of the Services provided, Proximie may also engage one or more of the following Affiliates as Sub-processors to deliver some or all of the Services provided to a Customer:
| Proximie SAL | Registered in the Republic of Lebanon in the Register of Commerce of Beirut |
| Proximie INC | Registered in the Commonwealth of Massachusetts in the United States of America. |
Proximie has implemented administrative, physical, and technical safeguards to help protect the personal data that we transmit and maintain. Secure services and tools used by Proximie include:
- ISO 9001, HIPAA, Cyber Essentials and NHS DSPT Certification
- Encryption of video in transit and at rest using 128 and 256 AES encryption
- Mandatory internal security, GDPR, and HIPAA training for all staff
- Regular (CREST accredited) penetration testing.
- Adherence to the Secure Software Development Lifecycle which includes static analysis and manual security processes within Product and Engineering.
- Use of AWS and Azure ISO 27001 certified cloud services.
However, no system or service can provide a 100% guarantee of security, especially a service that relies upon the public internet. Therefore, you acknowledge the risk that third parties may gain unauthorized access to your information. Keep your account password secret and please let us know immediately if you think your password was compromised. Remember, you are responsible for any activity under your account using your account password or other credentials.
Your Rights as a California Resident
This section applies only to California consumers. It describes how we collect, use, and share California consumers’ personal information in our role as a business, and the rights applicable to such residents. For purposes of this section “personal information” has the meaning given in the California Consumer Privacy Act (“CCPA”). Proximie does not sell your personal information or your end users’ personal information.
We process your personal information only in order to provide the services and we do not retain, use, or disclose your personal information outside of the scope of the agreement we have with you.
How We Collect, Use, and Share your Personal Information
We have collected the following statutory categories of personal information in the past twelve (12) months:
- Identifiers, such as name, e-mail address, mailing address, fax number and phone number. We collect this information directly from you or from third party sources.
- Information collected in connection with your use of our services, including communications usage information and the communications content processed through the services.
- Internet or network information, such as browsing and search history. We collect this information directly from your device.
- Geolocation data, such as IP address. We collect this information from your device.
- Financial information, such as payment details or financial account numbers in the process of providing you with our services. We collect this information from you.
- Inferences based on your use of the services and browsing history.
- Other personal information, in instances when you interact with us online, by phone or e-mail in the context of receiving support from our sales and customer service teams
Your California Rights
You have certain rights regarding the personal information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.
- The right of access means that you have the right to request that we disclose what personal information we have collected, used and disclosed about you in the past 12 months.
- The right of deletion means that you have the right to request that we delete personal information collected or maintained by us, subject to certain exceptions.
- The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.
- Proximie does not sell personal information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199).
- California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California consumers asking about the businesses’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. Alternately, such businesses may have in place a policy, as we do, only to disclose personal information of consumers to third parties for the third parties’ direct marketing purposes if the consumer has opted into such information-sharing.
Right to Know
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The specific pieces of Personal Information we collected about you
- The categories of Personal Information we collected about you.
- The categories of sources from which the Personal Information is collected about you.
- Our business or commercial purpose for collecting or selling that Personal Information.
- The categories of third parties with whom we share that Personal Information.
- If we sold or disclosed your Personal Information for a business purpose
Right to Delete
You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the rights of other consumers to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
How to Exercise your California Rights
You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent’s identity to protect your personal information.
Please email us at CCPA@Proximie.com if you would like to exercise your rights pursuant to CCPA or learn more about your rights or our privacy practices.
This policy is effective as of 2020-04-29
Data Protection Officer
The Harley Building
77 New Cavendish Street
In the unlikely event that you wish to lodge a complaint about our collection, transfer or processing of your personal data, you can lodge a complaint with the Information Commissioner’s Office (ICO) via their website www.ico.org.uk or in writing to:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF