At Innersight our mission is to provide an accessible and reliable surgery planning service to all hospitals. We are passionate about high-quality and convenient surgery planning tools. We are also passionate about privacy. We strive to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), and to be true leaders when it comes to healthcare, security and privacy.

This policy explains how we use your personal data from the point of view of patients and clinicians. We want to help you understand how we work with your data, so that you can make informed choices and be in control of your information. We invite you to spend a few moments understanding this policy. We may update this policy from time to time but the latest version will always be available here. By continuing to use our products and services after the changes have been made and we have notified you of them, the way we use your personal data will be subject to the terms of the updated policy.

This policy explains how we use your personal data for our healthcare services and products, including, amongst others, our surgery planning software (Innersight3D).
‍

This policy covers:

1. Who we are
2. What personal data we hold and how we get it
3. What we use your personal data for
4. Sharing your personal data
5. Retention
6. Data security and transfers
7. Your rights

If you have any further questions about how we process your information, please don't hesitate to get in touch by contacting our Data Protection Officer at support@innersightlabs.com.
‍

1. Who we are ?

Our surgery planning services are delivered by Innersight Labs Limited (UK company number 09586858) and this service is called Innersight3D. When this policy talks about ‘Innersight’, ‘us’ or ‘we’, it means Innersight Labs Limited. We provide tertiary care services commissioned by public and private hospitals. For clinicians, we are the data controllers of your personal data which you provide to us in connection with using our healthcare services. For patients, we are the data processors of your personal data which your healthcare provider shares with us, under strict usage conditions, to allow us provide enhanced surgery planning tools to your surgeon and the theatre staff.

2. What personal data we hold and how we get it ?

We use the following categories of personal data:

Patients personal and medical details

When your healthcare provider commissions us to assist with planning your operation, an anonymised copy of your surgery planning medical scan is shared with Innersight alongside your unique hospital number. This hospital number is not related to the state of your clinical health and is thus not patient confidential data. However, it is patient identifiable data and is thus treated with the utmost of care, security and protection. This number is required to allow your clinician correctly and uniquely identify your case.

Clinican personal details

When you register with us, you complete forms and provide us with basic information about yourself, such as your name, email address and telephone number (optional). You are responsible for the accuracy of the information that you provide to us. To monitor our service quality, we may retain records of when you contact our support teams via email. Please refer to the ‘Retention Periods’ section of this policy.

Financial information

None for patients or clinicians.

Technical information and analytics

When you use our our website, we may automatically collect the following information where this is permitted by your device or browser settings:

• technical information, including your login information, system and operating system platform type and version, device model, browser or app version, time zone setting, and
• information about your visit (such as when you first used the website and when you last used it, and the total number of sessions you have had), including products and services you viewed or used, interaction information (such as button presses or the times and frequency of your interactions with the communications we deliver to you).

We work with partners who provide us with analytics and advertising services (for our services only and not for third party advertising). This includes helping us understand how users interact with our services, providing our advertisements on the internet, and measuring performance of our services and our adverts. Cookies and similar technologies may be used to collect this information, such as your interactions with our services. You can prevent the setting of cookies by adjusting the settings on your browser or your mobile phone.

3. What we use your personal data for ?

The purposes for which we use your personal data and the legal grounds on which we do so are as follows:

Providing you a service

• We obtain and use your personal details in order to establish and deliver our contract with you and/or your healthcare provider.
• We obtain and use your medical information because this is necessary for medical purposes, including the provision and assistance of healthcare or treatment.

Keeping you up to date

• We will not initialise contact with patients. We will of course respond to any requests for information from a patient. General enquiries are invited from the public, but case specific questions should be submitted through the clinician to ensure fidelity of the request.
• Clinicians: We use your email address and/or phone number to contact you or present you with occasional updates based on our legitimate interest in marketing our services to you and subject to your right to opt out at any time.

Other uses

• Based on our legitimate interest in managing and planning our business, we may analyse data about your use of our products and services to troubleshoot bugs within our website, forecast demand of service and to understand other trends in use, including which features users use the most and find most helpful, and what features users require from us. This does not involve making any decisions about you that would have a significant legal effect on you – it is only about improving our website so that we can deliver better services to you. Strict confidentiality and data security provisions will apply at all times.
• Where necessary for safety, regulatory and/or compliance purposes, we may audit your interactions with our services. Strict confidentiality and data security provisions will apply at all times to any such audit and access.
  ‍

4. Sharing your personal data with others

Information sharing with other healthcare providers

We will, where necessary for your treatment or care, share your information with your other health and social care providers if explicitly approved by your clinician. For example, your surgeon may wish to get a second opinion from an expert outside of your healthcare provider organisation. Such a request from your surgeon must be made in writing either by letter or email.

Innersight3D service

We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of our services or the physical safety of any person.

Except as described above, we will never share your personal information with any other party without your consent.

5. Retention periods

We retain your medical records in accordance with national best practice guidance – in particular, advice provided by the Department of Health (2006) Records management: NHS code of practice, and summary guidance issued by the British Medical Association. The below is a summary of our retention policy, but we may retain records that do not identify you for legitimate business purposes such as managing or planning our business, or records for other periods as required by law or regulation.

6. Data storage, security and transfers

We do not store your personal health data on your mobile device. We store all your personal data on secure servers.

Where you have chosen a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

We do not store any credit or debit card information.

We encrypt data transmitted to and from the website. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Your data is processed and stored in servers within the UK in accordance with data protection law and subject to strict safeguards. We work with third parties who help deliver our services to you and we select those servers to be located within the UK. For further information on the safeguards we take to keep your data within the UK, contact support@innersightlabs.com.

7. Your rights

As indicated above, whenever we rely on your consent to process your personal data, you have the right to withdraw your consent at any time by contacting us.
‍
You also have specific rights under the GDPR and DPA to:

• wherever we process data based on your consent, withdraw that consent at any time by contacting us;
• understand and request a copy of information we hold about you, subject to our retention periods;
• ask us to rectify or erase information we hold about you, subject to limitations relating to our obligation to store medical records for medical treatment and regulatory transparency for prescribed periods of time;
• ask us to restrict our processing of your personal data or object to our processing; and
• ask for your data to be provided on a portable basis.