Privacy Notice

Effective 10 May, 2022

Who are we

We are Feebris Ltd, registered at Companies House under number 10814733.

We are based at Accelerator London, 35 Kingsland Road, London, E2 8AA, UK and any queries relating to data protection can be addressed to privacy@feebris.com

We are registered with the ICO. Our registration number from the ICO is: ZA742834  

Our Role

Feebris plays multiple roles when it comes to processing your data. In some situations, we act as a

Controller, in some we are a Joint Controller, and in others we are the Processor. In circumstances where we are just a Processor of personal data, we are doing so purely on the instruction of another company(the Controller). In all circumstances our intent is to minimise the data we hold on you. 

If you are a patient or healthcare professional, then the Controller is likely to be your care provider or employer. To find out more about how your data is protected by them, you should contact them directly.

Your Rights

You have rights in respect of our processing of your personal data.

  • Your right of access: You have the right to ask us for copies of your personal information.
  • Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.  
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.  
  • Your right to object to processing: You have the right to object to our processing your information in certain circumstances. Your right to object to marketing is absolute.
  • Your right to data portability: In some circumstances you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if you gave us the data, and if we are processing information based on your consent or under a contract, or in talks about entering into one, and the processing is automated.
  • Your right to not be subject to automated decision-making and profiling: You have the right to not be subject to a decision based solely on automated processing, including profiling. (However, please note that Feebris does not currently have any automated decision-making)

If you want to exercise any of these rights, please just contact us on privacy@feebris.com. We will acknowledge receipt within 48 hours and respond fully in line with the GDPR timeframes (usually 30 days, but may be extended for a further 60).

You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the ICO whose details are here: https://ico.org.uk/make-a-complaint/.

Technical and Operational Security

All data is password protected, access controlled, backed-up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. Data Privacy by Design and Default is an integral part of our development processes. All devices are protected by leading enterprise mobility management technologies.

We are certified to Cyber Essentials, meet the standards of the NHS Data Security and Protection Toolkit, and are working towards our ISO27001 certification audit.

What Happens If Our Business Changes Hands

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to Our Privacy Policy

We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date. If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.

Cross-site Tracking and Do Not Track

Feebris does not track users across other websites so our practices will not change if you have set a "do not track" signal on your browser. We encourage you to make sure you set your browser settings to match your preferences. For more information on Do Not Track signals, see all about do not track.

Website Browsing Privacy Notice

Data that we hold and how we use it

When you browse our website we only drop non-essential cookies and trackers with your consent, based on your choices when presented with our cookie banner.

To see the details of cookies and similar technologies used, and control your preferences at any time, please click on the triangular “C” icon in the bottom right-hand corner of your screen whilst on our website.

If you provided your company contact details in our “contact us”, “book a demo” or other online form captures, we will use this data for those purposes, and also give you the ability to opt-out of receiving further communications from us regarding our services. At this point you should read the “Potential Corporate Client” Privacy Notice.

When you follow links to any third party websites from our own, you will fall under that third party’s Privacy Policy.

Lawful basis for processing

Our lawful basis for processing your data is a combination of consent for cookies and trackers, and legitimate interest for Business to Business marketing.

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody.

Retention Periods

Cookie and tracking data is held for two years to enable us to see trends in the use of our website.

Employee Privacy Notice

If you are an employee of Feebris, please refer to the FairProcessing Notice that is in the team drive.

Potential Employee Privacy Notice

Data that we hold and how we use it

As a potential employee we hold the following data on you: contact details, your professional profile (including your social media handles), CV, interview notes, and email correspondence with you.

This data will either have come directly from you or we will have sourced your data from a 3rd party such as LinkedIn.

If you are successful in gaining employment with Feebris then you will fall under the Employee Privacy Notice going forward. We also carry out pre-employment checks, as legally obligated to do so by HMRC and various visa requirement bodies. If you have provided referees, then we will contact them and process any reference they supply.

If we sourced data from a 3rd party, we will let you know within 30 days of sourcing it that we are processing your data and where we found it.

Lawful basis for processing

Our lawful basis for processing your data is a combination of contract and legitimate interest. We process references we receive under legitimate interest. When you applied for a job it was with a view to entering into an employment contract with us, so a majority of the data will be held under contract. If we sourced your data from a 3rd party, then we use legitimate interest to process it. If we decide not to go forward with your application then we use legitimate interest to retain the data for 2 years (see Retention Periods below).

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We also transfer your data to our lawyers for contracting and to support with the visa sponsorship process if applicable. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody  

Retention Periods

If we sourced your data from a 3rd party and you tell us that you are not interested in working for Feebris at the moment then we will keep your data on file for 2 years should your situation change. If you are not at all interested in working for Feebris, we will keep limited data only just so that we do not reach out to you again.

If your application to Feebris is unsuccessful for any reason, we will retain all applicants’ data, irrespective of the source, for a minimum of 6 months, then as per the paragraph above.

If you want us to remove your data at any point then please let us know.

Care Provider Privacy Notice

Data that we hold and how we use it

As a corporate client, we hold the contact and financial transaction details required to carry out our contract with you, data to manage our relationship and keep you up to date with changes and improvements to our services. This data would have been sourced from you directly.

Lawful basis for processing

Our lawful basis for processing your data is a combination of Contract and Legitimate Interest. We use legitimate interest when we use your data to keep you up to date with changes and improvements to our goods and services. Our legitimate interest balancing test indicates that this is a legitimate purpose; it is necessary for the purpose of keeping you updated and growing our business, and unlikely to cause you risk or harm.  

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We also transfer your data to our accountants to ensure we are paid appropriately. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody.  

Retention Periods

We hold data on Corporate Clients for the length of time that you are a client of ours, then another 7 years in case of any dispute. We suppress the data for marketing purpose if you ask us to.

Potential Care Provider Privacy Notice

Data that we hold and how we use it

As a potential client, we hold your name, job title and corporate contact details so we can build a relationship with you. This data will have been sourced directly from you at an event, from our website capture, network, from your company website, or from a similar publicly available source. We only hold your data if we legitimately think you will have an interest in using our product.

Lawful basis for processing

Our lawful basis for processing your data is a Legitimate Interest for marketing purposes. As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). We give you the chance to opt out of all marketing on anything that we send you. We only share details of our own goods and services in our marketing. If your data was not sourced directly from you, then we contact you once we have the data to let you know that we have your data and give you the chance to opt out. Our legitimate interest balancing test indicates that this is a legitimate purpose: you would not be surprised to hear from us based on the nature of your job role, and our processing does not cause any harm or risk to you as a data subject.

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody.  

Retention Periods

We hold data on Potential Corporate Clients for 2 years after the last relevant contact, or until the point at which you opt out of communications. At this point you are added to a suppression list so we do not contact you again. When you become a Corporate Client, then the Privacy Notice for Care Providers will apply.

App User Privacy Notice

Data that we hold and how we use it

We process data about the way you use our apps (both mobile and web), including your actions taken within the app, crash reports, device details and version details. 

We capture this data to protect our system from illegal use and fulfil our obligations regarding Post Market Surveillance under the applicable Medical Device Regulations, which are not aggregated. Data collected by our apps will not be shared or processed for any reason other than those outlined in this privacy notice.

Lawful basis for processing

When we are obligated to capture this for Post Market Surveillance, then our lawful basis is legal obligation. We use legitimate interest when we use it to protect our system from illegal use. Our legitimate interest balancing test indicates that this is a legitimate purpose; you would not be surprised to hear from us to help you fix a technical issue, and our processing does not cause any harm or risk to you as a data subject.  

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody and we do not share it with anyone other than our contracted processors.

Retention Periods

For log data (including any bug reporting) used for Post Market surveillance, we have to keep your data for 10 years after our last product goes to market. For log data used to protect our system from illegal use, we keep your data for the length of time that you are a client of ours, then another 7 years in case of any dispute.

Patient Privacy Notice

Data that we hold and how we use it

As a patient of a care provider, we act as a processor for some of your data, a joint controller of some of your data, and as a sole controller of the rest. We also anonymise and aggregate all data for research purposes and to ensure that our technologies are developed and improved to offer the best level of care and service. Once anonymised, this data no longer falls under the GDPR.

For details of the non-anonymised data processed, see below:

Data
Role
Joint Controller
Why we use the data
Lawful Basis
Identity data (name, DOB, gender, GP details and NHS number) and inputted health data (symptoms, vital sign measurements)
Processor
Care Provider
On instruction from your Care Provider to create your record and ensure that clinical-users can identify you
Identity data and health data which forms part of analysis (ID, medical history, symptoms, sensor readings, results and recommendations)
Joint controller
Care Provider (JC)
To enable our Feebris decision support solution to work together with your healthcare professional in the delivery of your care.
If Joint Controller is a registered healthcare provider (e.g. NHS) then Legitimate Interest and Provision of Health and Social Care). Otherwise, Consent.
Identity data and health outcomes (diagnosis and treatment results)
Controller
Post Market Surveillance  (PMS) against medical device regulatory requirements.  
Legal Obligation
Identity data, health data, and health outcomes
Controller
To facilitate the transfer of data from your healthcare professional to Feebris
Consent
Health data and health outcomes
Controller
To anonymise the data for the purposes of research, continuous improvement, and technology development
Legitimate Interest plus Article 9.2J (Archiving in the Public Interest for Statistical /Scientific Purposes)
Full patient record in the Feebris system (not by default)
Controller
If you move to a new care provider we give you the option to transfer the data to Feebris temporarily to facilitate the handover
Consent

Data Sharing and Transfers

If you have consented for us to hold your record as part of an agency handover (we call that “passporting your data”), then we will transfer that data to your new care provider upon your request.

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody and we do not share it with anyone other than our contracted processors.

Retention Periods

If you have consented to us processing your data for passporting purposes (see above),we will keep that data until you move to a new care setting, upon which, we will ask for your consent again. If you withdraw consent, we will no longer hold your data for this purpose.

When we are a controller or a joint controller, we hold your health data, associated to your identity, for 8 years, in line with the NHS Records Management Code of Practice for Health and Social Care 2016.

For any data used for Post Market surveillance, we have to keep your data for 10 years after our last product goes to market.

Investor/Shareholder Privacy Notice

Data that we hold and how we use it

As an investor or private shareholder in Feebris Ltd, we hold your contact and investment details. This data will have been sourced directly from you in the course of your investment.

We use this data to pass to the regulators*, to issue your share certificates** and to manage our relationship with you**.

Lawful basis for processing

Our lawful basis for processing your data is a legal obligation* and contractual obligation**.

Data Sharing and Transfers

We share your contact details in line with our regulatory requirements, so will be listed in official documents such as company filings and would be used in any potential data room.

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody.

Retention Periods

As a shareholder/investor we hold your information for as long as we are legally required to do so.

Supplier and Third-Party Privacy Notice

Data that we hold and how we use it

As a supplier, we hold the contact and payment details required to manage our relationship and pay you for the services you provide. This data would have been sourced from you directly.

Lawful basis for processing

Our lawful basis for processing your data is a combination of Contract and Legitimate Interest. We use legitimate interest when we use your data to let you know about other services we might require. Our legitimate interest balancing test indicates that this is a legitimate purpose: we are sure you will want to hear from us when we might require additional services, and it is unlikely to cause you risk or harm. We use contract when we process data to manage our relationship with you (e.g. to pay you). 

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We also transfer your data to our accountants to ensure you are paid appropriately. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example US Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody and we do not share it with anyone other than our contracted processors.

Retention Periods

We hold data on our Suppliers for the length of time that we are engaged together, then another 7 years in case of any dispute.

Potential Supplier and Third-Party Privacy Notice

Data that we hold and how we use it

As a potential supplier, we hold your name, job title and corporate contact details so we can build a relationship with you in case we need something that we believe you may be a good fit to provide. This data will have been sourced directly from you at an event, or from your company website, referral or a similar publicly available source.  

Lawful basis for processing

Our lawful basis for processing your data is legitimate interest and contract. When we connected it was with a view to entering into a service contract together. If either party decides not to go forward then we use legitimate interest to retain the data should we require additional services. Our legitimate interest balancing test indicates that this is a legitimate purpose: we are sure you will want to hear from us when we might require additional services, and it is unlikely to cause you risk or harm.

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. We may also transfer your data to our lawyers for contracting purposes. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody and we do not share it with anyone other than our contracted processors.

Retention Periods

We hold data on Potential Suppliers for 2 years after our last contact.

Potential Investor Privacy Notice

Data that we hold and how we use it

As a potential investor, we hold your name, job title and corporate contact details so we can build a relationship with you. This data will have been sourced directly from you at an event, from our website capture, network, from your company website or a similar publicly available source. We only hold your data if we legitimately think you will have an interest in investing in us.

Lawful basis for processing

Our lawful basis for processing your data is a Legitimate Interest for marketing purposes. As you are a corporate entity, we also abide by the Privacy and Electronic Communications Regulations (PECR). We give you the chance to opt out of all marketing on anything that we send you. We only share details of our own goods and services in our marketing. If your data was not sourced directly from you, then we contact you once we have the data to let you know that we have your data and give you the chance to opt out. Our legitimate interest balancing test indicates that this is a legitimate purpose: you would not be surprised to hear from us based on the nature of your role, and our processing does not cause any harm or risk to you as a data subject.

Data Sharing and Transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. For transfers to the EU, we rely on the adequacy agreement that is in place. We do not sell your data to anybody.

Retention Periods

We hold data on Potential investors for 2 years after the last relevant contact, or until the point at which you opt out of communications. At this point you are added to a suppression list so we do not contact you again. When you become an investor then the Privacy Notice for Investors will apply.