Latest version: 31 May 2019
Last updated: 23 January 2019
Virti serves a number of users in different ways. References to products in this statement include Virti’s services, which are offered through our websites and our apps.
Please read product-specific details in this privacy statement for additional information.
This policy applies to any users of the services of Virti or its affiliates anywhere in the world, and to anyone else who contacts Virti or otherwise submits information to Virti, unless noted below.
In this policy, "we", "us" or "Virti" means VirtiHealth Limited t/a Virti, with its registered office address at Front Suite, First Floor, 131 High Street, Teddington, TW11 8HH. We are registered with the ICO as a data controller under registration number ZA601432.
Full details are set out in the relevant sections of this policy. In brief:
| Type of Data | Purpose/Activity | Legal Basis for Processing |
|---|---|---|
| App and service engagement data, cookies, IP address, third-party aggregate data | Analysing the use of, and improving, our platform, apps and services, diagnosing and resolving product issues (including those identified by users and communicated through customer support), and security monitoring. Decisions on product development and evaluations of product performance are based on aggregated (non-personal) data.<br>To ensure your experience with our products is seamless, we continuously re-examine and iteratively optimise user journeys on our platform. | Our legitimate interests |
| Correspondence and contact details | To communicate with you. If you have indicated your interest in our business, products or services (or have an account with us) then we may also process correspondence data to provide you with occasional news about our services and marketing communications (although you will be free to unsubscribe at any time). | Our legitimate interests, namely properly administering our business and communications, developing our relationships with interested parties and addressing user concerns and queries.<br>Where correspondence relates to marketing, our legitimate interests in developing our business.<br>Where correspondence relates to registered use of our Site, or to any contract or potential contract with you, then our legal basis may be for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you. |
| Account registration data, app and service engagement data | Operating our site, platform, apps and services, providing them, ensuring their security, verifying logins, and communicating with you. We may use your data to validate your status as a clinical professional before providing you with access to certain products which are intended only for professional use.<br>To provide you with notifications. We are motivated to provide products which offer outstanding resources for medical professions, including verified surgical content and resources tailored to a user’s specific role, stage of training, location and medical specialty. To enhance your enjoyment and productivity on our platform, we identify and recommend the most relevant content through personalised notifications, based on your profile and recent activities.<br>We infer your location from your device IP address in order to geo restrict certain content on our platform. | Performance of a contract with you (i.e. delivering our services to you).<br>Our legitimate interests, namely properly administering our business, services and communications. |
| Contact details (registered users) | Direct communications<br>Communications sent by Virti come in the form of emails to the email address you provided during the registration process and through notifications delivered to your device. Virti may send you communications relating to new and existing product and content releases and updates. We send such communications so that you are aware of changes we are making to the content or features of our products, or new releases, which could affect the usefulness of our core services to you. We may also ask you to complete product surveys from time to time, although you have the option to unsubscribe.<br>Third party communications<br>We will ask you during registration whether you want to receive third party communications such as promotional material related to furthering your training outside of our platform. You, of course, have the right to opt out of such email communication at any time by using the unsubscribe link, found at the bottom of every email, or by updating your account setting in the app. Virti will not send you communications unrelated to its core services, unless you specifically tell us you are interested in receiving them. | Performance of a contract with you (when providing you with service-related communications).<br>Our legitimate interests in developing our business and our relationships with our commercial partners (when providing you with promotional or third party communications). |
| Videos | Developing and testing machine learning techniques, generating data which provides insights enabling us to build features of, and improve, our products and services. | Our legitimate interests, namely the development and improvement of our products and services. |
| Commercial information | Administering our commercial relationship with those with whom we do business. | Performance of a contract with you.<br>Our legitimate interests, namely properly administering our business and communications, and developing commercial relationships. |
| Any personal data | For the purposes of legal compliance (e.g. maintaining tax records) | Compliance with our legal obligations (Art 6.1(c) GDPR) |
| | For the purposes of bringing and defending legal claims | Our legitimate interests, namely being able to conduct and defend legal claims to preserve our rights and those of others. |
| | Record-keeping and hosting, back-up and restoration of our systems | Our legitimate interests, namely ensuring the resilience of our IT systems and the integrity and recoverability of our data. |
Your privacy is important to us. This privacy statement explains what personal data VirtiHealth LTD ("Virti", "we", "us", "our") collects from you, through our products and how we use that data.
Virti serves a number of groups of users in different ways. References to products in this statement include Virti services, which are offered through our websites and app.
Please read product-specific details in this privacy statement, which provide additional information about some Virti products.
This policy applies to any users of the services of Virti or its affiliates anywhere in the world, and to anyone else who contacts Virti or otherwise submits information to Virti, unless noted below.
1. Data Protection Principles
We are committed to complying with data protection law and principles, which means that your data will be:
Processed lawfully, fairly and in a transparent way;
Collected for specific, explicit and legitimate purposes stated in this policy and not used in any way that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary for those purposes;
Accurate and, where necessary, kept up to date;
Kept for no longer than is necessary for those purposes; and
2. Collection of Personal Information
Virti acts as the data controller for the information you provide or that is collected by Virti or its affiliates. Virti collects data to operate effectively as a business and to provide you, the user, with tailored services and products. You have choices about the data we collect. When you are asked to provide personal data, you may decline. But if you choose not to provide data that is necessary in order for us to provide services to you, you may not be able to use that product. We provide further information, below, on the types of personal data we obtain and how we use them, throughout your use of our service and products.
Data provided during account registration
At the registration process on the Virti platform, you are asked to provide the following information:
Your first and last name
Your email address
Your medical speciality
Your profile password
This basic information is necessary to complete your user registration and for you to use our app and services (for more information on what we use your data for, see section 3). If you decline to provide this information during the registration process, you will not be able to create an account on the app and use our services. We do not store additional personal information captured during the onboarding processes of legacy products; for example, past versions of the app collected additional information that we no longer collect.
Virti reserves the right to confirm the accuracy of registration data for medical verification purposes using external third-party sources, including publicly available sources such as open government databases or other data in the public domain. To optionally complete your Virti profile, we also ask you to provide your registered hospital.
We do not specifically ask for location data, but we do infer your location based on your IP address during registration and for opt-ins. In addition to IP address, our platform automatically collects data about your device, including the model, platform, locale code and UUID (universally unique identifier).
If you are a surgeon or organisation contributing content through one of our platforms, you will be asked for your email address, which we will store, along with your questionnaire responses, in accordance with this policy.
App and service engagement data
When you begin to use our app or services, we monitor engagement and feature usage on our platform by recording every interaction you have with products you are registered on. This includes, but is not limited to, page visits, surgical content viewed and assessments taken on our platform (including performance metrics associated with assessments such as score and duration).
Cookies and other data collection technologies
Third party aggregate data
Our third parties, including Firebase-Fabric, Braze, AppSee and Google Analytics, may gather non-personal digital properties to enrich aggregate analytics.
3. How Virti uses Personal Information
Virti uses your personal information for the following reasons:
To operate effectively as a business and to perform essential business operations, including developing and providing products optimised for medical professionals.
We are motivated to provide products which offer outstanding resources for medical professions, including verified surgical content and resources tailored to a user's specific role, stage of training, location and medical specialty. To enhance your enjoyment and productivity on our platform, we endeavour to identify and recommend the most relevant content through personalised notifications, based on your profile and recent activities. To ensure your experience with our products is seamless, we continuously re-examine and iteratively optimise user journeys on our platform. We infer your location from your device IP address in order to geo restrict certain content on our platform.
Product issues, identified by users and communicated through customer support, are effectively diagnosed and resolved using data collected from interactions on the platform. Decisions on product development and evaluations of product performance are based on aggregate analysis and business intelligence based on non-personal data.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We only allow them to process your personal data for specified purposes and in accordance with our instructions.
In addition to the specific disclosures of personal data set out in this section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
To deliver communications of personal interest including product and content releases, motivational training prompts and in response to product queries or support requests.
Direct communications
Communications sent by Virti come in the form of emails to the email address provided by you during the registration process and through notifications delivered to your device. Virti may send you communications relating to new and existing product and content releases and updates. We send such communications so that you are aware of changes we are making to the content or features of our products, or new releases, which could affect the usefulness of our core services to you.
Third party communications
We will ask you during registration whether you want to receive third party communications such as promotional material related to furthering your training outside of our platform. You, of course, have the right to opt out of such email communication at any time by using the unsubscribe link, found at the bottom of every email, or by updating your account setting in the app. Virti will not send you communications unrelated to its core services, unless you specifically tell us you are interested in receiving them.
To inform commercial partners of aggregate engagement and interactions on branded content hosted on our platform.
Some surgical content on our platform may be created in partnership with a medical device or pharmaceutical partner, incorporating a branded device. We share aggregate (non-personal) engagement metrics with our partners to allow them to track the quantity of users viewing and interacting with their content. Metrics can be aggregated by profession, medical specialty, location and hospital affiliation. Additionally, we share aggregate (non-personal) performance metrics of assessments related to their content. Commercial partners use shared metrics only for the purposes of product development and improving delivery of content and training to medical professionals. We will never share your personal information with commercial partners without your explicit consent, which we would obtain separately. You will be informed clearly and in a transparent manner, what type of personal data will be shared. Circumstances where we share your personal information include, but are not limited to, registering your interest for targeted campaigns placed in our products on behalf of our commercial partners. Examples of campaigns include registering for conferences and training events, connecting with a medical device specialist and for marketing research purposes. In order for the commercial partner to verify you as a medical professional and contact you, we will share your name and email address, but only with your explicit permission. Please note that Virti adheres to the NAI, a set of self-regulating principles that require companies to provide notice and choice with respect to Interest-Based Advertising and Ad Delivery and Reporting activities. Moreover, we adhere to the Digital Advertising Alliance (DAA) and European Interactive Digital Advertising Alliance (EDAA) and the Digital Advertising Alliance of Canada (DAAC).
To track and report your performance on relevant Virti training tools to a curriculum/teacher/tutor/program director, with your prior knowledge and consent.
If you accept an electronic invitation to a part of an organisation (or training body), you grant Virti permission to share your Virti profile and relevant activity metrics on the Virti platform with the owner(s) of the organisation. Owners of organisations include, but are not limited to, academic institutions, medical device companies and pharmaceutical companies. Activity metrics are limited to content on the platform that belongs to the curriculum. You have the right at any time to opt out of a curriculum by giving written request to email@example.com.
4. Choices and Transparency
In this section, we have summarized the rights that you have under data protection law. The information we provide in this section is a brief summary of your rights under data protection law and you should still read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. Your principal rights under data protection law are:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
rights in relation to automated decision making and profiling.
You have the right to confirmation as to whether or not we hold or process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data, or do one of the following:
We may ask you to verify your identity, or ask for more information about your request; or
Where we are legally permitted to do so, we may decline your request, but we will explain why if we do so.
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary, for example: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
You have the right to request that your personal data is no longer processed, for example due to the inaccuracy of the data or the reason for the data being processed. If you have given additional consent for your data to be shared with a third party, including academic institutions, medical device companies and pharmaceutical companies, you have the right to withdraw this consent at any time.
You have the right to request that your personal data be transferred to another party.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. If you opted in to third party marketing communications when you registered, you may opt out at any time within the app, or by emailing firstname.lastname@example.org.
Lastly, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
You may exercise any of your rights in relation to your personal data by written notice to us or by any of the methods specified in section. To contact us in relation to any of these requests, please use the email address email@example.com.
5. Duration of Data Retention
Virti retains personal data for as long as necessary to provide our products and fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly. The general rule that establishes a baseline for data retention is the length of time required to store and analyse the data for the purpose it was collected (as described in section 3). Moreover, we are required to maintain appropriate business records, including records of surgeon assessments used for compliance.
6. Information Security and International Transfers
Virti is committed to protecting the security of your data by endeavouring to ensure appropriate technologies and processes are maintained to avoid unauthorised access or disclosure. We utilise Amazon Web Services ("AWS") for all data storage and processing purposes, and Google’s G Suite and Braze for processing purposes. Specifically, all our AWS storage containers and databases are located in Ireland (EU) (with possible transit through US storage containers). We have offices in the United States of America, Canada and New Zealand; therefore we may have to transfer your data out of the EEA. The European Commission has made an "adequacy decision" with respect to the data protection laws of each of these countries. Transfers to each of these countries will be protected by appropriate safeguards.