On The Mend undertakes a wide range of business activities within its target sector and is constantly developing new services to bring to market. These services include supplying digital support tools to healthcare payer and provider organisations via a mobile application for patients and through a web portal for healthcare professionals. Our goal is to build the first digital platform to improve the experience and outcomes for everyone involved with physical rehabilitation.
Below is some quick guidance on terminology to help you clearly understand this Policy:
Anonymous Data means Personal Data that has been amended to the extent that it no longer contains any identifying information and thus, no longer constitutes Personal Data;
Children means any person under the age of 16;
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed as outlined in the Data Protection Legislation.
Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
Personal Information has the meaning given to it in the Data Protection Legislation and is any information relating to an identified or identifiable living person.
Processor means any natural or legal person who processes the data on behalf of the Controller.
On The Mend is committed to protecting your Personal Data and privacy. We are certified to an internationally recognised security standard (ISO/IEC 27001), with a UKAS accredited body.
We have security measures in place designed to prevent the loss of data, preserve data integrity, and control access to the data. We know that ensuring the accuracy and security of your Personal Data is essential to retaining your confidence and trust.
On The Mend's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
When collecting and using Personal Data, our policy is to be fair, lawful and transparent about why and how we process Personal Data.
4. How do we treat Personal Data in respect of Children?
The App is not targeted at Children. We do not knowingly collect data relating to Children under the age of 13. We are particularly concerned to ensure that Children are able to exercise their rights (set out in Section 16 below) and encourage any Child with any questions about how their Personal Data is processed to contact us.
5. Important information and who we are
For the purposes of the Data Protection Legislation, when you access our Services we are acting as the data controller (this is a legal term that describes a person or entity that controls the way your data is used and processed). We are registered under the Data Protection Act 2018 with the Information Commissioner’s Office (the UK data protection regulator). Our registration number is ZA790023 and our registration details can be viewed online at www.ico.org.uk. You can also access useful guidance and information about your rights in relation to your Personal Data on that website.
as a Patient User, who has been invited by your healthcare professional to download and use the App as part of your care and recovery process pre- or post- treatment, or invited to use the App as part of your involvement in a pilot study;
as a Healthcare Professional (HCP) User, being an individual who accesses the Web Portal in your capacity as a person responsible for the medical care and treatment of Patients, and with permission from those Patients to monitor such activity and other data as they may submit to the App in order to inform their care pre- and post- treatment, or as a person administering a study or providing support services;
as a Healthcare Administrator, being an individual or entity responsible for the management and oversight of a healthcare institution and its HCPs, or an employee of a healthcare organisation, and who is a registered user of the Web Portal for the purposes of managing and/or supporting HCPs engaged in medical care and treatment, as well as viewing practice summaries and statistics for your clinical practice, or being an administrator involved in a pilot study or research project; or
as a Partner, being an entity (or individual acting on behalf of an entity) involved in research and development relating to services provided by On The Mend and the treatment and care of patients and support patient safety, and who is a registered user of the Web Portal in order to access information relating to Patients pre- and post- treatment of health conditions and diseases and the use and effectiveness of digital health support tools.
6. Personal Data we may collect from you
We collect Personal Data about you if you:
download and use our App; or
access our Web Portal.
We may collect, use, store and process the following different kinds of Personal Data about you that you submit through your use of the Services:
Identity information including your first and last names, date of birth and gender that you provide by completing forms on the Site, the App or the Web Portal, including if you register as a user of the Services, upload or submit any material via the Services, or when you request any information;
Contact information including your email address and telephone number;
Login information including information in connection with an account sign-in facility, such as your login and password details.
7. What we do with your Personal Data
7.1. If you are a Patient User
7.1.1. Why we use your Personal Data
We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your Personal Data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data, where more than one ground has been set out in the table below.
For the avoidance of doubt, this table is not exhaustive of the ways in which On The Mend may use your Personal Data and there may be occasions where we require additional information.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, or request your consent.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7.1.2. Our legal basis for using your Personal Data
The processing of your Personal Data is based upon the lawful basis of consent in respect of Health Data only where we have sought your explicit, freely given, positive affirmation of consent to us processing your Health Data.
8. Information sharing
8.1. If you are a Patient User
8.1.1. Who we may share your Personal Data with
We may share your Personal Data, including information that you submit to the App, with the following:
the healthcare professional responsible for your care and other non-clinical healthcare personnel involved in the administration of your care, for the purposes explained above so they can understand and evaluate your condition and recovery progress;
On The Mend’s technology providers who we engage to support our operations and/or host our data;
if required or authorised by law or a legal process, such as to law enforcement bodies to assist in their functions and courts of law; and
third-parties in connection with negotiations prior to any merger, sale of our assets, financing or acquisition of part or all of our business to another company (at this stage, we would only share Anonymous Data and not your Personal Data).
carefully selected partners who we work with who may use pseudonymised data to support the development of more effective and safer care for patients like you.
We may share aggregated or anonymised data with third-parties, who use this data to improve products and services for more effective and safer care.
In the event that we undergo re-organisation or are sold to a third-party, you agree that any Personal Data we hold about you may be transferred to that re-organised entity or third-party.
We may disclose your Personal Data if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Services or the rights, property or personal safety of any person.
We may disclose aggregate statistics about visitors to the Site and users of the App and Web Portal in order to describe our services to prospective partners, sponsors and other reputable third-parties and for other lawful purposes, but these statistics will include no personally identifiable information.
9. Information collection
9.1. If you are a Patient User
9.1.1. What Personal Data we may collect
By providing us with additional information about you and your recovery, we are able to provide better and more personalised services and information to you and the healthcare professionals responsible for your treatment, and as a result your healthcare professional will be able to better tailor the care to your individual needs. We may collect the following additional Personal Data (including health data):
Treatment-specific health information including information about your surgery or treatment, including pre- and post- treatment care information, such as the dates and details of your treatment and the details of your healthcare team;
Other health information including data relating to you, your treatment, and how your recovery is progressing, including pain scores, exercise compliance data, and responses to surveys and questionnaires, as well as any other content that you choose to create and post or upload to the App (including, but not limited to, exercise videos);
Third-party health app data including data collected where, if you install the App on to an Android or Apple device, we will request access to third-party health app data such as your exercise and fitness level through your device. You will be prompted by your device to allow access the first time this content is requested by us and, even if you grant us access, you can stop this access at any later point by changing the settings on your device. You are under no obligation to provide this information. However, if you should choose to withhold requested information, this may reduce our ability to provide you and your healthcare team with information on your recovery from treatment;
Communication and App usage information including details of any communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Services or content made available through the Services; information from videos you have watched or surveys that we may, from time to time, run on the Services for research purposes, if you choose to respond to, or participate in, them; and
Location information including information provided by your device to enable us to authenticate the use of the Services. We may approximate your location from your device using the GPS connection information used by your device to help your healthcare team understand your recovery from treatment, for example to understand your activity levels. You can disable location sharing at any time through the settings of your device.
9.2. If you are a HCP User or Healthcare Administrator
9.2.1. What information we may collect
The only information we collect about you is the identity information of the HCP users of the service.
9.3. How your Personal Data is collected
We use different methods to collect Personal Data from and about you, including through:
Direct interactions: you may provide us with your identity and contact details when you register to use our Services. You may provide further Personal Data by submitting information to the App or Web Portal, responding to surveys or providing feedback.
Automated technologies or interactions: when you interact with our Services, we will automatically collect technical data about the device you are using, your browsing actions and patterns and (if you enable location sharing) your location and activity data.
10. How we use your Personal Data and purposes for processing your Personal Data
We take the protection of your Personal Data very seriously and will only ever use your Personal Data lawfully and in accordance with the requirements of Data Protection Legislation.
11. Common legal grounds for processing your data:
The legal grounds of processing your Personal Data are (i) performance of contract with you, (ii) necessary for our legitimate interests and (where we have secured explicit, freely given, positive affirmation of consent) consent, and we may need to comply with a legal or regulatory obligation.
Due to the nature of our Services, if you are a Patient User accessing the App we will collect and process certain types of data about you which are classified by law as being Special Category Data. This includes information about your health and other medical data, which we collect in order to effectively provide our Services to you. In order to lawfully process such data, we will only do so where you have given your explicit consent to such processing of your personal data.
12. How long we keep hold of your data
For the purposes of improving care delivered to you and others with similar conditions, we may retain your Personal Data for as long as it is clinically relevant. In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for your Personal Data and other documents created is 50 years.
Aggregate or anonymised data will be kept indefinitely for the purpose of improving healthcare delivery and research. You cannot be identified from aggregate information retained or used for these purposes. You can contact us at any time if you would like to have your personal data redacted. Please contact [email protected].
13. Statutory or Contractual Requirement
The provision of your Personal Data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract, nor are you obliged to provide the Personal Data. However, without data in relation to your health condition it will not be possible to benefit from the On The Mend application.
14. Automated Decision Making & Profiling
We do not make any decisions in relation to your Personal Data solely by automated means without any human involvement (i.e. we do not conduct automated decision making).
15. Limited Use Disclosure
The use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements.
16. On The Mend’s contact details
The Data Controller is On The Mend (registered in England under Reg No: 10758082 and with its registration address at 1-3 Worship Street, 2nd Floor C/O Buckworths, London, England, EC2A).
Post: Data Protection Officer, 1-3 Worship Street, 2nd Floor C/O Buckworths, London, England, EC2A.
Email: [email protected].
17. Your rights
Under certain circumstances, you have rights under data protection laws in relation to your Personal Data. These rights are summarised below but if you would like more information on these rights, please go to the ICO’s website. Additionally, if you wish to exercise any of the rights listed below, please contact us using any of the contact details provided above.
17.1. Access to your Personal Data
You have a right of access to Personal Data held by us as a Data Controller (commonly known as a Data Subject Access Request or DSAR). We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (1 month under GDPR).
17.2. Correcting your Personal Data
You have a right to request amendment(s) to your Personal Data. Wherever practically possible, once we are informed that any Personal Data processed by us is no longer accurate, we will make the necessary amendments based on the updated information.
17.3. Restriction of Processing of your Personal Data
In certain circumstances, you have the right to request the restriction or suppression of your Personal Data. This effectively allows you to limit the way that we use your personal data.
17.4. Object to Processing
In certain circumstances, you have the right to object to the processing of your Personal Data. This effectively allows you to ask us to stop processing your Personal Data.
Where we have told you that any use of information is based on ‘legitimate interest’, you can raise an objection to that use. When you make an objection, we’ll have up to one month to respond to you. We will stop using the information in this way unless we disagree that we should because of a compelling legal justification for continuing to use it. We’ll always tell you what the justification is.
You have a right at any time to stop us from contacting you for marketing purposes or giving your information to other agencies. If you no longer wish to be contacted for marketing purposes, please contact us at the above email or address.
17.5. Erasure (also known as “the right to be forgotten”)
In certain circumstances, you have the right to request the erasure of your Personal Data.
In certain circumstances, you may have the right to obtain and reuse your own Personal Data, that you provided to us, for your own purposes across different services. This data will be provided in a structured, commonly used and machine-readable format and we can transmit this data directly to other parties at your request.
17.7. Withdrawal of consent
Where we process your Personal Data based on consent, you have a right to withdraw consent at any time.
If you would like to request to withdraw your consent, please contact us using the contact details provided here. Alternatively, to stop receiving our Marketing emails, please click on the unsubscribe link in any of the emails we have sent to you.
18. How to complain
In the event you wish to complain about our use of your Personal Data, please send an email with the details of your complaint to [email protected]. We will look into and respond to any complaints we receive as soon as reasonably practicable.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK’s data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website: www.ico.org.uk.
If we believe that the changes are material, we’ll let you know by posting the changes on this website and sending you a communication about the changes.