Privacy and Data Protection Policy
In this document the terms ‘the Company’, ‘Us’ ‘Our’ and ‘We’ refer to Cambridge Medical Innovation Ltd., its employees and agents.
It is important for both us and you, as well as a legal requirement, that you know what data we collect from you through this web site and what we do with it. This privacy notice explains how we collect, use, communicate, disclose and otherwise make use of personal information in the course of providing our Services, which include but are not limited to, the vision and hearing tests (the Tests) on the web site.
This notice, which is required by law, explains the steps the Company has taken through its Data Protection Policy to ensure that our activities comply with the European General Data Protection Regulation [Regulation (EU) 2016/679] (GDPR) as applied by the Data Protection Act 2018 (DPA 2018).
Cambridge Medical Innovation Ltd is registered with the Information Commissioner’s Office.
This is a summary of the provisions of our Data Protection Policy in relation to personal information:
- Any personal information collected will be done by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
- Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
- We will collect and use personal information solely for fulfilling those purposes specified by us and for other ancillary purposes, unless we obtain the consent of the individual concerned or as required by law.
- Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
- We will protect personal information by using reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
- We will make information about our policies and practices relating to the management of personal information readily available to customers.
- We will only retain personal information for as long as necessary for the fulfilment of the purposes.
- Personal data collected within this app may be used for digital analytics.
Section 1: Our responsibilities
Cambridge Medical Innovation Ltd. has several legal responsibilities to you in regard to the collection and processing of your personal data:
Cambridge Medical Innovation Ltd. has a responsibility to be accountable and transparent in how and why we collect, store and process your data, which we do by means of this Privacy Notice and our Data Protection Policy. Company staff and contractors with access to your data are bound by this policy.
Cambridge Medical Innovation Ltd. has a responsibility to only collect, store, and process your data on a lawful basis. The Company asserts that it has a legitimate interest to do so in order to ensure that our services work as intended and that this interest constitutes a lawful basis for data collection, storage, and processing.
Cambridge Medical Innovation Ltd. has a responsibility to ensure that data is managed in accordance with this policy.
Cambridge Medical Innovation Ltd. has a responsibility to report any data breaches to the appropriate authorities and will do so without prejudice, undue delay or hesitation.
Section 2: Collected Data
2.1 Why we collect data
The data we collect allows us to personalise your experience, improve our website and assist you with any issues using our services.
2.2 Hearing Test Data
Cambridge Medical Innovation Ltd. does not currently store nor collect Personal Identifiable Data (PID) or any Medical Data as part of the DigiBel testing service. If and when this situation changes, this policy will be updated.
Test information, such as test codes and timestamps for certain actions (such as test start and completion times) may be collected and stored to help us improve our services, compile anonymized aggregate data, and to allow us to track service usage.
If another organisation or business is sponsoring your test, they may request that the data generated by the test (the test results), are sent directly to them. In this case, you will be advised of this before commencing the test, and your positive consent will be required to continue.
Any such data will be appropriately and securely transmitted in line with our Data Handling and Protection policies (see below).
2.3 Non-personal statistical information (analytics)
In the normal course of connecting to our services, certain non-personal statistical information will be collected. Some of our Services use a third party service, Google Analytics; you can access their policies here.
Analytics allows us to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only collected and processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Cookies are small files that a web site or its service provider transfers to your computer’s hard drive through your web browser. If you agree to receive these files, they enable the site or service provider’s systems to recognize your browser and capture and remember certain information.
- Understand and save your preferences for future visits. These include your language preferences, sign-in details or locale. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services.
- Compile aggregate, non-personal data about site traffic and site interactions in order to offer better site experiences and tools in the future. We also use trusted third-party services (such as Google Analytics) to track this information on our behalf.
- Retain your test connection details in case you disconnect in the course of a test.
2.5 Log Files
Cambridge Medical Innovation Ltd. may use visitor’s IP (internet) addresses to analyse trends, administer its website, track user's movements, and gather broad demographic information for aggregated use. IP addresses are associated with individual users to enhance security by allowing authorised persons to inspect audit logs in the event of any security breach.
2.6 Transfer to third parties
Your personal data held by the Cambridge Medical Innovation Ltd. is not permitted to be sold or rented in any form without your permission.
However, in order to provide you with these services, some data may be held by third parties, which is outwith the Cambridge Medical Innovation Ltd.’s control. This may be is required, for example when a company or business is sponsoring your test, as described in Section 2.2 and will require your consent. Data provided to third parties will be transmitted in accordance with our data handling and protection policies.
2.7 Links to Outside Websites
This site may contain links to other websites. Please be aware that Cambridge Medical Innovation Ltd. is not responsible for the privacy practices or policies of such sites. Cambridge Medical Innovation Ltd. encourages its visitors to be aware when they leave its website and to read the privacy statements of each website that collects personally identifiable information. This privacy statement applies solely to information collected by Cambridge Medical Innovation Ltd. and its services.
Section 3: Data Handling and Protection
3.1 Data Security
Cambridge Medical Innovation Ltd. employs standard methods of encryption to safeguard data, such as TLS encryption for accessing data via a web browser. Cambridge Medical Innovation Ltd. also implements additional change-audit scripts and monitors to provide visibility into server activity.
IP Address and asymmetric based security settings are used to only allow server access to authorised users or servers.
All data generated throughout the Tests remains on the devices used to access the website, and is stored in memory only, such that it is deleted when you navigate away from the page. Communications between your desktop and mobile device are achieved using an end-to-end encrypted network, and no PID or test-generated PID is transmitted using this method.
3.2 Data Risks
The main specific risks to the security of data are:
- Phishing attacks to gain server level access,
- Access by means of trojan or keylogging programs on users' systems, and
- Access by unauthorised staff members who have been granted access
Mitigation of the first two risks is firstly by screening all individuals before granting access and secondary, encouraging staff who have a higher level of access to ensure they adhere to good security practices on their personal systems. The last risk is mitigated by access logging and reverting changes made by those who misuse access.
3.3 Data Recording and Storage
Data is held on servers located in the European Economic Area (EEA). However, any data which is transferred to the USA will be protected in accordance with the EU-U.S. Privacy Shield Framework
Data is stored in standard file systems and databases. Access to these systems is controlled by secure direct access to the controlling machine or application, or via a secure web interface. Access is further controlled and protected against unauthorized access using standard measures, such as role-based access control.
3.4 Data retention
Cambridge Medical Innovation Ltd. will not keep your personal data for any longer than is necessary to provide you with the Services. Other data will be retained for as long as the Company deems it commercially necessary.
Section 4: Your rights
You have the right to be informed why we collect your data and this policy explains these reasons to you. However, you have the right to object to our legitimate interests. While your objection is being considered, processing of your data may be suspended, and this may restrict your ability to connect to our services.
You have the right to view the data collected about you. A copy of this data will be released to you on written request to Cambridge Medical Innovation Ltd., providing there is no legal basis to refuse such a request. To protect the privacy of other individuals, certain information may be redacted, so long as this does not censor your personal data.
You have the right to ask us to rectify data you believe to be inaccurate. If you believe other data held about you is incorrect, you may contact Cambridge Medical Innovation Ltd. to have it corrected.
You have the right to withdraw or restrict your consent for Cambridge Medical Innovation Ltd. to collect and / or process your personal data at any time. If this affects Cambridge Medical Innovation Ltd.’s ability to provide you with the Services, we may restrict your ability to use our Services.
You also have the right to request erasure of your personal data.
How to make a request in accordance with your rights
To make a request in accordance with your data access or any other right, please use the contact form on this web site, or write to us at the address below.
Cambridge Medical Innovation Ltd. will make all reasonable efforts to comply within one month of the request being received unless circumstances make this impossible, in which case an extension of up to two further months will apply.
Cambridge Medical Innovation Ltd. will verify the identity of anyone making a request under this section before handing over any information or making changes to the data.
For any queries relating to these policies, please contact Cambridge Medical Innovation Ltd. using the contact form, or write to:
PO Box 1220, Duxford
Cambridge CB22 4ZJ
This policy was last updated on 1st July 2020.