Doxy.me Inc.
EU/UK/CH Privacy Policy — https://doxy.me/en/eu-policy/
European Union: the GDPR
United Kingdom: UK GDPR
Switzerland: Swiss Data Protection Act 2020
Effective November 17, 2023
This EU/UK/CH Privacy Policy describes Our policies and procedures for the collection, use and disclosure of Your information when You use the Doxy.me Service or visit the Website from the European Union (EU), European Economic Area (EEA), Switzerland (CH), or the United Kingdom (UK), or are a citizen of those areas. It also explains the legal basis for compliance with the applicable privacy laws, comprising the GDPR, the Swiss Data Protection Act (nFADP, the new Federal Act on Data Protection), and the UK GDPR (which applies alongside the UK Data Protection Act 2018), Your privacy rights, and how the applicable law protects You.
This EU/UK/CH Privacy Policy is supplemental to the main Privacy Policy available at https://doxy.me/en/privacy-policy/ and collectively both are referred to as the “Privacy Policy”. Capitalized terms not defined herein are in the Privacy Policy.
Simply put,
- We only collect enough information for You to use the Doxy.me Service and some of that information is deleted once the Session (an audio/video conference) concludes;
- We do not sell Your information to third parties;
- You have the right to modify and delete all information in Your account;
- The Session is not recorded or otherwise stored on Our servers;
- If You have any questions regarding the Service and how it uses Your Personal Data, You may contact Us;
- The Session does not directly collect or require any data that might be considered “sensitive” such as health information;
- Data transfers from the EU, UK, and CH to the United States (U.S.) are protected by the legal mechanisms and frameworks described below.
We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Policy. This Privacy Policy is maintained by the Doxy.me legal department.
From May 2018, the GDPR has direct effect in EU member states. After the UK left the EU, the GDPR was converted into UK law (with some amendments) under the European Union (Withdrawal) Act 2018. It is widely recognized that the UK GDPR mirrors the EU GDPR.
In September 2020, the Swiss Federal Parliament passed the nFADP that became effective September 1, 2023.
For purposes of providing the Doxy.me Services, Doxy.me is a “data processor” and the Provider is the “data controller.” For a User who only visits the Website as a Patient or guest, Doxy.me may instead be a “data controller” depending on what the User does (for example, purchasing a product or making a support inquiry).
Retention of Your Personal Data
We will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, to comply with applicable laws), resolve disputes, and enforce our legal agreements and other policies.
We will also retain Usage Data for internal analysis purposes. Usage Data are generally retained for a shorter period of time, except when these data are used to strengthen the security or improve the functionality of Our Service, or when We are legally obligated to retain them for a longer period.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in other places where data processing systems are located. This means that information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those in Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
We will take all steps reasonably necessary to ensure that Your data are treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place regarding the security and privacy of Your Personal Data.
Disclosure of Your Personal Data
Business Transactions
If We are involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data are transferred and become subject to a different privacy policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency) or subpoena.
Other legal requirements
We may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation;
- Protect and defend Our rights or property;
- Prevent or investigate possible wrongdoing in connection with the Service;
- Protect the personal safety of users of the Service or the public; or
- Protect against legal liability.
Security of Your Personal Data
Protecting Your Personal Data is important to Us, but no method of transmission over the Internet, or method of electronic storage, is 100% secure. While We strive to use commercially reasonable and standard means to protect Your Personal Data, We cannot guarantee its absolute security. As a Provider, part of protecting Your account and data is following best practices: protect Your account with a strong password and never share Your account with anyone else.
EU GDPR
This section has been prepared based on the Regulation (EU) 2016/679 otherwise known as the General Data Protection Regulation or the “GDPR”. Any capitalized terms in this GDPR section not defined elsewhere in this policy have the same meaning as defined in Article 4 of the GDPR.
Generally, these principles also apply to the Swiss and UK data protection acts.
In addition to the obligations in the Data Privacy Framework section below, doxy.me processes Personal Data as a Data Processor on behalf of the Provider, who is the Data Controller, and that processing may concern one or more Data Subjects (as these terms are defined in the GDPR).
Doxy.me’s obligations include, but are not limited to:
- Article 28, Section 1: providing sufficient guarantees to the controller that it has implemented appropriate technical and organizational measures to ensure the protection of the rights of the data subject.
- Article 28, Sections 2 and 4: notifying the controller prior to engaging another processor in relation to the Services. Doxy.me will post any additional processor’s information in this Privacy Policy. The Provider grants doxy.me a general authorization to engage an additional processor without prior consent. The Provider must object to the additional processor within sixty (60) days of when the additional processor was engaged.
- Article 28, Section 3: providing a data processing agreement to the Provider upon request.
- Article 29: only processing Personal Data on instructions from the Provider.
- Article 32, Section 1: implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect the ongoing confidentiality, integrity, availability and resilience of processing systems and services and other obligations stated in this article.
- Article 32, Section 2: using industry best methods and the measures described in Annex 3 to protect Personal Data transmitted, stored or otherwise processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
- Article 33, Section 2: notifying the Provider without undue delay and at most 72 hours after becoming aware of a Personal Data Breach.
- Articles 44, 45, and 46: to the extent any processing or sub-processing of Personal Data takes place in any country outside the EEA, ensure that the country is an Adequate Country (see below for more details).
Methods of processing
We take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of Personal Data.
Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In some cases, Personal Data may be accessible to certain types of persons in charge, involved with the operation of doxy.me (administration, sales, marketing, legal, system administration), or to external parties (such as third-party technical service providers or communications agencies) appointed, if necessary, as Data Processors by Us. The current list of these third parties is provided in the Sub-Processors section below.
Legal basis of processing
We may process Personal Data relating to You if one of the following applies:
- You have given Your consent for one or more specific purposes;
- provision of Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which We are subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Us;
- processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party.
In any case, We will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Locations
Personal Data are processed at Our operating offices, secure data centers in the United States, and in Our third-party secure data centers whose location may be found by visiting their respective websites or viewing the Sub-processor list (see below).
Depending on Your location, data transfers may involve transferring Your Personal Data to a country other than Your own.
You are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by Us to safeguard Your Personal Data.
To find out more about the place of processing of such transferred Data, please read the sections below containing details about the processing of Personal Data.
Retention time
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for. In addition, the Provider is fully in charge of the account and may delete any or all data, and the account itself, at any time. Doxy.me does not, in the normal course of operations, delete accounts or account data.
Therefore:
- Personal Data collected for purposes related to the performance of a contract between Us and You will be retained until such contract has been fully performed.
- Personal Data collected for the purposes of Our legitimate interests shall be retained as long as needed to fulfill such purposes (such as billing and contract information). You may find specific information regarding the legitimate interests pursued by Us within the relevant sections of this policy.
We may be allowed to retain Personal Data for a longer period whenever You have given consent to such processing, as long as such consent is not withdrawn. This would typically require a contractual obligation negotiated by both You and Us. Furthermore, We may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The purposes of processing
Personal Data are collected to allow Us to provide Our Services, comply with legal obligations, respond to enforcement requests, protect rights and interests (or those of our users or third parties), detect any malicious or fraudulent activity, as well as the following: Analytics, Registration and authentication, Handling payments, Hosting and backend infrastructure, Managing contacts and sending messages, Traffic optimization and distribution, User database management, Access to third-party accounts, Infrastructure monitoring, Operations, Data transfer outside the EU, Commercial affiliation, Backup saving and management, Contacting the User, Displaying content from external platforms, Tag Management, Content performance and features testing (A/B testing) and Advertising.
Data breach reporting
We will report a personal data breach according to the relevant GDPR articles without undue delay and no later than 72 hours after first being made aware. The following information, if or when available, will be provided, either in an email or posted on our Website:
- a description of the breach;
- the categories and approximate number of individuals impacted;
- the categories and approximate number of personal data records impacted;
- the name and contact details of Our data protection officer or another contact point to obtain more information;
- a description of the likely consequences of the incident; and
- a description of the measures taken or proposed to be taken, to deal with the breach as well as measures taken to mitigate any possible adverse effects.
It may not be possible to provide all of the information listed above immediately. In that case, the information may be provided in phases.
UK Data Protection Act 2018 / UK GDPR
Some of the information in this section is based on the ICO website.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before in most cases. Both decisions are expected to last until 27 June 2025. The General Data Protection Regulation has been kept in UK law as the UK GDPR.
Data protection principles
We follow the “data protection principles” to ensure Your information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant, and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information such as religion and health.
Your Rights
Under the UK GDPR, you have the right to find out what information We store about you. Your rights include the right to:
- be informed about how your data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of your data
- data portability (allowing you to get and reuse your data for different services)
- object to how your data is processed in certain circumstances
You also have rights when We use your personal data for:
- automated decision-making processes (without human involvement)
- profiling, for example to predict your behaviour or interests
Please also refer to the GDPR section above for other rights you may have.
Swiss Data Protection Act (nFADP)
The information in this section is based on the Swiss Confederation website.
The new Data Protection Act (nFADP) is Switzerland’s new law that updates the previous 1992 privacy law and aligns, in most respects, with the EU GDPR. Thus, cross border data flow between CH and EU will be maintained.
One key difference between nFADP and the GDPR is that only natural persons, not legal entities, are covered. Thus, if you are a Provider working under a legal entity, the nFADP does not apply to that legal entity.
If you are a natural person in Switzerland, please see the EU GDPR section above, as Your rights and Our obligations under the nFADP are similar.
Per the nFADP, We have created a data protection impact assessment (also known as a privacy impact assessment) for internal use, which also meets the obligations defined in Article 10, paragraph 3 relating to the duties of a data protection officer.
In the event of a data security breach involving the data of Swiss natural persons, We will contact the Federal Data Protection and Information Commissioner (FDPIC) and comply with any instructions.
Data Privacy Framework (DPF)
On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF) entered into force. The EU-U.S. DPF Principles were effective as of the same date.
Doxy.me has applied to be self-certified and compliant with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
If approved, there will be a separate policy specifically related to the framework.
The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) provide important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
- All Member States of the European Union will be bound by the European Commission’s adequacy decision for the EU-U.S. DPF, the United Kingdom and Gibraltar will be bound by the UK Government’s data bridge for the UK Extension to the EU-U.S. DPF, and Switzerland will be bound by the Swiss Federal Administration's recognition of adequacy for the Swiss-U.S. DPF once those government actions enter into force;
- Participating organizations are deemed to provide “adequate” data protection (i.e., privacy protection), a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP); and
- Because adequate protection is provided by participating organizations, contracts with such organizations for mere processing do not require prior authorization.
Independent Recourse Mechanism (IRM)
The EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF require participating organizations to provide, at no cost to the individual, an Independent Recourse Mechanism (IRM) by which each individual’s complaints and disputes can be investigated and expeditiously resolved. Doxy.me has chosen the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA) as Our IRM.
Personal Data transfer outside the EU, UK, and Switzerland
We are allowed to transfer Personal Data collected within the EU to third countries (i.e. any country not part of the EU) only pursuant to a specific legal basis. Any such Data transfer is based on one of the legal bases described below.
As of this Privacy Policy date, We do not transfer data to third countries. However, if that changes, the information below would apply.
Other legal bases for Data transfers abroad
If no other legal basis applies, Personal Data may be transferred from the EU to third countries only if at least one of the following conditions is met:
- the transfer is necessary for the performance of a contract between You and Us or of pre-contractual measures taken at Your request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of You and Us and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. In such cases, We will inform You about the legal bases the transfer is based upon.
Personal Data transfers abroad based on consent
If this is the legal basis, Personal Data of Users shall be transferred from the EU to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards. In such cases, the Provider shall inform its Users appropriately and collect their explicit consent.
Sub-Processors
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party's site. We strongly advise You to review the terms of service and privacy policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services not directly related to providing the Doxy.me Services.
However, We do assume responsibility for sub-processors that are required to provide the Doxy.me Services. By using the Services, You agree to the use of these sub-processors, including any future changes (additions, deletions) to that list, provided that each sub-processor is fully vetted as required by applicable privacy law(s).
For a list of sub-processors, please visit https://doxy.me/en/sub-processor-list/
Changes to this Privacy Policy
We may update this policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page. Such changes are effective when they are posted on Our Website.
We will let You know via email and/or a prominent notice on Our Service prior to the change becoming effective and update the "Last updated" date at the top of this policy.
You are advised to review this policy periodically for any changes.
Contact Us
If You have any questions about this policy, You may contact us at this link: https://doxy.me/en/about/contact/