Viz.ai GDPR and DPA 2018 Privacy Notice for Viz.ai Customers Using the Viz.ai Application and Cloud Services in the UK, EU, Israel and South Africa

This Privacy Notice applies to the processing of Personal Data by Viz.ai Netherlands BV of

• Customers of Viz.ai Netherlands BV and their employees, contractors or agents based in the UK, EU, Israel or South Africa
• The organisation (your employer, or another entity or person) that has entered into a Customer Agreement for the provision of mobile application and cloud-based services by Viz.ai Netherlands BV.

Viz.ai Netherlands and its associated business entities within the Viz.ai Group, acting as Data Processors are responsible for processing your Personal Data as described in this Privacy Notice. Viz.ai Netherlands BV and Viz.ai Group business entities and their contact details are listed here.

Viz.ai Netherlands uses several suppliers outside of the Viz.ai Group to process Personal Data as a part of its business activities. A list of these suppliers can be found here.

Viz.ai Netherlands BV processes Personal Data collected both online via its website and offline when the Viz.ai mobile application and cloud-based services are used. 

• Offline Personal Data is collected when your employer or organisation signs a contract for the use of the Viz.ai mobile application and cloud-based services. Offline data is also collected for sales and marketing purposes to develop, establish or maintain a business relationship with you.
• Online Personal Data is collected when you use the Viz.ai mobile application and cloud-based services and the Viz.ai website.

Examples of specific information Viz.ai Netherlands BV collects includes:

• Names, address, email address and telephone number
• Company data such as the name of the company you work for and your role in the organisation
• Cookie information when you use the Viz.ai website and you consent for data to be collected
• Information relating to contract or pre contract activities that may involve you.
• Services metadata such as the time you logged into our service and what you accessed
• Location and device information from your mobile device
• Conversation data held securely within the Viz.ai mobile application when you use the application to communicate with your colleagues as subscribers to the Viz.ai cloud based service.

Viz.ai may use your Personal Data for the following business purposes

• To fulfil obligations with your employer or organisation.
• To make available a platform to provide you with information about a patient of your employer or organisation where the Viz.ai application is used as an aid in diagnosing or communicating an illness such as a stroke.
• To provide a platform to allow you and team members to communicate and to respond to information or requests about patients.
• To deliver technical functionality to our mobile application and cloud-based services.
• To manage the security of our mobile application, networks, systems, and cloud-based services.
• To provide support services to you, your employer or organisation.
• To comply with legal obligations, applicable laws, regulations and to operate our business.
• To sell our services or to maintain a contract with you or your employer or organisation.
• To update you with the latest information about our products or services.

To fulfil Viz.ai Netherlands BV contractual obligations with your employer or organisation

When your employer or organisation orders products or services from Viz.ai Netherlands BV we will process Personal Data about you as an employee of our customer and as a user of our products and services on behalf of your employer or organisation. We do this to administer and engage in relevant transactions directly related to the fulfilment of the contract. These include the creation of an account, recording the products and services ordered by your employee or organisation and your relationship to them, our administration of contracts, support and use of our products and any requests you may make around them.

To provide a platform to provide you with information about a patient of your employer or organisation where the Viz.ai application is used as an aid in diagnosing or communicating an illness such as a stroke.

When you, your employer or organisation use our mobile application or cloud-based services we use our technologies to detect suspected conditions in your employer or organisations patients. We provide information about their suspected condition and communicate this back to the users of the mobile application and cloud-based services. When doing so, we facilitate communications within the mobile application so medical teams can exchange information, messages, and view patient images that aid in patient condition diagnosis.

To deliver technical functionality to our mobile application and cloud-based services

We may process your Personal Data to analyse, improve, develop, and optimise the Viz.ai mobile application and cloud-based services. This processing may be based upon your interaction within the Viz.ai application or via direct feedback from you or you employer.

To manage the security of our mobile application, networks, systems, and cloud-based services

We may collect Personal Data from our mobile application, networks, systems, and cloud-based services that is used to inform security and operations management to help keep our website, networks, and systems secure. We can also use this information to investigate or prevent cyber-attacks or to detect bots as well as to assist our customers in diagnosing any specific incidents or security related concerns.

To provide support services to you, your employer or organisation

There may be occasions where you need to contact us to get support and assistance with the use of our mobile application and cloud-based services. When you contact us, we will open a support ticket that will contain details about you, your employer or organisation and the support that you need from us. 

To comply with legal obligations, applicable laws, regulations and to operate our business

There are occasions where Viz.ai Netherlands BV may need to process Personal Data to comply with a legal obligation, applicable law, or regulations. For example, we may need to defend a legal claim or respond to a request from a regulator. Viz.ai Netherlands may also process Personal Data in the operation of our business where certain investigations may require access to your Personal Data. Where a legal obligation exists, Viz.ai Netherlands will ensure that it is a genuine obligation and where applicable and lawful, may notify your employer or organisation of the obligation and Viz.ai Netherlands intended action and response to meeting the obligation.

To sell our services or to maintain a contract with you or your employer or organisation

Viz.ai Netherlands BV may collect data from online and offline sources to sell our products and services and to maintain a contract if there is already one in place. 

To update you with the latest information about our products or services

If you have previously agreed to receive information from Viz.ai Netherlands BV or, if using Legitimate Interest in certain jurisdictions, we will share information  with you that we may feel is relevant about our products and services.

Viz.ai Netherlands BV  must have a lawful basis for the processing of your Personal Data in the UK or EU. Our lawful basis for processing includes:

a) Legitimate Interest

To communicate with you and to respond to your requests in some EU jurisdictions we rely upon a Legitimate Interest to process your Personal Data.

We may process your Personal Data for marketing and sales activities based upon Legitimate Interest in certain jurisdictions.

We may also rely upon Legitimate Interest to analyse, develop, improve and optimise our website, products and services and to use your Personal Data to maintain and improve the security of our website, networks and systems.

b) Consent

We sometimes rely upon your consent to process your Personal Data where this is indicated to you at the time your personal data is collected.

c) Performance of a Contract

When we engage in transactions with customers, suppliers, or business partners we need to process your Personal Data to either enter into or to meet our obligations under a contract.

d) To Comply with Applicable Laws and Regulations

There are certain legal obligations that must be met by companies such as Viz.ai Netherlands BV. Where there is a need to comply with applicable laws and regulations, we may be legally obliged to share your Personal Data.

Viz.ai Netherlands BV retains information for the following retention periods

The information we collect about you when you use our mobile application and cloud-based services your data will be retained for the duration of the transaction or services period and will be deleted ninety days after your employer or organisations contract has expired or sooner if requested or contracted to do so.

Where there is a legal obligation to retain records for a legal or compliance purpose information will be kept for a longer period in line with statutory retention periods for the data in question.

Contact information such as your email address or phone number that has been collected from online or offline activities will be retained for as long as we have an active relationship with your employer or organisation. We treat you as an active contact if you have interacted with Viz.ai Netherlands BV or if you have updated your contact details and preferences in the past eighteen months and you have not made a deletion or do not contact / opt out request.

Personal Data needed to retain your opt-out preferences is kept for a period of two years or longer if required by applicable laws. Opt-out data includes your name and email address and it is used purely to ensure that we do not contact you by facilitating a table lookup.

As an international organisation Viz.ai Netherlands BV shares information about you throughout its Viz.ai Group international operations to the extent necessary to perform its business with you, its suppliers and business partners. All Viz.ai Netherlands and Group employees, suppliers and business partners are only authorised to access personal information to fulfil a lawful, applicable and specific purpose and to perform their job functions.

Sharing with Third Parties

Viz.ai Netherlands BV acts a Data Processor when you use our mobile application and cloud-based services. We share Personal Data with third parties when you interact with the application and services for the following reasons or business purposes:

• Third party service providers providing services such as support fulfilment, customer relationship management, communications, information technology and related infrastructure, security, data protection, customer service, email delivery, information storage, auditing, and legal.
• As required by law to comply with legal obligations in any relevant jurisdictions
• With our business partners to administer contracts, or accounts for our products or services. 

Where information is shared with a third party, Viz.ai Netherlands BV has undertaken the appropriate amount of due diligence to ensure that the necessary contractual, technical, and organisational measures are in place to ensure that your Personal Data is processed only to the extent that is necessary, consistent with this Privacy Notice, and shared in accordance with applicable laws.

A list of current third-party processors can be found here.

Where data is exported by Viz.ai Netherlands BV it is only transferred to a recipient that resides in a country that has adequate data protection measures is place , or a recognised international transfer mechanism is in place by law. Where this is not possible, we will ensure that adequate measures including risk and transfer impact assessments and contractual obligations such as EU Model clauses along with appropriate organisational and technical measures are used to protect your Personal Data. 

Viz.ai Netherlands BV is a subsidiary company of Viz.ai Inc. In the United States Viz.ai Inc is a regulated entity under the Health Insurance Portability and Accountability Act (HIPAA) and has implemented several key security and privacy standards, controls, and measures to adhere to this act and to meet the requirements of others such as the GDPR. These are shared with Viz.ai Netherlands BV.

The security standards and controls currently met or used by Viz.ai Netherlands BV and Viz.ai Group include that are applicable to your Personal Data includes:

• Internal risk assessments / audit.
• ISO27001 and ISO27002 controls (global) and certification (US and Israel only)
• ISO27701 Security techniques, extension to ISO27001 for Privacy Information Management (applied globally but certified for US and Israel)
• US Health Insurance Portability and Accountability Act (applied globally)
• GDPR compliance via policies, processes, and audits (applied globally)
• NIS Directive compliance (applied globally)

The Viz.ai Group management team are accountable for the development, implementation and upkeep of Viz.ai Group and Viz.ai Netherlands BV  information security management system, security measures and associated certifications. Day to day responsibility for the Viz.ai Group and Viz.ai Netherlands BV ISMS resides with Viz.ai’s Group Chief Information Security Officer (CISO)

All third-party business partners and suppliers are contractually obligated to meet the requirements of Viz.ai Group and Viz.ai Netherlands BV security policies and this Privacy Notice. 

You have several choices in respect of the Personal Data we process about you:

1. Opt Out or Withdrawal of Consent

You may opt out of or withdraw consent for any previously provided consent given to Viz.ai Netherlands BV for processing your Personal Data.

2. Deletion of Personal Data

You may ask us to delete all or some of the Personal Data we have about you under certain circumstances such as where you feel that the use of Legitimate Interest affects your rights. Where we are unable to delete this data, we will inform you of why we are unable to delete your data. Example reasons preventing this deletion include contractual or legal obligations. Should we not be able to delete your data, you have the right to contact a Supervisory Authority for their view on the matter.

3. Change or Correct Personal Information

You can ask us to change or update information about you in certain cases, such as if the information we have on you is inaccurate.

4. Object to, or Limit or Restrict the Use of your Personal Data

You can ask us to stop using some or all of the personal data that we hold about you, for example where we have no legal right to keep using it. You can also ask us to limit the use of your Personal Data if it is inaccurate or if you disagree with our legitimate interest justification for the use of your data.

5. Right to Access or Have Your Information Provided to you.

You can ask for a copy of the information we hold about you. Where possible we will provide this in a machine-readable format. Where we are unable to do so, we will provide you with a reason why we cannot provide it in a machine-readable form. 

6. How do I Contact Viz.ai Netherlands BV if I want to Exercise my Rights?

If you would like to contact us to exercise your rights under data protection laws, please send an email to DPO@viz.ai and our Data Protection Officer will assist you.

For data protection matters relating to the US or other Jurisdictions please contact the US office listed at the end of this document.

For Viz.ai Group representative offices, please write to the relevant representative listed here.

For data protection matters in the UK or EU please write to the UK and EU Data Protection Officer at

Mr Paul Benedek
Excis Networks Limited,
3-4 Bower Terrace,
Tonbridge Road
Maidstone
Kent
ME16 8RY

Paul Benedek is registered and a DPO with the ICO in the United Kingdom and in the Netherlands with the Autoriteit Persoongegevens (AP) which is the EU data protection supervisor where Viz.ai Netherlands BV is established.

For all data protection matters, you can send an email directly to DPO@viz.ai where we will endeavour to assist you.

If you have any complaints regarding Viz.ai Netherlands BV compliance with this Privacy Notice or to other data protection matters, please contact us in the first instance at DPO@viz.ai and we will investigate. We will attempt to resolve any complaints or issues that you may have in accordance with this Privacy Notice and Applicable Law.

If you are unhappy with the investigation or attempts to resolve your complaint, you have the right to compliant to the Supervisory Authority in your country or jurisdiction. A list of these Supervisory Authorities and how to contact them can be found here https://iapp.org/resources/article/how-to-provide-dpo-contact-information-to-your-dpa/ .