Privacy Policy

Introduction
Welcome to the privacy policy for Open-OH. Open-OH is a long-term condition and occupational health support platform which includes a user app (the app) which can be installed on Android and iOS devices or accessed through web browsers, and the open-oh.com website (the website). This policy explains how your data is used by Open OH.

GDPR Statement
Open-OH respects your privacy rights and complies with the European Union’s General Data Protection Regulation (GDPR) to ensure the lawful processing of your personal data. Our commitment to GDPR includes:

  1. Lawful Basis for Processing: We process your personal data based on your consent, contractual necessity, legal obligation, or legitimate interests.
  2. Data Subject Rights: We uphold your rights under GDPR, including the right to access, rectify, erase, restrict, or object to the processing of your personal data. You also have the right to data portability and to withdraw consent at any time.
  3. Data Minimization and Retention: We collect only the data necessary to fulfil the purposes outlined in this Privacy Policy and retain it only for as long as needed or required by law.
  4. International Transfers: When transferring data outside the EU, we ensure that appropriate safeguards are in place to protect your data, such as using Standard Contractual Clauses or other lawful mechanisms.

HIPAA Statement
Open OH is committed to protecting the privacy and security of your health data in accordance with the Health Insurance Portability and Accountability Act (HIPAA). We implement stringent safeguards to ensure that your Protected Health Information (PHI) is handled with the utmost care and confidentiality. Our practices include:

  1. Data Protection: We use advanced encryption methods and access controls to protect your PHI from unauthorized access, use, or disclosure.
  2. Privacy Practices: We adhere to HIPAA’s Privacy Rule, ensuring that your health data is only used or disclosed for permitted purposes, such as treatment, payment, and healthcare operations, or with your explicit consent.
  3. Security Measures: We regularly review and update our security protocols to safeguard your data against threats and vulnerabilities.

What sort of data do we collect?
Open OH collects two types of data: non-identifiable data and identifiable data (personal data).

  1. Non-identifiable means that we cannot determine the identity of the subject to whom the data pertains. This data can include non-identifiable personal data, such as aggregated healthcare or demographic data, and non-personal data such as technical data provided by your device (e.g. the operating system of your device, the time you accessed Open OH, etc.). This data allows us to improve the functionality of Open OH, including making technical improvements and ensuring that content is relevant and useful.
  2. Identifiable data (personal data) is data that directly identifies the subject or allows the identity of the subject to be identified through reasonable efforts.

Identifiable data gathered by Open OH includes:

  1. Registration data: To access the Open OH app, you must register for an account. This will require you to provide your full name, gender, email address, date of birth and a password.
  2. Health data: As part of registration for the app, you must complete a C19-YRS questionnaire, which requires you to provide details about your long-term conditions. You may also choose to provide other sensitive health data whilst using the app, such as through health symptom questionnaires, or diaries. This data may include biometric details (height, weight, heart rate, blood pressure), activity data such as sleep and exercise duration, details about your symptoms or details about past medical history such as medications and hospital visits. This data may be manually input by you, or automatically uploaded to the system by an accessory device such as a smart-watch. Some of this data may be categorised as PHI according to HIPAA, and all necessary actions will be taken to ensure that PHI is protected as per requirements.
  3. Voluntary data: You may choose to provide additional data voluntarily, such as by completing contact forms on the website or contacting our support or throughout your use of the app.
  4. Device data: We may gather data from users of the app and website, including data about your location, device identifiers such as IP addresses, and service usage details such as page views and click-throughs.

Use of the app requires that users read and agree to our terms and conditions and privacy policy. Any data, whether identifiable or not, that you input into the app is provided voluntarily and with explicit consent for the use and sharing of your data as specified by this policy.

If you refuse to provide certain data, as is your right, please bear in mind that the range and function of features available to you may be affected, and in some cases, you may be unable to use the app or website completely.

Cookies Policy
At Open-OH, we use cookies and similar technologies to enhance your experience on our website. This Cookies Policy explains what cookies are, how we use them, and how you can manage them.

Cookies are small text files placed on your device by websites you visit. They help us remember your preferences, improve site functionality, and provide insights into site usage. The cookies we use fall into the following categories.

  1. Technical Cookies: These cookies are essential for the website to function properly. They enable core features such as secure login and session management.
  2. Performance Cookies: These cookies collect data on how you use our website, such as which pages you visit and any errors you encounter. This helps us improve the website’s performance and user experience.
  3. Functional Cookies: These cookies allow us to remember your preferences and choices, such as language settings, so we can provide a more personalized experience.
  4. Analytics Cookies: We use these cookies to gather information about how visitors use our website, which helps us analyze trends and enhance our services.

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies, or to receive notifications when cookies are set. However, please note that disabling cookies may affect your ability to use certain features of our website.

Our website may also include cookies from third-party services, such as analytics providers or advertising networks. These third parties have their own privacy policies and we encourage you to review them.

How do we use your data?
We collect data through both our website and app to enhance your experience, improve our services, and contribute to research in long-term condition management. Below is an overview of how we use the different types of data collected.

Website Data
When you visit our website, we may collect technical data and site usage statistics using cookies and similar technologies. We may use this data to:

  1. Monitor and improve website performance and user experience.
  2. Understand user behaviour and preferences to optimize our website content.
  3. Analyse trends and gather insights for research and development purposes.

App Data
The Open OH app collects various types of data including personal data to provide personalized support and insights into your long-term condition. We may use this data to:

  1. Provide personalized health support and recommendations based on your specific condition and symptoms.
  2. Enable you to monitor and track your symptoms and condition over time, helping you to gain insights into your health.
  3. Enhance the app’s functionality and user experience by tailoring content and features to meet your needs.
  4. Support research to improve the understanding of long-term conditions and support the development of new treatments and interventions.
  5. Share aggregated and de-identified data with third-party researchers and partners to advance medical research and contribute to broader public health initiatives.

Data that you provide through the app or website may be aggregated or anonymized, so that you can no longer be personally identified by this data alone. Data that has been processed in this way is not restricted by this Privacy Policy, allowing us to distribute it freely for any purpose. We may share this anonymized or aggregated data with others for legitimate purposes, such as for research and statistical analysis. PHI data used in this way will be de-identified in compliance with HIPAA standards.

Who is responsible for the app
Open-OH is managed by ELAROS 24/7 Limited (ELAROS), a company registered in England and Wales under No. 07469441 and whose registered office is at Electric Works, Sheffield Digital Campus, Sheffield, S1 2BJ.

ELAROS respects personal privacy and is committed to protecting personal data and fully complying with the legal obligations in territories where the app is available, including HIPAA, EU GDPR, and the Data Protection Act 2018.

ELAROS have appointed a data protection officer to support the management of data protection at ELAROS and to deal with any questions you may have in relation to this privacy policy. You may contact ELAROS using the contact details given above, or directly at dpo@elaros.com.

ELAROS hosts the system and cloud-based software through a third-party hosting provider, PNP Digital (https://pnp.digital).

Who is your personal data shared with?
Staff at ELAROS are only granted access to personal data when it is necessary to carry out their role.

To process the data you provide through the app or the website, ELAROS requires the support of another company called PNP Digital Ltd. PNP Digital are a UK-based software development company composed of app developers, cloud software engineers, web designers and business experts, focused on delivering bespoke digital app and cloud software solutions.

PNP Digital manages the hosting of the app on behalf of ELAROS but is not permitted to process the data collected within it unless instructed by ELAROS for necessary purposes, such as account retrieval, or conducting data access requests. For more information on PNP Digital’s storage policies, visit https://pnp.digital/policies/

Data used to support research
At Open OH, we are committed to advancing the understanding and treatment of long-term health conditions through research. To achieve this, we may use your data for research studies aimed at improving health outcomes and developing new interventions. The following outlines how your data is used for research purposes:

  1. Separate Consent: Participation in research studies is entirely voluntary and will require your explicit consent. You will be provided with a separate consent form that details the specific study’s objectives, methods, and potential risks.
  2. Ethics Approval: All research studies conducted by Open OH are subject to rigorous ethical review and approval by relevant authorities to ensure compliance with applicable laws and ethical standards.
  3. Data Anonymisation: When possible, we will anonymize your data to ensure that it cannot be linked back to you personally. Anonymized data helps protect your privacy while allowing us to derive meaningful insights from the research.
  4. Data Use: Your data may be used to analyse trends, evaluate the effectiveness of interventions, and contribute to scientific knowledge in the field of long-term health conditions. The results of these studies may be published in scientific journals or presented at conferences.
  5. Withdrawal: You have the right to withdraw your consent for the use of your data in any research study at any time, without affecting your access to the Open OH platform or its services.

If you have any questions or concerns about your participation in research studies or the use of your data for research purposes, please contact us at support@elaros.com.

What are your data protection rights?
You have certain rights granted by data protection law. If you wish to understand more about your rights, please visit the Information Commissioner’s Office website at https://ico.org.uk.

GDPR Data Privacy Rights

  1. Right to Access: Individuals have the right to request and obtain a copy of their personal data held by an organization, as well as information about how that data is processed.
  2. Right to Rectification: Individuals can request correction of inaccurate or incomplete personal data to ensure that their data is accurate and up-to-date.
  3. Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
  4. Right to Restriction of Processing: Individuals can request that an organization restricts the processing of their personal data under specific conditions, such as while verifying data accuracy or when processing is unlawful.
  5. Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another organization without hindrance.
  6. Right to Object: Individuals can object to the processing of their personal data for specific purposes, such as direct marketing, or when processing is based on legitimate interests or public interest.
  7. Right Not to Be Subject to Automated Decision-Making: Individuals have the right to not be subject to decisions based solely on automated processing, including profiling, that have significant effects on them, without human intervention.
  8. Right to Withdraw Consent: Individuals can withdraw their consent for data processing at any time if the processing is based on their consent, without affecting the lawfulness of processing before withdrawal.
  9. Right to Lodge a Complaint: Individuals have the right to file a complaint with a supervisory authority if they believe their data protection rights have been violated.
  10. Right to Be Informed: Individuals have the right to be informed about the collection and use of their personal data, including the purposes of processing, data retention periods, and who the data will be shared with.

HIPAA Data Privacy Rights

  1. Right to Access: Individuals have the right to access and obtain a copy of their Protected Health Information (PHI) maintained by covered entities, such as healthcare providers and insurers.
  2. Right to Request Amendment: Individuals can request corrections to their PHI if they believe it is incorrect or incomplete, and the covered entity must respond to such requests.
  3. Right to an Accounting of Disclosures: Individuals have the right to request a list of disclosures of their PHI made by a covered entity, except for those related to treatment, payment, and healthcare operations.
  4. Right to Request Restrictions: Individuals can request restrictions on certain uses and disclosures of their PHI, although covered entities are not required to agree to all requests.
  5. Right to Request Confidential Communications: Individuals have the right to request that a covered entity communicate with them in a specific manner or at a specific location to maintain confidentiality.
  6. Right to Revoke Authorisation: Individuals can revoke their authorization for the use or disclosure of their PHI at any time, except to the extent that action has already been taken based on the authorization.
  7. Right to Receive a Notice of Privacy Practices: Individuals have the right to receive a written notice from covered entities outlining how their PHI will be used and disclosed, and what their privacy rights are under HIPAA.
  8. Right to File a Complaint: Individuals have the right to file a complaint with the U.S. Department of Health & Human Services if they believe their HIPAA rights have been violated.

If you wish to exercise any of your data protection rights then please email support@elaros.com with the details of your request.

Contacting ELAROS
You can contact ELAROS by writing to us at ELAROS, Electric Works, Sheffield Digital Campus, Sheffield, S1 2BJ, emailing us at support@elaros.com or by calling us on 0114 286 6200.

Contacting the regulator to make a complaint
If you feel that your data has not been handled correctly, or are unhappy with our response to any requests made to us regarding our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office, the UK supervisory authority in relation to data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address any such concerns before you approach the ICO so please contact us in the first instance.

The ICO can be contacted by calling 0303 123 1113 or by going online at www.ico.org.uk/concerns.

If you are based outside the UK, you have the right to lodge a complaint with the relevant data protection regulator in your country of residence.

Further information
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to dpo@elaros.com.

ELAROS keeps this privacy policy under regular review and will ensure that the most recent version of the policy is always available through the Open-OH.com website, and in the app itself.

27 September 2024, Version 1