Policy & Data

PRIVACY POLICY

INTRODUCTION

Welcome to Sanius Health’s privacy policy.

This privacy policy relates to the Sanius Health programme that we have designed in order to monitor your health and related data to try and gain better knowledge and understanding of Sickle Cell Disease. This policy will inform you about how we look after your personal data when you register with us specifically as a member of Sanius, and when you use the accompanying Sanius Health platform (the “Platform”) and website (located at https://www.saniussignup.com – the “Website”). It sets out your privacy rights and explains how the law protects you, and how we protect your data.

Depending on how you use the our products and services, we may ask you to sign an Genetic Data Upload Consent form that describes certain aspects of our products and services and asks for your consent to process your information. Please review our section on Genetic Data to better understand our practices with respect to genetic data. To the extent that there is a conflict between this privacy policy and an Informed Consent form that you have signed, the Informed Consent form will control.

1. Important information and who we are 

PURPOSE OF THIS PRIVACY POLICY

This privacy policy aims to give you information on how Sanius Health collects and processes your personal data through your involvement in Sanius Health. Data collected includes any data you may provide when you complete forms and give us basic information about yourself, such as your name, date of birth, physical address and email address. You are responsible for the accuracy of the information that you provide to us.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

CONTROLLER

Shelford Capital Ltd (Sanius Health), having its registered office at 19 Abbots Business Park, Primrose Hill, Kings Langley, Hertfordshire, United Kingdom, WD4 8FR trading at 39th Floor One Canada Square, Canary Wharf, London, England, E14 5AB (company number 11365821) (“Sanius Health”).

Sanius Health (also referred to as “we”, “us” or “our” in this privacy policy) is the controller and is therefore responsible for your personal data. Sanius Health respects your privacy and is committed to protecting your personal data.  

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us via email using the following email address: [email protected]. 

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

We keep our privacy policy under regular review.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. See below for contact details.

THIRD-PARTY LINKS

Our Website and Platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website or Platform, we encourage you to read the privacy policy of every website you visit.

2. The data we collect about you

Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been completely removed and the data therefore cannot be re-identified (anonymous data). Data protection law does not apply to data that has been anonymised.

We may collect, use, store and transfer different kinds of personal data about you. We have grouped together those categories of data as follows:

• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Financial Data includes bank account and payment card details.
• Transaction Data includes details about payments to and from you and other details of products and services you have purchased / received from us.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website.
• Platform Data includes information about your visit (such as when you first used the Platform and when you last used it, and the total number of sessions you have had on that Platform), including products and services you viewed or used, Platform response times and updates, interaction information (such as button presses or the times and frequency of your interactions with the communications we deliver to you in the Platform or otherwise) and any phone number used to call our customer service number.
• Profile Data includes your username and password, orders made by you, your interests, preferences, feedback and survey responses.
• Usage Data includes information about how you use our Website, products and services.
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Health and Medical Data includes information about your health, symptoms, treatments, consultations, medications, and procedures. This includes details of your consultations with your GP, hospital appointments, and interactions with our digital services. We may also collect hospital data from Electronic Medical Records (EMR) (including Inpatient, Outpatient, Emergency Department, Pathology, Radiology and Pharmacy information), genetic information about the specific disease type that we are currently monitoring or researching, patient reported condition information (including physiological and mental wellbeing) (please refer to our section on Genetic Data below), genetic output, and Biometric data.

We get some of this information directly from you, when you register with us and when you use our services. We will receive your medical history from your GP / healthcare provider in accordance with the consent or authorization form that you provide or pursuant to the consent or authorization processes required by your GP / healthcare provider (such as authorizing the release of your medical records to us via your patient portal). We will also collect some of this information from wearable devices and linked mobile phone health applications, or from other third party sources, including laboratories, companies, and organizations not related to or operated by us that you may use to obtain genetic testing and results.

The purposes for which we intend to use the data we collect from you can be found in Section 5 below.  Please also see the Annex for additional details about how and why Sanius Health uses some of your Health and Medical data.

Genetic Data

We will only collect, use, and disclose your Genetic Data with your Informed Consent. When we use the term “Genetic Data” we are referring to genotypic and phenotypic information obtained from analyzing raw sequence data. “Genetic Data” does not include deidentified data.

If you have not provided us with your informed consent, please do not provide us with any Genetic Data. 

We collect your Genetic Data in the following ways:

• From you. 
• From third party sources, including laboratories, companies, and organizations not related to or operated by us that you may use to obtain DNA testing and results. We receive information about your genotypes that is generated by and that you obtain from these third party sources.

With your consent, process your Genetic Data in order to provide our products and services, which includes analyzing Genetic Data and to help you better understand your genetics and where risk factors may lie. 

You may revoke your consent for the use of your Genetic Data at any time by either deleting your data at [link] or contacting us at [contact information]. If you revoke your consent, we discontinue the use of your data going forward. Revoking your consent does not affect or nullify how we used your data in the past, including where your data has been aggregated or anonymized. Further, if you revoke your consent, some of the services and functionalities may no longer work for you. 

We may disclose your Genetic Data as follows:

• To you
• With our service providers​, as necessary for them to provide their services to us.
• With qualified research collaborators​, only if you provide your explicit consent.

SaniusHealth will use industry standard security measures to encrypt your Genetic Data both at rest and in transit. For more information on how we maintain Genetic Data, please see the section below regarding Data Security and Data Transfer. 

SaniusHealth will not sell, lease, or rent your individual-level information to a third party for research purposes without your explicit consent.

• We will not​ share your data with any ​public databases​.
• We will not​ provide any person’s data (genetic or non-genetic) to an ​insurance company​ or ​employer​.
• We will not​ provide information to ​law enforcement​ or ​regulatory authorities​ unless required by law to comply with a valid court order, subpoena, or search warrant for genetic or Personal Information.

Aggregated Data

We also collect, use and share aggregated data. This means grouping deidentified patient data used for research purposes. We are committed to ensuring that all best endeavours are taken to protect patients’ identifiable data. However, we cannot always guarantee that some specific patient characteristic would not allow for patients to be identified in a research environment. Some of our research focuses on the use of statistical or demographic data, for which use cases extend to rare and common diseases. 

Aggregated data could be derived from your personal data but is not considered personal data in law, as such data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website or Platform feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will then be used in accordance with this privacy policy.

We may also hold information about you and your health from other apps, devices, and services, and third parties where you have given your consent or authorization to that data being shared with us. Examples include where you decide to share information with our Platform which has been collected from a smart watch or similar device, or when you provide us with your medical information from your healthcare provider or another third-party source.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

3. Children

We are committed to protecting the privacy of children as well as adults. A parent or guardian of a child may provide information related to their child. The parent or guardian assumes full responsibility for ensuring that the information that they provide is accurate.

As noted in the Terms of Use, the use of the Platform is limited to individuals who are age 18 or older. As such we do not knowingly collect or solicit personal data about children under 13  years of age; if you are a child under the age of 13, please do not attempt to register for or otherwise use our products or services or send us any personal data. If we learn we have collected personal data from a child under 13 years of age, we will delete that information as quickly as possible. If you believe that a child under 13 years of age may have provided personal data to us, please contact us at [support email].

4. How is your personal data collected?

We use different methods to collect data from and about you including through:

• Direct interactions. You may give us your Identity, Contact, Health and Medical and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
• apply for our products or services; 
• create an account on our Platform; 
• use our Platform; 
• subscribe to our service or publications; or 
• give us feedback or contact us.
• Automated technologies or interactions. No automated only decisions are made – these are at most 80% and the remaining is driven by human decision making. As you interact with our Website or our Platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We will also collect Health and Medical Data through your use of our Platform. We collect this personal data by using cookies, server logs and other similar technologies. More information about our cookie policy can be found here. Please note that because of our use of cookies, we do not support “Do Not Track” requests sent from a browser at this time.
• Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below:
• Technical Data from the following parties: analytics providers.
• Health and Medical data from the following parties:
• GPs;
• Hospitals or other health care providers;
• Treatment centres;
• Community pharmacy; and/or
• 23andMe / genomic kits.

5. How we use your personal data

We will only use your personal data when we have a lawful basis for doing so. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into, or have entered into, with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we have your explicit consent to process your special category personal data.

To find out more about the types of lawful basis that we will rely on to process your personal data please see the Glossary at Section 11 below.

We will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Our patient consent process involves all patients agreeing to the processing and use of their personal data as part of the Sanius Health programme. Our patient consent process normally involves a Data Subject Access Request, which allows us to process and work with your personal data to provide you with visibility of your own data and records whilst supporting research. 

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

PROMOTIONAL OFFERS FROM US THIRD-PARTY / MARKETING / OPTING OUT

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by logging into the Website or Platform and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of product/service experience or other transactions.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules.

6. Disclosures of your personal data

We may share your personal data with the types of parties set out below for the purposes set out in the table above.

• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners will be permitted under the terms of the transfer to use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We disclose your personal data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of your personal data. For more information, please refer to the state-specific sections below.

• Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
• Hosting, technology and communication providers.
• Security and fraud prevention consultants.
• Support and customer service vendors.
• Product fulfilment and delivery providers.
• Payment processors.
• Our payment processing partners, which collect your voluntarily-provided payment card information necessary to process your payment.
• Advertising Partners. These parties help us market our services and provide you with other offers that may be of interest to you. They include:
• Ad networks.
• Marketing providers.
• Analytics Partners. These parties provide analytics on web traffic or usage of the Products and Services. They include:
• Companies that track how users found or were referred to the Products and Services.
• Companies that track how users interact with the Products and Services.
• Business Partners. These parties partner with us in offering various services. They include:
• Businesses that you have a relationship with.
• Companies that we partner with to offer joint promotional offers or opportunities.
• Parties You Authorize, Access or Authenticate
• Third parties you authorize through the Products and Services.
• Other users 

Legal Obligations

We may share any personal data that we collect with third parties in conjunction with meeting our legal requirements and enforcing legal terms, which may include any of the following activities:

• Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
• Protecting the rights, property or safety of you or another party.
• Enforcing any agreements with you.
• Responding to claims that any posting or other content violates third-party rights.
• Resolving disputes.

Business Transfers

All of your personal data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

Data that is Not Personal Data

We may create aggregated, de-identified or anonymized data from the personal data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Products and Services and promote our business, provided that we will not share such data in a manner that could identify you.

7. Data Security and Data Transfer

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any actual or suspected personal data breach and will notify you and/or any applicable regulator of a breach where we are legally required to do so.

No patient identifiable data is transferred outside of the UK. Only aggregated research data is managed on other servers.

We operate under strict security certifications and compliances. Our team continuously strives to work with and adopt new technology to provide valuable insights to our various client base, and protection of the sensitive data we process is important. As such, we are compliant with the following:

1. ICO 
2. ISO 27001 
3. Cyber Essentials 
4. Data Security and Protection Toolkit 
5. Cyber Security Centre Web Checker.

Sanius Health, alongside our IT partners, are committed to complying with data protection legislation and industry standards. As such, we work closely together to keep you and your data safe in the following areas:

1. System access levels and user authentication controls;
2. System auditing functionality and procedures;
3. Operating system controls such as vulnerability scanning and anti-virus/anti-malware software;
4. Network security such as firewalls and penetration testing; and
5. Encryption of special category personal data.

Our current process focuses on ensuring that there are strong levels of patient de-identification across the entire Platform and Sanius Health programme as a means of protecting the identity of patients who have joined Sanius Health, as well as a means of insulating these patients from any potential cyber security issues during the programme or in the future. As part of the process, we take steps to ensure that we are compliant with all penetration testing protocols to ensure the protection of patients and their data – this remains the highest priority of Sanius Health.

Data transfer and storage is managed by the data teams at Sanius Health, Draper & Dash and Clevacloud, the resulting infrastructure comprised of an Internet of Things (IOT), referring to a system of interlinked and internet-connected devices able to collect and transfer data in an automated fashion over a wireless network; a Microsoft Azure Database, which works as an Al-powered, automated, and fully managed cloud database for data storage; and Virtual Machine, acting as a computer created within a computer with its own virtual hardware and network interfaces, for web platform hosting.

All data transferred between devices and the Platform’s cloud database will be protected with full encryption, and cyber security will be provided by Microsoft Azure, which creates a highly secure cloud foundation using multilayered, built-in security controls and real-time global cybersecurity intelligence to detect and respond to threats as soon as they arise. Ongoing assessment of ecosystems by the research team’s technical experts will occur, should a more secure provider be identified over the course of the study. Security is an important concern and will be evaluated at each stage within the infrastructure. We will be utilising Azure Security Centre to monitor the security of all Azure assets, and firewall settings will limit access to Windows authenticated users within the Sanius Health infrastructure.

Clevacloud itself functions as our Information Commissioner’s Office (ICO) registered IT partners, in strict compliance with data protection legislation and industry standards. This involves ensuring safety of any data transferred and stored across the aforementioned areas.

Physical security sees our data and disaster recovery sites held within RapidSwitch and Microsoft Azure data centres, both strictly compliant to ISO 27001, ISO 9001 and PCI DSS standards. Manned security and monitoring of these centres occurs on a 24/7/365 basis, with biometric access policies, internal and external CCTV systems, as well as security breach alarms.

Network security follows similarly stringent measures, with access to cloud platforms / resource infrastructure and data strictly controlled through distinct access levels dependent on employee roles – limited to specific parts of cloud platforms, or solely aggregated data – and all access requiring 2 Factor Authentication, complex password protection, and prior authorisation. Furthermore, production databases are not available in any manner outside of the internal environment, preventing direct hacking of databases, and web server access to the cloud platform is accessible only by our developers through secure web panel or SSL (Secure Sockets Layer) encrypted FTPS (File Transfer Protocol Secure) connections. Finally, all internet-facing services are placed within securely segregated DMZ (DeMilitarised Zone) networks that sit between the internal and external network, providing virtual or physical networks isolated from core services by dedicated firewalls with strict access controls – firewalls also utilised for interior network zoning to separate service infrastructure tiers.

Cloud Applications security is provided through firewall clusters enabled with IDS (Intrusion Detection System), server operating systems patched weekly for regular updates, data encrypted using FIPS 140-2 compliant AES256bit encryption, secure communications provided by SSL and TLS (Transport Layer Security), and security credentials encrypted using a one-way hashing model.

8. 8. Data retention

HOW LONG WILL YOU USE MY PERSONAL DATA FOR?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

We reserve the right to retain anonymised copies of your data for use in ongoing research purposes. 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. Examples of how anonymised data may be used includes expanding the knowledge base for identifying correlations between risks, pathologies, outcomes and optimal treatment pathways. Anonymised data and insights may be used by clinicians, researchers, and other third parties for the improvement of patient care and therapeutic options. Anonymised data will be supported by the use of, and merging with, in-depth multi-source, historic, and live worldwide data.

9. Your legal rights

Our lawful basis for processing your personal data is your consent. Under certain circumstances, you have rights under data protection laws in relation to your personal data. Generally, your rights under data protection laws fall into the following categories:

• Request access to your personal data (commonly known as a “data subject access request”).  Please note that there are also various other ways through which you can access your own data (see ‘How my data can be accessed’ in Section 10 below).
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data where there is no good reason for us continuing to process it. 
• Object to processing of your personal data where we are relying on a legitimate interest in order to process it.
• Request restriction of processing of your personal data.
• Request the transfer of your personal data to you or to a third party.
• Withdraw consent at any time where we are relying on consent to process your personal data. 

Withdrawal of Consent

You have the right to withdraw your consent and require we erase your personal data which we are processing at any time, where at least one of the following grounds applies:

• the processing is no longer necessary in relation to the purposes for which your personal data were collected or otherwise processed;
• our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
• you object to the processing as set out in the “right to object” section of this policy and we have no overriding legitimate interest for our processing;
• the personal data have been unlawfully processed; and
• the erasure is required for compliance with a law to which we are subject.

State Privacy Rights under US Law

California Resident Rights

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at [SUPPORT EMAIL]. 

If you are a resident of California, you have a right to file a complaint alleging a violation under the Genetic Information Privacy Act (“GIPA”) with California’s Attorney General or other applicable state officials. To file a complaint alleging a violation under the GIPA, please contact:

California’s Attorney General:

• Webform: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
• Phone number (toll-free in California): (800) 952-5225

District Attorney:

• Contact information for county district attorneys is available at: https://www.cdaa.org/district-attorney-roster

If applicable, you may also file a complaint alleging a violation under the GIPA by contacting the applicable state officials listed below:

• County counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance;
• City attorney of a city having a population in excess of 750,000;
• City attorney in a city and county (for example, city attorneys listed at: https://www.cdaa.org/city-attorney-roster); or
• With the consent of the district attorney, a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California.

Nevada Resident Rights

Please note that we do not sell, or have plans to sell, your personal data as sales are defined in Nevada Revised Statutes Chapter 603A. However, if you would like to submit a request to opt-out of future sales (if any), please contact us at [SUPPORT EMAIL] with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.

10. How my data can be accessed

The means by which your personal identifiable data or aggregated, de-identified data can be accessed are as follows:

1. By You – personal identifiable data collected by Sanius Health will be made accessible to you via the accompanying Sanius Health Platform.
2. By Your Clinical Team – personal identifiable data collected by Sanius Health will be made accessible to your clinical team via the accompanying Sanius Health clinician web portal. This requires a secure 2FA (Two-Factor Authentication) system in order to enter the web portal, and clinicians will only be able to view the identifiable data of patients registered to them.
3. By Other Clinicians or Researchers – de-identified, aggregated data processed by Sanius Health will be made accessible to clinicians and researchers outside of your direct care team via the Sanius Health analytics dashboard. This will be presented only on an anonymised / pseudonymised basis for wider understanding of research questions regarding cohort-level clinical outcomes, care pathways and treatment options.

11. Glossary 

LAWFUL BASES ON WHICH WE MAY RELY

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

12. Contact Us

If you have any questions about the processing of your personal data, please contact our Data Protection Officer, Sanius Health at [email protected].

If you are not happy with how we have processed your personal information, you have the right to make a complaint to the Information Commissioner’s Office. Please see www.ico.org.uk for more information on how to do this.

PRIVACY POLICY ANNEX

Additional details about how and why Sanius Health uses some of your data

The Personal Data you consent to share with us may include the types described below. This Annex provides some further detail about how and why certain special category personal data is processed by Sanius Health.  Due to the sensitive nature of this data, we are keen for you to have as clear as possible an understanding of what we do with it and why.

General Health Information (Medical Records)

1. Details of your diagnosis; to create an understanding of how your disease type links to clinical outcomes and your overall health in order to help you and your clinical team to best manage your condition.
2. Healthcare Provider Contact Details; to help you combine and manage aspects of your care within the Sanius Health Platform.
3. Medication and Treatment Pathways; to help you and your clinical team track the impacts of your medications on your health at both a historic and real-time level, through additional linkage to your wearable biometric data.
4. Medical Appointments and Healthcare Utilisation; to help you and your clinical team better understand the natural history of your disease and what factors might impact your subsequent contacts with, and need for, healthcare.
5. Symptoms and Side Effects; to help you and your clinical team see where particular symptoms and side effects have arisen over your care journey, highlighting the causes, potential effective interventions taken in the past, and subsequent outcomes.
6. Pathology and Radiology Tests; to help you and your clinical team track your progress throughout your care journey, creating a picture of where your blood tests, scans and other investigations may reflect or predict other key events in your medical history.
7. Gender and Ethnicity; to allow healthcare professionals and our partners to better understand how treatment pathways and medications affect different people, prescribing and developing them to be more effective.

Live Health Related Biometrics (Withings ScanWatch)

1. Sleep Quality; to help you track your progress over time and for Sanius Health to build the picture of where variations in each component of your sleep may link to other metrics, as well as which factors may impact this.
2. Activity Levels; to help you track your progress over time and for Sanius Health to build the picture of where your variations in activity level may link to other metrics, as well as which factors may impact this.
3. Heart Rate; to help you track your progress over time and for Sanius Health to build the picture of where your heart rate variations may link to other metrics, as well as which factors may impact this.
4. Blood Oxygen Saturation (Sp02); to help you track your progress over time and for Sanius Health to build the picture of where variations in your Sp02 may link to other metrics, as well as which factors may impact this.
5. ECG; to help you track your progress over time and for Sanius Health to build the picture of where any instances of atrial fibrillation (irregular heart rhythm) may arise and link to other metrics, as well as which factors may impact this.

Other Health Related Metrics (Sanius Health Platform and 23andMe Genetics Testing Kit)

1. Self-Reported Pain and Psychological Wellbeing Scores, EQ-5D Questionnaires and other Quality of Life-related Questionnaires; to help you track your physical and emotional wellbeing over time, linking these to other health metrics in order to better understand the impact of each factor. This will support you in your disease self-management, your clinical team in identifying what the best care options are through their effect on your Pain and Psychological Scores, as well as Sanius Health in predicting where signs of an upcoming event may be on the horizon to alert you and your clinical teams in advance.
2. Height and Weight; to help you track your progress throughout your care journey.
3. Genomics Output; to help you better understand your genetics and where risk factors may lie. At a de-identified level, this will help clinical teams and researchers to understand which genotypes and variations may link to certain clinical outcomes or responses to treatment.

ANALYTICS AND PREDICTIVE CAPABILITIES OF THE PLATFORM

Upon providing your explicit informed consent for Sanius Health to collect your Health and Medical Data, we process the following information to drive the analytic and predictive capabilities of the Platform and apply it as follows:

1. We hold, among other things, Health and Medical relating to you (as described in Section 2 of the privacy policy) collected from various sources including you, your GP and hospital, as well as wearable devices and linked mobile phone health applications used by you.
2. We process the above referenced information and make it available on an: 

1. individual, identifiable basis to you through the Sanius Health Platform.
2. individual, identifiable basis to your hospital team.
3. aggregated, identifiable basis to your hospital team.

1. We process the information and make it available on an aggregate, anonymised or pseudonymised basis to clinicians outside of your hospital team and to our research partners.
2. We only require, store and process the data that you supply that your clinician or hospital require to further your care.
3. We deploy a data security infrastructure that ensures only a specific member of Sanius Health has access to your identifiable data in managing the cloud database. No other members of the Sanius Health team or any other third parties will have access to this identifiable data.

This data will be combined to establish associations between key live data metrics and aspects of your medical history, in order to build a better understanding of the disease’s natural history, identify potential triggers of pain crises or severe pathologies such as end organ damage, and elucidate the optimal treatment pathways based upon both deviation from your own baseline biometrics, as well as the outcomes of (de-identified) matched patient profiles.

By understanding your medical history and ongoing care journey, we will be able to predict where your health may show signs of deterioration or an upcoming clinical event, and prompt your clinical team to investigate and provide swift, pre-emptive intervention where appropriate.