- Who we are (identity of the data controller)
- What personal data do we collect and when?
- How we use your personal data
- Legal basis for data processing
- How do we store, process, and protect your personal data?
- Children’s Data
- Sharing and storing information
- How long we retain your personal data
- Your rights as a data subject
- Questions and Complaints
- Changes to this privacy notice
As a responsible healthcare provider, Forward Clinical Ltd (trading as Pando Access) values the trust you place in us when you share your personal data. We are committed to protecting the privacy of everyone who uses our sites and services and anyone who supports our work through our supplier and customer network.
This Privacy Notice contains our obligations and promises to you about the different types of personal data we might collect about you when you browse this site, contact us and use our healthcare platforms. It explains how we will store, handle, and protect that data.
2. Who we are (identity of the data controller)
We are an English company with registered company number: 10420044 and our registered office is at 300 St John Street, London, EC1V 4PA. We are the data controller responsible for your personal information and we are registered at the UK Information Commissioner’s Office with registration number ZA237861.
The following laws will apply to the protection of your personal data when you use this website:
- If you are a resident of the United Kingdom, the UK GDPR as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
- If you reside in any other country, the applicable data protection laws and regulations in your country of residence.
- Please note that the Pando Access service is only offered to residents in England and Wales at this time due to regulatory requirements. If you are outside England, you should not use the Pando Access service although you may still visit this website.
- Pando Access is currently providing a pro-bono service to aid the humanitarian crisis created by the war in Ukraine. Our usual operating restrictions do not apply to users accessing this service. A separate risk assessment has been performed for this initiative and the legal basis of processing is to protect the vital interests of people that have been denied access to traditional medical care by the conflict.
3. What personal data do we collect and when?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together, as follows:
- Identity Data includes name, gender, date of birth, address, telephone number, email address, optional NHS number (for some services).
- Contact Data includes email address and telephone numbers.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website and our apps.
- Special Categories of Data includes sensitive medical details such as symptoms, conditions, biometrics, family history, medication, and any other health data you provide to us (voluntarily) by consenting to use our service.
- Usage Data includes information about how you use our website, products and services.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature in the app. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we collect personal data in order for the information to be forwarded via the Access site to the GP practice you have chosen and you fail to provide that data when requested, we may not be able to share the information with the GP practice. This does not affect your ability and freedom to visit your medical practitioner. Not all services will include forwarding to your GP and we will always ask for your permission to share data in this way.
We collect the information in the following circumstances:
- Direct interaction, such as when you register on our website or app.
- When you have given a third party permission to share with us the information they hold about you (for example, if you are directed to our site from another service that you subscribe to).
- When you allow social media sites to provide your data to us.
- When you contact us by telephone or email.
- When completing any of our surveys or leaving us a review.
- When completing any forms for transactional, employment or other purposes.
- When you enter a contract with us.
- When you visit our website, our servers record data about your internet browser, your computer's IP address (which is the unique numerical address given to every computer connected to the internet), the time and duration of your visit and which pages you looked at.
- We also collect information about how our website is used and track which pages users visit when they follow links in Pando emails.
Third parties or publicly available sources.
We may receive personal data about you from various third parties and public sources as set out below:
- Technical Data from the following parties:
  - analytics providers such as Google based outside the EU;
  - advertising networks;
  - search information providers based inside or outside the EU.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the EU
- Identity, Contact, Profile, Usage, Marketing and Communications Data from data brokers or aggregators based inside or outside the EU
- Identity and Contact Data from publicly available sources such as LinkedIn, Companies House and the Electoral Register based inside the EU.
- Like many other websites, the https://access.hellopando.com/ website uses ‘cookies’, which are small files stored on your computer that allow websites to recognise you when you visit the next time. They store data about your browsing history but do not identify you as an individual. We use this information to monitor and improve our website, services and activities, which helps us to deliver a better, more personalised service.
- You can switch off cookies in your browser preferences but doing so may result in a loss of functionality when using our website.
- The https://access.hellopando.com/ website may include links to other sites, not owned or managed by us. We cannot be held responsible for the privacy of information collected by websites not owned and managed by Forward Clinical Ltd. When you leave our website, we encourage you to read the privacy notice of every website you visit.
4. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
We process your personal data, which may include, but is not limited to, your name, address, phone number, image for identification purposes, email address, General Practitioner (GP), GP address, date of birth, NHS number, prescribed medications, supplied medications and other details about your medical history that you choose to provide and share with us.
We process this information for the following purposes:
- To provide you with products and services including healthcare services.
- Internal record keeping.
- To improve our products and services.
- For the purpose of employee training and to improve our quality of service, we may obtain some personal information from monitoring or recording calls.
- In the event of a business sale or merger, personal data will be transferred to the new business owner in line with regulatory requirements.
- Keeping you informed about new products, special offers or other information which we think you may find interesting. If you no longer wish to receive such emails, you can ask us to stop at any time.
- Market research: we may, from time to time, contact you for market research purposes.
5. Legal basis for data processing
- The lawful basis we rely upon for processing all this data varies depending upon the way it has been collected, and the purpose of the processing.
- We will use personal data firstly to fulfil any contractual obligations that exist between us. Where we request personal data be provided to meet the terms of any such contract you will be required to provide the relevant personal data, or we will not be able to deliver the goods and/or services you have requested. In such cases, the lawful basis of us processing the personal data is that it is necessary for the performance of a contract or necessary to collect prior to entering that contract.
- We also process your data when it is necessary with your consent, for a legal obligation, a task carried out in the public interest, necessary for the vital interests of you or another person, necessary for legal proceedings or for preserving your or someone’s legal rights, necessary for medical purposes or for our own legitimate interests or the interests of a third party to whom we might disclose data, except where there is unwarranted prejudice to your or others’ legitimate interests.
- Patient data is considered to be a special category of data under the UK and EU General Data Protection Regulation and is processed under section 6(1)(c) “necessary for compliance with a legal obligation to which the controller is subject” and 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or member State law pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.
- We may also process patient data, when it is necessary, ‘for the performance of a task carried out in the public interest or in the exercise of official authority…’ in accordance with GDPR 6(1)(e).
- For all individuals, users, and non-user contacts we rely on separate, explicit consent for direct marketing. You may withdraw your consent for further processing, fully or for specific purposes at any time by emailing email@example.com or by opting out from the link on the communication that is sent to you. It is important to note that this may affect the services we are able to offer you, and we may need to continue to process data relating to your request to withdraw consent.
- We sometimes need to use your data to help us run our business. For example, to action any changes to your account that you request, or to personalise the services we provide – with the aim of improving your customer experience. We will only use your data in these instances, where doing so does not materially impact your rights, freedom, or interests. In this case, your data is processed under legitimate interest.
- We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
- Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your personal data where more than one has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register you as a new customer or supplier | Identity | Performance of a contract with you |
| To process and deliver or receive your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us; (c) provide technical support to you as a customer; (d) provide you with training | Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us) |
| To enable you to have access to an online consultation via the app and, either to send your details to your chosen GP practice or instead to recommend that you seek more urgent care | Identity; Special Category of Data | Necessary for compliance with a legal obligation to which the controller is subject; processing is necessary for the purposes of preventive or occupational medicine |
| To manage our relationship with you which will include: (b) Asking you to leave a review or take a survey; (c) respond to enquiries from you received through the website or otherwise; (d) respond to a request for a demo of our product; (e) to respond to a clinical incident you raised | Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services and respond to your enquiries or provide you with a demo) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, customer feedback, reporting and hosting of data) | Identity | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Identity; Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Technical | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To send you communications, invite you to events, and feedback groups to share best practice, functionality, product updates and clinical networking sessions to make suggestions and recommendations about our existing service that may be of interest, if you are a customer or a potential customer | Identity; Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. How do we store, process, and protect your personal data?
The personal data that we collect from you is stored in the European Union on (Europe) Cloud Servers of Amazon Web Services with all primary processing taking place in the UK. This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement if the additional requirements for processing in third countries are compliant with an appropriate level of protection in the third country and appropriate guarantees (such as standard data protection clauses, or exceptional circumstances). A full list of our third-party sub-processors and details of their privacy policies can be found below.
When you visit our site, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Sensitive information between your browser and our website is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.
Where you communicate with us via our site, the nature of the Internet is such that we cannot guarantee or warrant the security of any information that you transmit, as no data transmission over the internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your personal data.
Please contact our Data Protection Officer if you would like further details on the specific safeguards applied to the export of your personal data outside the UK/EEA.
Processors and sub-processors
- Amazon Web Services, Inc – https://aws.amazon.com/privacy/
- Intercom – https://www.intercom.com/legal/privacy
- Stripe – https://stripe.com/gb/privacy
Customer feedback, engagement, analytics and support
- Amazon Web Services, Inc – https://aws.amazon.com/privacy/
- HubSpot – https://legal.hubspot.com/privacy-policy
- MailChimp – https://mailchimp.com/legal/privacy/
7. Children’s Data
We never knowingly collect personal data from children under 16. However, we encourage parents and legal guardians to monitor their children’s Internet usage and to help us to enforce this notice by instructing children never to provide personal data to us.
8. Sharing and storing information
Sometimes we will share your personal data with trusted third parties. We will do this in the following circumstances:
- To process an order e.g., with third party payment service providers
- To handle complaints e.g., with our Customer Services call centre
- To detect any fraudulent activity, or assist law enforcement authorities
When we share information with third parties, we will ensure that:
- We only provide the data they need to perform their specific function
- They only use the data provided as intended
- They have the requisite measures in place to protect your data and delete it once the function has been performed, or delete it when we cease working with them
Some of our partners and third parties who may receive your personal data are based outside of the European Economic Area. In such cases, we conduct due diligence to ensure that our partners are contractually bound to protect your data to the same degree that is required in the European Union.
9. How long we retain your personal data
We only keep your personal data for as long as is necessary for the purpose for which it was collected (subject to any legal requirements). Once it is no longer necessary, we will either delete the data, or anonymise it. The use of anonymised data helps us to optimise our customer service.
If you ask us to delete your data, then we may not be able to provide you with all of the services offered from this website.
10. Your rights as a data subject
You have the following rights which you can ask us to comply with:
Your right to rectification – You have the right to correct any information we store which might be incorrect, incomplete, or out of date. You can do this by contacting our Customer Services Team who will give you step-by-step advice on how to do this. You can contact them by emailing: firstname.lastname@example.org
Your right to restrict processing – If we are processing your personal data on the basis of our legitimate interest, you have the right to ask us to stop. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Your right to object – You have the right at any time to stop us sending you marketing material. You can do this in the following ways:
- Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from reaching your inbox.
- Contact our Customer Services Team by emailing: email@example.com
- Email or write to: The Data Protection Officer, registered office as before.
Please note that if you follow a link which clicks through to a third-party site, this notice will not apply and you will need to review that third party’s privacy terms and conditions.
Your right of access – You have the right to ask us what data we hold which concerns you. Such requests are usually free, but we will ask you to submit your query in writing and include the following:
- Full name (we will ask you to verify your identity)
- Full address
- Email address
- Phone number
- Specific details on what you require or are requesting
We will process your request and will either respond within 30 days or contact you to gather more information before we fulfil your request. In the event that we might refuse to fulfil your request (for example if it is unreasonable), we will give a full explanation as to why.
Please submit your requests through the following channels:
FAO: The Data Protection Officer, registered office as before.
Or send an email to: firstname.lastname@example.org
Your right to be informed – This Privacy Notice together with our Cookies Policy provides your right to be informed about the collection and use of your personal data.
Your right to erasure – You have the right to obtain from us the erasure of your personal data when the processing is based on your consent and such consent is withdrawn. To exercise your ‘right to be forgotten’, please contact us at email@example.com and we will comply with your request within 30 days from the date that we have identified you. Please note that your right to erasure does not apply to data related to any of your transactions as we have a legal obligation to keep the same.
Your right to data portability – You have the right to receive a copy of the personal data that we hold about you and/or have such personal data transmitted from us to another data controller if this is technically achievable.
11. Questions and Complaints
Should you wish to discuss a complaint, please contact firstname.lastname@example.org and we will be happy to assist you.
Alternatively, if you are unsatisfied with the DPO’s response to your concern, under Article 77 of the GDPR you have the right to lodge a complaint directly with the Information Commissioner’s Office. Under Article 80, you may authorise certain third parties to make a complaint on your behalf (such as legal representation).
You would also have the right to opt-out of the sale of your personal information.
Finally, you have the right not to be discriminated against for exercising any of the rights described in Section.
12. Changes to this privacy notice
We reserve the right to make changes to this Privacy Notice at any time without prior consultation. Any changes to this Privacy Notice will be posted on our site so that you are always aware of what personal data we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use personal data in a manner significantly different from that stated in this Privacy Notice, or otherwise disclosed to you at the time it was collected, we will notify you by email.