Privacy at heart.

Welcome to Abtrace’s privacy policy. Abtrace respects your privacy and is committed to protecting your personal data.

1. Scope

Important:

• This privacy policy applies to personal data used by or on behalf of Abtrace, where Abtrace has overall control and legal responsibility for the use of your personal data (data controller). This includes how Abtrace uses your personal data when you visit our website, interact with us, and enquire about or use our products. This privacy policy sets out how Abtrace uses such data and how you can contact us for more information and to exercise your privacy rights.
• This privacy policy does not apply where another organisation has overall control and legal responsibility for the use of your personal data (data controller), and Abtrace is appointed by the data controller under a contract to process the personal data strictly on their behalf and in accordance with their instructions (data processor). This includes the use of patient data on behalf of a healthcare institution that uses our products. For more information and to exercise your privacy rights in respect of this, you should contact the data controller directly.
• This privacy policy does not apply to our employees, workers and contractors.
  

2. Introduction

Abtrace is a trading name of the legal entity Abtrace Limited, which is a registered Limited company in England and Wales (Company No.11535661). The office location is: 8 Hermitage St, Paddington, London W2, 1BE, UK.

Abtrace is the data controller responsible for the Abtrace website and any use of personal data carried out under Abtrace’s control. Abtrace is registered with the Information Commissioner’s Office (ICO) under registration no ZA517064.

This privacy policy tells you how Abtrace uses your personal data when you visit our websites, interact with us, and enquire about or use our products.

It also tells you about your privacy rights and how the law protects you.

It is important that you read this privacy policy, together with any other privacy policies we may provide, so that you are fully aware of how and why we are using your data.​

This privacy policy was updated on 01/Jul/2024 in compliance with the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018.

If you have any questions, or would like to exercise your privacy rights, please see ‘How to contact Abtrace about privacy’ below.​

3. Your personal data and how we use it

Personal data, or personal identifiable information (PII), is information about an identified or identifiable individual. It does not include data which is not about an identified or identifiable individual or personal data rendered anonymous in such a manner that the individual is no longer identifiable (anonymous data).

Through our website at www.abtrace.co, you can contact us through the available form, chatbot, email or telephone provided. This website is not intended for children aged under 16.

We do not request or knowingly collect:

• Data relating to children;
• Special Categories of Personal Data (personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation); or
• Criminal Offence Data (personal data relating to criminal convictions and offences).

We aim to collect the minimum amount of information required for each specific purpose and roles by which you might interact with us. Below you will find what personal data is collected and how and why it is collected and used by Abtrace:

3.1 Visitors to the Abtrace website:

• Direct contact with us through our form or chatbot: we collect your First & Last Name, your email address, and any other information you chose to share with us. We might ask, at a later stage, additional information which can include your Job role, your Institution’s Name & ODS code, Address and Telephone number. We use this information to respond to your query. We use a third party Customer Relationship Management (CRM) system to store this information, which is retained for up to 24 months.
• If you interact with us through social media, this may include your social media user name.
• Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
• Usage Data: includes information about how you use our website.
• Tracking Data: includes information we or others collect about you from cookies and similar tracking technologies, such as web beacons, pixels, and mobile identifiers.
• Marketing and Communications Data: includes your preferences in receiving direct marketing from us and our third parties and your communication preferences.

We may collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law, as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect:

• any Profile Data, Financial Data or Transaction Data through the Abtrace website.​
• any Special Categories of Personal Data or Criminal Offence Data about you via the Abtrace website.

3.2 Healthcare Institution Representatives

Healthcare Institutions are the intended buyers of our software products. In the role of representative, we collect different types of personal data to fulfil specific purposes including:

• Prospective client: First & Last Name, your Job role and Email, your Institution’s Name ODS code (when applicable) and Address and Email, email content and metadata. We use this information to support conversations about our software products. We use a third party CRM system to store this information, which is retained for up to 48 months after last action.
• New client: First & Last Name, your Job role and Email, your Institution’s Name, ODS code and Address, email content and metadata. We use this information to support setup of the Data Processing Agreement (DPA) with your institution, which will outline the specific privacy policy for contracted customers, including an outline of the data which we will collect and/ or process about you and your institution. The DPA will describe how we will collect, store, protect and retain your data. We will never collect this data via our website. This information is stored in third party systems for our CRM, email and document management systems and retained according to the agreement signed.

3.3 Health and Care Professionals

Health and Care Professionals are the intended Users of our software product. In that role, we collect different types of personal data to fulfil specific purposes:

• Registration at the Abtrace User Management Portal: we collect your First & Last Name, the Name of the Institution you work at and your email address. We collect this data to associate you to your organisation, get you onboarded and be able to provide the best possible support to you as a user. Data is stored and retained according to the agreement signed with your institution.
• Ongoing Use of the Abtrace Software: We record when and how you use the product, to troubleshoot any technical issue occurring with usage of the product. Data is stored and retained according to the agreement signed with your institution.‍
• Direct contact with us through the Abtrace website: see section 3.1 above.
  

3.4 Patients

Patients are the intended beneficiaries of our software product, which is used by healthcare institutions to aid delivery of their care.

• Usage of the Abtrace Software: this is outside the scope of this privacy policy (see section 1 above). Healthcare institutions retain overall control and legal responsibility for the use of patients’ personal data as part of their care (data controller), and Abtrace is appointed by the data controller under a contract to process the personal data strictly on their behalf and in accordance with their instructions (data processor). For more information and to exercise your privacy rights in respect of this, you should contact the healthcare institution directly.
• Usage of the Patient Portal: Healthcare institutions may use the Abtrace Software to send SMS or Email with an invitation link which patients can use to directly book, or request, appointments via the Patient Portal. The consent to communication recorded in the medical record is respected. As described in ‘3.4 Patients - Usage of the Abtrace Software’, this is outside the scope of this privacy policy (see section 1 above).‍
• Direct contact with us through the Abtrace website: see section 3.1 above.
  

3.5 Job applicants

When you apply to our open positions, we collect different types of personal data according to the stage of the recruitment process.

• Direct contact with us through our website: see section 3.1 above.
• Recruitment process: we may additionally collect personal information from you, your agent, your referee about your right to work. We retain this data for 6 months after end of employment.

3.6 Disclosures of your personal data

We may share your personal data (with the parties set out below for the purposes set out in this privacy policy. We may also share your personal data if the law otherwise requires or allows it.

We may share personal data with the following category third parties:

• Suppliers and service providers to Abtrace (such as technology, software as a service and data hosting providers, payment processing and fraud prevention providers, manufacturers and post and courier services);
• Auditors, compliance organisations and professional advisers like bankers, lawyers, accountants, standards auditors, accreditation and certification framework organisations and insurers; and
• Government, regulators, and law enforcement.

We do not currently share personal data of any type with third parties connected to advertising other than our website provider, which has inbuilt analytics services.

We may share data with third parties to whom we may, in the future, choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

4. Our lawful basis for using your personal data

Under data protection law we must have a valid lawful basis to use your personal data.

Our main lawful basis for using or disclosing your personal data that is it is necessary for the purposes of our legitimate interests as a business, to enable us to promote, provide, manage and develop our products; to manage our business and staff; and to protect you, our business, staff and customers. We make sure that we consider and balance any potential impact on you before we process your personal data for such purposes. You also have a right to object to us doing so (see section 8 below) and may contact us for further information (see section 9 below).

We may also use or disclose your personal data where it is necessary for compliance with a legal obligation that we are subject to.

We do not request or knowingly collect any Special Categories of Personal Data or Criminal Offence Data.

Where we are acting as a data processor only, the data controller determines the lawful basis and you should contact them for more information (see section 1 above)

5. International transfers

Whenever we transfer your personal data out of the UK or EEA, we will comply with applicable data protection law. This includes ensuring appropriate safeguards are in place to protect your personal data and your privacy rights.

Some of our external third-party providers are based outside the UK and EEA, so their processing of your personal data will involve a transfer of data outside the UK and EEA.

6. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. This is outlined in our IT Security Policy. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Third-party links

The Abtrace website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy policy of every website you visit.

8. Your legal rights

You have rights under data protection laws in relation to your personal data:

• The right to be informed – that’s an obligation on us to inform you how we use your personal data (and that’s what we’re doing in this privacy policy);
• The right of access – that’s a right to make what’s known as a ‘data subject access request’ for copy of the personal data we hold about you;
• The right to rectification – that’s a right to ask us to correct personal data about you that may be incomplete or inaccurate;
• The right to erasure – that’s also known as the ‘right to be forgotten’ where in certain circumstances you can ask us to delete the personal data we have about you (unless there’s an overriding legal reason we need to keep it);
• The right to restrict processing – that’s a right for you in certain circumstances to ask us to suspend processing personal data;
• The right to data portability – that’s a right for you to ask us for a copy of your personal data in a common format (for example, a .csv file);
• The right to object – that’s a right for you to object to us processing your personal data (for example, if you object to us processing your data for direct marketing); and
• Rights in relation to automated decision making and profiling – that’s a right you have not to be subject to a decision based solely on automated processing, including profiling, which has legal effects concerning you or similarly significantly affects you. Please note that we do not undertake such automated decision-making.

​These rights are subject to certain rules around when you can exercise them and when we may refuse your request. You can see a lot more information on them, if you are interested, on the UK Information Commissioner’s Office website.

If you wish to exercise any of the rights set out above, please contact us (see section 9 below).

​You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.​

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

​We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.​

We have appointed a Data Protection Officer (DPO), who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details in section 9 below.​

You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). The ICO will, however, typically expect you to have given us the opportunity to resolve your concerns directly before you approach the ICO, so please contact us in the first instance.​

9. How to contact Abtrace about privacy

If you have any questions about this privacy policy, or would like to exercise any of your rights, please email us at dpo@abtrace.co, heading your email with the title ‘Information Governance Query’ or write to us with your letter addressed to: Data Protection Officer, Abtrace, 8 Hermitage St, Paddington, London W2, 1BE, United Kingdom.

10. A small request from Abtrace to you

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. You can do this by emailing us. Thank you.

​11. Changes to this privacy policy

We may update our privacy policy to reflect changes that may occur to our website and/or the services we offer. Be sure to check in and have read every now and then. Thank you.