Jul 5, 2023
Version #0.1.0 • Created: Wed, 03 Aug 2022 12:45:45 -0400 • Last Modified: Fri, 13 Jan 2023 08:52:26 -0500
Momentum Health - Privacy Notice
Introduction and Scope
This document is provided as a template to assist the privacy officer and legal counsel in generating a privacy notice to users and data subjects about the use and processing of their personal data. It is recommended that a thorough review of all privacy and other legal requirements be conducted when drafting the formal privacy notice and publishing it for data subjects to review before the collection of their personal data.
Data Controller and Data Processor
The Momentum Health (“we”, “us”, “our”) application can be used as an intermediary tool between a physician and his patient for remote management and monitoring of spine deformities. In such a case, physicians are our business customers and act as data controllers for most of the information that is entered into the Momentum Health mobile application (“App”) and web application (physician app), website, and supporting systems or that is shared periodically with Momentum Health employees to deliver services (collectively with the App, the “Platform”). This positions us as the data processor for most personal data stored and processed through the Platform.
It is also possible to use the App as a standalone service for users to monitor their spine deformities themselves without being followed by a physician (collectively, the “Services”). In this situation, we mainly act as the data controller of your personal data.
In both situations there are some pieces of information that are collected directly by us to facilitate security, logging, and application performance. For these pieces of information, Momentum Health acts as the data controller and processor.
The purpose of this privacy notice is to describe how we collect, use, disclose, retain and otherwise process personal data in the course of our services. While scoliosis and other spine deformities frequently affect individuals of young age, we must ensure that this notice is directed to the right person and must therefore validate that we obtain consent to the processing of personal data from
· the patient’s parent in any situation where the “patient” is under 13 years old; or
· the patient her/himself where she/he is 13 years old or older.
For the purpose of this privacy notice, “you” means either of these two persons as applicable, and “patient” means the individual whose spine deformities would be managed or monitored through the App, with the understanding that “you” may be the patient as long as you are 13 years old or older. If you’re reading this but are under 13 years old, this document is not for you, but rather for mom, dad or your legal tutor, who must read this and provide verifiable consent in accordance with applicable privacy laws.
If you have any questions or concerns about the processing and handling of patient personal data, you may reach out to Momentum Health’s Privacy Officer at firstname.lastname@example.org.
Types of Data Collected
The App/Platform collects the following types of personal data about patients: email address, phone number, first name, last name, province, state, country, ZIP/Postal code, city, address, video of patient’s body (with patient’s face blurred to the extent video is captured in accordance with our instructions) to generate 3D model, shoulder symmetry, trunk shift, patient’s physician name, patient’s weight and height as well as patient’s surgical history. If using the App as a standalone service, we will collect this data directly from you, and if the App is used as part of the Platform with a physician, it is generally collected through the physician.
Mode, Place, and Methods of Processing the Data
Momentum Health takes appropriate security measures to prevent unauthorized access, disclosure, modification, or data destruction. Those include physical, administrative, technical and technological safeguards designed to protect personal data taking into account its quantity, sensitivity, and the underlying risks for data subjects’ rights and freedom. Notably, we use multi-factor authentication and encrypt any sensitive personal data in our database when saving and decrypt it when viewing.
Personal data is processed using computers or tech-enabled tools, following organizational policies and procedures strictly related to the purposes indicated. In some cases, data may be accessible to Momentum Health employees involved with our App or our Platform’s operation, solely on a need-to-know and need-to-access basis. Data may also be accessible to external parties appointed, if strictly necessary, as data processors or sub-processors by us. External parties may include third-party technical service providers, hosting providers, and IT companies, which are bound by a binding written agreement with provisions required under applicable law, including restrictions limiting their processing to only what is necessary for them to provide the services we need from them in the context of our own services. Those parties are listed in this privacy notice (see below).
Legal Basis of Processing
Momentum Health may process personal data relating to users if one of the following applies, to the extent provided or permitted under applicable privacy law:
· You have given consent for one or more specific purposes.
· Provision of personal data is necessary for the performance of an agreement with you.
· Processing is necessary for compliance with a legal obligation.
· Processing is necessary for the legitimate interests pursued by the controller or by a third party.
In any case, Momentum Health will gladly help clarify the specific legal basis that applies to the processing, mainly whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract.
The data is processed at Momentum Health’s operating offices, hosting facilities, and, for some data, third-party sub-processors. The majority of data is stored and processed within Canada. In some cases data may be stored within the US or EU via third-party sub-processors to the extent permitted under applicable laws.
Depending on the user’s location, data transfers may involve transferring the user’s data to a country other than their own. To find out more about the processing of such transferred data, users can consult the section containing details about the processing of personal data. Users are entitled to learn about cross-border data transfers. If any such transfer occurs, users can find out more by checking the relevant sections of this document or inquiring directly with Momentum Health.
Personal data is processed and stored for as long as required to fulfill the purpose for which it is collected.
Personal data collected for the performance of a contract between Momentum Health and a business customer is retained until such contract has been entirely performed or the business customer asks for the data to be deleted.
Personal data collected for Momentum Health’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding Momentum Health’s legitimate interests within the relevant sections of this document or by contacting Momentum Health.
Momentum Health may be allowed to retain personal data for a more extended period whenever the user has given consent to such processing, as long as the purpose of processing disclosed to the user has not been accomplished and such consent is not withdrawn. Furthermore, Momentum Health may be obliged to retain personal data for a more extended period whenever required to perform a legal obligation or upon order of an authority.
Once the retention period expires, the user’s personal data will be securely deleted.
The Purposes of Processing
The data concerning the user is collected to allow Momentum Health to provide its services, as well as for the following purposes: user database management, managing contacts and sending messages, handling payments, interaction with external social networks and platforms, contacting the user, hosting and backend infrastructure.
Users can find further detailed information about such purposes of processing and the specific personal data used for each purpose in the respective sections of this document.
Detailed Information on the Processing of Personal Data
Personal data is collected for the following purposes and using the following services and third parties:
Performing the Services
To perform the Services, we collect and process video of patient’s body (with patient’s face blurred to the extent video is captured in accordance with our instructions) to generate 3D model, shoulder symmetry, trunk shift, patient’s physician name, patient’s weight and height as well as patient’s surgical history.
Contacting the User
Mailing List or Newsletter (The Momentum Health Web Application)
By registering on the mailing list or for the newsletter, your email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning the Momentum Health web application. Your email address may also be added to this list due to signing up via the Momentum Health website or the Momentum Health web application, or after making a purchase. You may unsubscribe at any time from commercial emails and other types of commercial electronic communications by clicking the unsubscribe mechanism provided within such communications.
Personal data collected: address, city, company name, cookies, country, email address, first name, last name, phone number, job role, province, state, usage data, and ZIP/Postal code.
Phone Contact (The Momentum Health Web Application)
Users that provide their phone number might be contacted for commercial or promotional purposes related to the Momentum Health web application (to the extent permitted under applicable laws, including in accordance with consent requirements where applicable) or for fulfilling support requests.
Personal Data collected: phone number.
Contact Form (The Momentum Health Web Application)
By filling in the contact form with patient’s personal data, you authorize the Momentum Health App to use these details to reply to requests for information, quotes, or any other kind of request as indicated by the form’s header.
Personal data collected: address, city, company name, country, email address, first name, last name, phone number, job role, province, state, and ZIP/Postal code.
Displaying Content from External Platforms
This type of service allows users to view content hosted on external platforms directly from the pages of the Momentum Health web application and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when users do not use it.
Payment processing services enable the Momentum Health Platform to process payments by credit card, bank transfer, or other means, through the Apple Pay or Google Pay functionalities of your mobile device. The Platform shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of these services may also enable sending timed messages to you, such as emails containing invoices or notifications concerning the payment.
Hosting and Back-End Infrastructure
This type of service has the purpose of hosting data and files that enable the Momentum Health Platform to run and be distributed. Additionally, these services provide the infrastructure to run specific features or parts of the application. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the personal data is stored.
Azure is a hosting and backend service provided by Microsoft Inc.
Managing Contacts and Sending Messages
This type of service makes it possible to manage a database of email contacts, phone contacts, or any other contact information to communicate with you.
User Database Management
This type of service allows Momentum Health to build user profiles by starting from an email address, a personal name, or other information that the user provides to this application and then tracking user activities through analytics features. This personal data may also be matched with publicly available information about the user (such as social networking profiles) and used to build private profiles that Momentum Health can display and use for improving this application.
Some of these services may also enable sending timed messages to the user, such as emails based on specific actions performed on the Momentum Health website and Momentum Health web application.
Selling Goods and Services Online
The personal data collected is used to provide the user with services or goods, including payment and possible delivery. The personal data collected to complete the payment may include the credit card information or the bank account used for the transfer, or any other possible means of payment. The kind of data collected by this application depends on the payment system used.
Further Information about Personal Data
The Rights of Users
You may exercise certain rights regarding patient’s personal data processed by Momentum Health.
Depending on the circumstances, including the jurisdiction in which patients are located, you may be entitled to a variety of rights regarding their personal data. Those may include the following:
Withdraw their consent at any time. You have the right to withdraw consent after you have previously given your consent to the processing of patient personal data. Please note, however, that you must be informed that consent withdrawal may prevent us from fulfilling requests for services, providing our services or some of them depending on the data involved.
Object to processing of their data. You have the right to object to the processing of patient data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access their data. You have the right to learn if Momentum Health is processing patient personal data, obtain disclosure regarding certain aspects of the processing, and obtain a copy of the data undergoing processing.
Verify and seek rectification. You have the right to verify patient personal data accuracy and ask for it to be updated or corrected.
Restrict the processing of patient data. You have the right, under certain circumstances, to restrict the processing of patient data. In this case, Momentum Health will not process patient personal data for any purpose other than storing it.
Have patient personal data deleted or otherwise removed. You have the right, under certain circumstances, to obtain the erasure of patient personal data from Momentum Health.
Receive patient data and have it transferred to another controller. You have the right to receive patient data in a structured, commonly used, machine-readable format, and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on your consent, on a contract that you are part of, or on pre-contractual obligations.
Lodge a complaint. You have the right to bring a claim before their competent data protection authority.
Details About the Right to Object to Processing
Where personal data is processed for the public interest, in the exercise of an official authority vested in Momentum Health or for the legitimate interests pursued by Momentum Health, you may object to such processing by providing a ground related to their particular situation to justify the objection.
How to Exercise These Rights
Any requests to exercise those rights can be directed to Momentum Health’s Privacy Officer through the contact details provided above. They are subject to the validation of your and the patient’s identity and other legal requirements as the case may be. These requests can be exercised free of charge and will be addressed by Momentum Health as early as possible and always within one month, subject to exceptions and other specific provisions provided under applicable laws.
Additional Information about Data Collection and Processing
Patients’ personal data may be used for legal purposes by Momentum Health in court or the stages leading to possible legal action arising from improper use of this application or the related services. You declare you are aware that Momentum Health may be required to reveal personal data upon request of public authorities.
Additional Information About Users’ Personal Data
In addition to the information contained in this privacy notice, this App may provide patients with additional and contextual information concerning particular services or the collection and processing of personal data upon request.
Information Not Contained in This Notice
This Notice does not cover the processing activities of our customers (physicians) and other independent third parties, which are responsible for adopting, maintaining and displaying their own privacy notice describing their practices over which we have no control. Please read their privacy notice carefully.
More details concerning the collection or processing of personal data may be requested from Momentum Health’s Privacy Officer at any time. Users may use the contact information at the beginning of this document.
How “Do Not Track” Requests are Handled
This application does not support “Do Not Track” requests.
To determine whether any of the third-party services it uses honor “Do Not Track” requests, users should read their privacy policies.
Changes to This Privacy Notice
Momentum Health reserves the right to make changes to this privacy notice at any time by giving notice to users on this page and possibly within this application or, as far as technically and legally feasible, sending a notice to users via any contact information available to Momentum Health. Users are strongly recommended to check this page often, referring to the date of the last modification listed at the top. Should the changes affect processing activities performed based on the users’ consent, Momentum Health shall collect new consent from the user where required and in the form required under applicable law.
Definitions and Legal References
Personal Data (or Data)
Any information that directly, indirectly, or in connection with other information—including a personal identification number—allows for the identification or identifiability of a natural person.
The individual using this application who, unless otherwise specified, coincides with the data subject.
The natural person to whom the personal data refers, also referred to herein as the “Patient”.
The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, as described in this privacy notice.
This refers to any additional third party who processes personal data on behalf of the data processor in fulfilling contractual obligations and services.
The person, public authority, agency, or other body that determines the purposes and means of processing personal data, including the security measures concerning the operation and use of this application.
The service provided by the Momentum Health platform or Momentum Health team.
European Union (EU)
Unless otherwise specified, all references made within this document to the European Union (EU) include all current member states of the European Union and the European Economic Area.
This privacy notice has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).
This privacy notice relates to the Momentum Health website, application, and supporting services unless otherwise stated within this document.