Luscii healthtech BV is a Dutch company. Our business activities take place in the European Economic Area (EEA) and, unless otherwise stated, our data is stored on servers within the EEA.
3. What personal data do we collect, for what purposes and for how long?
Personal data can be collected in a number of ways when using the Service. The appendix contains an overview of the information that Luscii can collect. It indicates what personal data is processed or can be processed. A distinction is also made between the data that we process from customers and the data from healthcare professionals who make use of the Service. The overview shows what personal data is processed, for what purpose, on what legal basis the processing is based, and how long the personal data is stored.
If you do not provide your personal information to Luscii or otherwise object to the use of your personal data by Luscii, you may be impeded in the use of the Service. The consequences of failing to provide or objecting to the processing of personal data are indicated below, per processing basis. Which personal data falls under which processing basis can be found, per Service, in the appendix.
Processing based on Luscii’s legal obligations:
- We may block or restrict your access to the Service and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data stated in this section is required to comply with our legal obligations.
Processing necessary for the execution of the agreement:
- You may be impeded in the use of the Service, and it is possible that the Service may not function effectively. We may block or restrict your access to the Service and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data stated in this section is required for the Service to function and perform effectively.
Processing necessary for Luscii’s legitimate interests:
- We may block or restrict your access to the Service and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data mentioned in this section are required to meet the legitimate interests of Luscii and to prevent misuse of the Service and avoid security incidents.
Processes for which your explicit consent is required:
- You may be impeded in the use of the Service, and it is possible that the App may not function properly. The personal details mentioned in this section are required for the App to function and perform effectively. Since this concerns sensitive personal data, however, your explicit permission is required for the processing of this personal data.
Processes for which your permission is required:
- You will not be impeded in the use of the Service. Refusing or withdrawing permission will not have any negative consequences for your use of the Service.
Appendix 1: Processing for Luscii Contact & Luscii Vitals.
Appendix 2: General processing (e.g. when not making use of the Service).
4. Sharing personal data
4.1 Sharing with Processors
We may engage third parties, such as hosting providers, to assist us in providing the Service. Those third parties may, in the context of their role in providing the Service, process your personal data. In this respect, such a third party is thereafter referred to as a ‘Processor’. We conclude processing agreements with these Processors.
We make use of the following types of Processors:
- analytical software (cookies) to improve our services (e.g. privacy-friendly Google Analytics);
- analytical software (cookies) for making offers (i.e. marketing);
- cloud services and hosting provider(s);
- email services providers;
- providers of services that collect health data;
- providers of services for managing customer and user information;
- video calling providers;
- push notification providers.
In some cases, the Processor may collect your personal data on our behalf. We inform the Processors that they may not use personal data that they obtain from us, except for the purpose of providing the Service. We are not responsible for any additional information that you provide directly to the Processors. It is your responsibility to inform yourself about the Processor and their company before disclosing personal data.
4.2 Sharing with your permission
From time to time, we may also share personal data with third parties if you give us permission to do so. For example, we may work with other parties to offer you specific services directly. If you register for these services from third parties, we may share the personal information you provide, such as your name or other contact information that we consider necessary, with the third parties so that our partner can provide services or contact you directly.
4.3 Our legal responsibility
We may share personal data if we can trust that it is permitted by law or if we are legally obliged to do so. We may also share personal data with third parties if it is necessary or appropriate to do so to comply with the law, if it is necessary to comply with legal requests from authorities, to respond to any claims to protect our rights, ownership or safety, and those of our users, employees and the public, and to protect ourselves and our users, without limitation, against fraudulent, abusive, inappropriate or unlawful use of the Service. We will inform you immediately of any requests received from an executive, administrative or other government agency that concern your personal data, unless this is prohibited by applicable law.
4.4 Anonymous information
Please note that nothing within the policy limits the sharing of anonymous information, which can be shared with third parties without your consent.
5 Protection of personal data
We employ appropriate technical and organisational security measures for the processing of personal data. We follow generally accepted standards for the protection of personal data, both during transmission and after receiving such data. We have taken the following measures for your protection:
- Access to our servers and infrastructure is only possible from certain secure servers with specific IP addresses, and is only accessible through a specific combination of keys.
- Access to our database is only possible using three-step authentication and personal accounts that are protected with a username and password. Only those who require access to the database for their task will receive such an account.
- We use a password policy to guarantee strong passwords. Passwords must be reset periodically.
- We use a firewall that is configured automatically through security scripts.
- We use virtual private clouds for each separate environment (testing, acceptance and production) to reduce risks.
- Saved data is always protected by encryption. Passwords are also hashed. Locally stored data (e.g. on iOS and Android) is also stored with encryption, in cases of sensitive information (medical or authentication details). Locally stored data will be deleted after logging out.
- We use SSL (Secure Sockets Layer) technology to encrypt incoming transmission data.
- The maximum number of incorrect login attempts is limited.
- All information entered by users is checked to ensure that no malicious data is uploaded.
- Software has been installed to detect malicious software in a timely manner.
- Security updates take place on a monthly basis.
- We monitor access to the back-end section to detect possible security breaches or other deviations.
- We make a daily backup of the database. Users who have access to the database do not have access to the backups to prevent unwanted database deletion.
- Cookies do not contain full authentication information, such as passwords.
- Information in cookies is deleted after logging out.
- Important information in cookies is encrypted.
- The duration of login sessions is limited.
- We have a strict policy regarding the use of data carriers (such as laptops and USB sticks).
- Access to the property is limited and the property is fully secured.
Please be aware that our Processors are responsible for processing, managing or storing (some of) the personal data that we receive. Processors are not authorised to use this information to advertise to you. These Processors are under contract, by means of a Processor Agreement, to protect the personal data that they have received from us.
However, no method of transmission over the internet or of electronic storage is 100% secure. As a result, we cannot guarantee absolute safety.
6 Links to third party sites
7 What choices do you have regarding the use of your personal data?
8 Your rights
You may request, at reasonable intervals, the transfer of your processed personal information, as specified by you, as long as the requested information does not contain personal data of other persons and as long as the requested information has been processed on the basis of your permission or that processing is necessary for the execution of the Service. We will respond to such requests within 4 weeks, once they have been received.
You have the right to file a complaint with the appropriate privacy authority that authorises our processing of personal data. In the Netherlands, this authority is the Dutch Data Protection Authority, which can be reached at https://autoriteitpersoonsgegevens.nl/.
1 Processing for Contact & Vitals
Necessary for the representation of the legitimate interests of Luscii, processing time up to 2 years after the end of the agreement.
- IP address
- User actions (login, logout, etc.)
Improving service and detecting errors
- Settings history
- App version
- iOS/Android device version
- Browser version
2 Other processing (e.g. when not using a Service)
When using the website:
Necessary for the representation of the legitimate interests of Luscii, processing time up to 3 years and 2 months after the last use of the website, unless technically not possible.
Processing for the security of the Service
- IP address
Functional cookies to improve your ease of use
- Completed form fields
Analysing cookies to improve Luscii Services
- IP address
- Via which website you found us
- Which pages you visited
- How long your visit lasted
- How you navigated through the website
When submitting your data:
Necessary for representing the legitimate interests of Luscii, processing time up to 6 months after last contact with Luscii.
To be able to answer your questions and provide you with information
- Email address
- Telephone number
- Other personal data entered in the contact field