At Annalise.ai we are committed to protecting your personal data. This Privacy Notice (Privacy Notice) explains how Annalise-AI Pty Ltd (ACN 635 645 260) and affiliates (see Group Entities below) (Annalise.ai, we, us or our) process, hold, use, manage and secure personal data that we collect about you and/or your organisation and the rights and choices you have regarding your personal data.
All references to data, personal data and personal information in this Privacy Notice refer to any information (held in any form) which can be used to identify an individual person.
We aim to align our privacy compliance principles with the standards of the EU GDPR (General Data Protection Regulation), while adhering to applicable privacy laws (Data Protection Laws). We only use and process your personal data in a manner that is consistent with this Privacy Notice.
This Privacy Notice applies to anyone who interacts with us in any way or form (email, phone, website etc). We collect your personal data to maintain and operate our business and to communicate with you.
We may handle and manage your personal data differently depending on our relationship with you, as one or more of the following:
- a radiologist, medical imaging provider, hospital, clinical staff or other health professional (Clinician) of a clinic, hospital, radiology practice or company authorised to use our products (Clinic or Customer) using, or interested in using, our AI-enabled medical imaging software and products (Products) and/or referring personal data to us, including patient information/imaging;
- a patient of a Clinician using the Products (Patient) (please see Patient Data);
- a visitor to our website accessible at the domain ‘Annalise.ai’ (Website) and/or a subscriber to our newsletter and other marketing materials (Visitor); or
- a contracted service provider providing goods or services to us, or business partner (Supplier).
If you are applying for a job at Annalise.ai, please see our Employee Privacy Notice for more information on how we handle your personal data.
WHAT TYPES OF DATA DO WE COLLECT?
We collect different types of personal data from you depending on our relationship with you and your interactions with us and our Website.
If you choose not to provide the personal data to us, or do not provide us with accurate personal data, you may not be able to use the product or feature, or we may not be able to undertake certain activities for you.
The types of personal data we collect may include, but are not limited to, the following:
- contact details (name, address, mobile, email etc.);
- work contact details/ business contact information (work address, company name, work email, work phone number and job title);
- your customer account login information (e.g., login credentials);
- analytics data;
- free text feedback;
- customer payment information (e.g., credit card, bank account or other details to facilitate payments);
- supplier payment information (e.g., company bank account details or other details to facilitate payments); and
- information collected using cookies and other technologies on our Website (you can find further information in our Cookie Notice).
HOW DO WE COLLECT PERSONAL DATA?
We collect your personal data by various means, including but not limited to, the following:
- directly from you;
- directly from your organisation when you supply goods and services to us;
- via other third parties (e.g., our suppliers and merchants);
- direct mailing or online marketing;
- exhibitions and trade events;
- directly from you or your Clinic, if you or your Clinic:
  - buys or registers for products or services to or from us;
  - requests information about us or our products or services;
  - provides feedback;
  - responds to a survey;
  - fills in a form or a request for services (including an application for an account with us);
  - fills in a form on our Website (including a registration form to register as a Clinician);
  - otherwise provides it to us via the Website, over the phone, via email or in-person; or
- if you are a Clinician or other person interested in our Products, from another Clinician or person who registers you with us on your behalf; and
- if you are a Patient, we only collect your personal data from your Clinician or Clinic.
HOW DO WE USE YOUR PERSONAL DATA?
We may also use the personal data that we collect about you for the following purposes:
- to ensure that content from our Website is presented in the most effective manner for you and your device(s);
- to understand how you use our website, apps or other technology, including IP address or other device information (please see our Cookies Policy for more details);
- if you subscribe to our mailing list, to provide you with news and updates about our company and our activities and you may opt out from this at any time by contacting us or by clicking ‘unsubscribe’ in any of our emails;
- if you send us a query via our Website, to reply to your query, or to provide information you have requested;
- to enter into, perform, manage and administer your (or your Clinic’s) contractual relationship with us, including any trial of the Products, pilot testing, integration testing, after-sales support, technical support, opening and managing your account with us, billing and collection activities, and providing you with other services that you (or your Clinic) may have requested;
- to analyse and improve the Products and other products and services we provide;
- to provide you with direct marketing materials including promotional material about us or the products or services we offer and inviting you to participate in surveys. You may opt out of receiving direct marketing material by contacting us or by clicking ‘unsubscribe’ in any of our messages;
- to conduct business and service dealings with you, including to contact you in relation to:
- products or services we are ordering or receiving from you; and
- to provide you with information, products or services you have requested;
- to maintain and protect the security of our premises and facilities, IT systems, databases, websites or other digital infrastructure, including identifying, preventing and detecting security incidents, improving data security and protecting against malicious, deceptive, fraudulent or illegal activity, providing support services, testing and maintenance of our systems;
- to prevent misuse of our products or services;
- to carry out evaluations of our service quality and timeliness (which may include providing de-identified/anonymised information to other contracted third parties to assist us with these activities);
- to comply with our legal or regulatory obligations, such as record keeping, disclosures to tax or other regulatory authorities; and
- to establish, exercise and defend legal claims and to investigate and resolve disputes.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process your personal data for the purposes set out above and where applicable on the legal bases set out in the following table:
PURPOSE | LEGAL BASIS |
Clinicians / Customers | |
Perform our contract with you or your Clinic as our Customer | |
Analytics, Product and service improvement | |
Direct marketing | |
Contact regarding products or services requested and providing related information | |
Patients | |
Analysis | |
Visitors | |
Website presentation | |
Mailing list subscription | |
Respond to questions and enquiries | |
Suppliers | |
Contact regarding products or services ordered and providing related information | |
Everyone | |
Identifying and preventing security threats to facilities, premises and systems | |
Incident or accident notification | |
Compliance activities | |
Establishing, exercising and defending legal claims, fraud detection, product misuse, credit checks and regulatory authority checks and requirements | |
HOW DO WE DISCLOSE PERSONAL DATA?
We may share your personal data with the parties set out below for the purposes set out in the table above.
- our contracted service providers domestic or abroad (e.g., legal, financial and other professional advisers, auditors, website host) who will process personal data for the permitted purposes on our behalf and in accordance with our instructions only. We will use appropriate safeguards as required by Data Protection Laws regarding the integrity and security of your personal data when engaging such service providers;
- the members of the Group Entities;
- third parties (where required and permitted by law);
- any prospective purchaser if we sell or transfer any part of our business or assets; and
- public authorities or governmental bodies such as regulatory or enforcement authorities, attorneys or courts, where we are required to do so by applicable law or regulation or at their request if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Other than listed above, we will only disclose your personal data when you direct or give us permission, when we are required by applicable law to do so, or when we suspect fraudulent or criminal activities.
We do not sell your personal data to third parties for marketing purposes.
PATIENT DATA
If you are a Patient, we encourage you to refer to the privacy notice of the Clinic that you attended for your medical examination for information about how your personal data is used, handled or managed by them, or authorised for us to process under the Clinic’s instructions.
We may collect from your Clinician some of your personal data for analysis, including:
- medical imaging pictures/ scans;
- patient studies; and
- associated metadata (e.g., name, age, date of birth and an identification number unique to you as a patient), (Information Package).
Where agreed with your Clinician or Clinic, we may also de-identify/ anonymise the Information Package. This process involves permanently removing any data in the Information Package to ensure that we cannot link the data in the Information Package to identify you.
Only as instructed by your Clinician or Clinic, we may share your personal data with your Clinician, your Clinic and any other health professional elsewhere that your Clinician or Clinic has asked us to share it with.
We may use the Information Package for the following purposes:
- analysis, and to assist in the interpretation of medical images, as requested by, and on behalf of, your Clinician or Clinic; and
- to perform AI-driven analysis on the Information Package we receive from your Clinician to produce findings and associated observations in relation to that Information Package and return those findings to your Clinician or Clinic.
We support ethically approved clinical research. If you are a Patient located in Australia or New Zealand or if agreed by your Clinician or Clinic, we will de-identify (or anonymise as required) your personal data to use it for research, statistical purposes and our product development purposes, including to improve our AI model. The de-identification/ anonymisation process involves permanently deleting any information/ data that could be used to identify you, to ensure that there is no reasonable likelihood of re-identification occurring. Occasionally, and only where permitted under applicable Data Protection Laws, we may share the de-identified/ anonymised information with other research institutions/ academic bodies for clinical research purposes. This is done only under strict confidentiality obligations, with a limited purpose to prevent the data being used for commercial gain by them.
INTERNATIONAL TRANSFERS
We may transfer your personal data to countries outside of the country where you reside, or where we provide services to you or your organisation to fulfil our business obligations or contracted services. We may disclose personal data to Clinics, Clinicians, members of our Group Entities, as well as certain third-party service providers (including Suppliers), including those located in Australia, Singapore, USA, Canada, the Netherlands, Vietnam, Europe, the United Kingdom and India.
A list of these third parties is available on request. Email: privacy@annalise.ai
DATA SECURITY AND HOW WE STORE PERSONAL DATA
Your personal data will generally be stored in secure cloud systems using Amazon Web Services.
We take reasonable steps to protect your personal data from misuse, interference and loss, and from unauthorised access, modification, destruction or disclosure in accordance with Data Protection Laws and our own data security policies and procedures. These security measures include the following:
- redundancy protection and monitoring;
- strict access controls;
- in-transit and at-rest encryption; and
- industry-standard authentication protocols.
In addition, all our employees are trained in privacy compliance and are required to protect your personal data and comply with this Privacy Notice.
DATA RETENTION
We will retain your personal data for as long as is required for the permitted purposes, or longer if otherwise required by law or regulation (e.g., for the duration of any record retention periods required under applicable law).
To determine the appropriate retention period for personal data, we consider:
- the amount (using data minimisation), nature and sensitivity of the personal data;
- the potential risk of harm from unauthorised use or disclosure of your personal data;
- the purposes for which we process your personal data and whether we can achieve those purposes through other means;
- the applicable legal, tax, accounting or other regulatory requirements; and
- how long it is reasonable to keep the personal data in our records to complete our contractual obligations and to comply with the law.
YOUR DATA PROTECTION RIGHTS
You have the following legal rights in relation to this Privacy Notice:
- Access – You may request access to the personal data we hold about you. In some instances, reasonable charges may apply to provide copies.
- Correction / rectification – You have the right to request that we correct / amend any personal data we hold about you which you believe is inaccurate.
- Erasure / (right to be forgotten) – You have the right to request that we erase/ delete your personal data.
- Restriction of processing – You have the right to request that our Company restrict the processing of your personal data.
- Object to processing – You have the right to object to the processing of your personal data. For example: you have the right to object to the use of your personal data for direct marketing purposes.
- Data Portability – You have the right to request that we send the data that we have collected to another organisation, or directly to you, under certain conditions and in a format that can be read by computer.
- Withdrawal of consent – If you have given us your consent for the processing of your personal data you may withdraw your consent at any time with future effect, i.e., the withdrawal of your consent does not affect the lawfulness of processing done based on the consent before its withdrawal. If you withdraw your consent, we will promptly delete the relevant data unless there is another legal ground permitting or requiring us to retain and continue processing such data.
For any of the above subject access requests, you will be required to verify your identity. Accordingly, please send a description of your personal data in writing stating your name and your relationship with us (if applicable) to the contact details below. In some cases, we may require proof of identity to verify your request and to protect your personal data against unauthorised access. We will carefully consider your request and may discuss with you how it can best be fulfilled.
Patients and Clinicians
If your personal data is processed under Data Protection Laws where your Clinic is the data controller (see “Controllers” below), your Clinic is the party responsible for managing the exercise of your subject access rights under the applicable Data Protection Laws. For any data subject rights requests, or if you have any queries in this regard, please contact your Clinic directly.
MARKETING
Where your consent is required for any direct marketing-related communication, we will only provide you with such information if you have opted in. You may opt out at any time by clicking the unsubscribe or opt-out links in any electronic marketing communication we send to you or by using the contact details in the “Contact Details” section below.
PRIVACY POLICIES OF THIRD PARTIES
Our website contains links to other websites. Our Privacy Notice applies only to our website, so if you click on a link to another website, you should read their Privacy Policy / Notice.
HOW TO CONTACT US & GROUP ENTITIES
If you have any questions about this Privacy Notice, the personal data we hold about you, or you would like to exercise one of your data protection rights, please contact us using the details below:
Australia:
|
United Kingdom:
|
North America:
|
Netherlands:
|
Vietnam:
|
India:
|
HOW TO CONTACT THE APPROPRIATE AUTHORITY
If you feel that your privacy has not been respected or that we have conducted ourselves inconsistently with this Privacy Notice, the applicable Data Protection Laws, or for any other queries, problems, complaints or communication in relation to this Privacy Notice, please send your complaint to the Annalise.ai Privacy Officer at the address above.
If you are a Patient or if you are a Clinician and we process your personal data as a processor, we will forward your complaint directly to your Clinic who is the responsible controller for your personal data and will be in the best position to assist you.
You may also submit a complaint to the competent data protection supervisory authority in your country as follows:
Australia:
|
United Kingdom:
|
India:
|
EU:
|
CONTROLLERS
Certain Data Protection Laws regulate legal entities, public authorities, agencies or individuals that determine the purposes and means of processing personal data (i.e., ‘Controllers’). Where Data Protection Laws regulate Controllers, the entities that may be Controllers in the context of this Privacy Notice may include:
- one or more of our Group Entities that is in business contact with you or identified in our communications with you;
- where you are a Clinician or Patient, your Clinic for Patients or Clinicians; or
- your Clinic for Clinicians where we process your personal data to perform our contract with your Clinic.
CHANGES TO THIS PRIVACY NOTICE
2023 Privacy Notice – effective September 2023.
From time to time we make changes to our policy, processes and systems in relation to how we handle your personal data, including to take into account new laws, regulations and technology. Please visit our website www.annalise.ai/privacy to obtain a copy of the latest version of this Privacy Notice at any time.
COUNTRY ADDENDUMS
These addendums may apply to our processing, use or management of your personal data depending on where you reside or where you otherwise have rights under applicable Data Protection Laws within a certain region, country or state.
EUROPE AND UK
In certain circumstances we may transfer personal data to countries or regions outside of the United Kingdom or European Economic Area. These countries or regions may not offer the same level of data protection as your local privacy laws or GDPR and are not recognised by the European Commission as providing an adequate level of protection. Accordingly, we apply appropriate contractual safeguards to ensure the reasonable security, purpose limitation, access, recourse, enforcement of your privacy rights and integrity of your personal data (including entering the EU or UK standard contractual clauses (as applicable)) where we do transfer your personal data outside of the United Kingdom or the European Economic Area.
CALIFORNIA – ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS
In some circumstances, the California Consumer Privacy Act of 2018 (CCPA) permits you to request information regarding the disclosure of certain personal data to third parties for direct marketing purposes if you are a California resident. We do not sell or share personal data for the purposes of the CCPA and we have not sold the personal data of any Californian resident to third parties in the preceding 12 months.
DATA PROTECTION FOR CALIFORNIA CONSUMERS UNDER THE CCPA
If the CCPA applies to us and you are an individual residing in the State of California, you have the right to: (a) request that we disclose what personal data we collect, use, disclose and sell about you; (b) request deletion of the personal data you have provided to us; and (c) be free from discrimination by us as a result of you exercising your rights under the CCPA.
Under the CCPA, the above rights do not apply to, and “personal data” does not include, certain categories of information, such as: (i) publicly available information from government records; (ii) deidentified or aggregated consumer information; (iii) health or medical information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act or clinical trial data.
If these rights apply to you and you wish to exercise any of these rights, you must submit a verifiable Consumer Request by email: privacy@annalise.ai. In accordance with the CCPA, you can also designate a third-party agent to exercise your CCPA rights on your behalf.
If you are a Clinician or Patient and you would like to exercise the above rights, you must contact your Clinic.