When we refer to ‘we’, ‘us’ and ‘our’, we mean Proximie Ltd as the “Data Controllers”.

The General Data Protection Regulation (GDPR) requires organizations like us to provide a lawful basis to collect and use your information. Our lawful basis to collect and use information from our EEA users include when:

• We need it in order to provide you with the services and to carry out the core activities related to our provision of the services.
• We need to comply with a legal obligation.
• We have a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the services and to protect our legal rights and interests.
• You give us your consent to do so for a specific purpose.

Under GDPR you have the right to obtain:

• Confirmation that your data is being processed;
• Other supplementary information – that largely corresponds to the information provided in this privacy notice.

We will provide this information to you free of charge unless the request is ‘manifestly unfounded or excessive’, when we may choose to charge an administration fee or refuse to respond. We will endeavour to provide the information as soon as possible, and never more than one month after receipt of your request. To ensure data security we will request evidence of identification before we supply any personal data.

Where you tell us that the information, we hold on our records about you, is incorrect, we will update the data as quickly as possible, and no longer than one month after you have let us know.

The GDPR introduces the right to have your personal data erased. However, this is not absolute and only applies in certain and specific circumstances.

Proximie’s lawful basis for processing personal data is ‘for the performance of a task carried out in the public interest or in the exercise of official authority’. The right to erasure does not apply for this lawful basis.

You have the right to request that we restrict the processing of your personal data in certain circumstances. For example:

• You contest the accuracy of the data we hold. In this instance we will restrict your data until we have verified the accuracy of the data;
• The data has been unlawfully processed, but you oppose erasure and request restriction instead. This is unlikely, however if this is the case we will retain your data in this instance;
• We no longer need the data, and it will be removed under our data retention policy, but you require us to retain the information in order to establish, exercise or defend a legal claim. This is unlikely, however if this is the case we will retain your data in this instance;
• You have objected to us processing your personal data under the ‘right to object’ and we are considering whether our legitimate grounds override those of the individual.

You have the right to request organisations provide you with a copy of your personal data to allow you to move, copy or transfer it from one IT environment to another.

You have the right to object to the processing of your personal data in the performance of our tasks.

You have the right to object to us using automated processing techniques, such as profiling, in order to provide services – we can confirm that we do not, at present, carry out any automated processing of your data.

You have the right to request that we stop contacting you for marketing purposes or follow-up on any recruitment process.

Our service enables the effective transfer of clinical and surgical expertise in a simple, scalable and compliant fashion. Our award-winning, patented, augmented reality solution enables healthcare professionals to interact with each other across a wide variety of clinical and surgical applications, regardless of geographical location.

Proximie processes audio visual data of surgical operations performed in a clinical environment. This video is securely live streamed and securely stored on our cloud servers and is only accessible to health care professionals who are securely authenticated on the Proximie platform. The capture of any personal data in audio visual feeds is avoided, unless it is clinically unavoidable. We advise organisations who use the service to avoid capturing any identifiable personal data in audio visual recordings, secure messages and session names.

Even where Proximie has a legitimate interest in processing your personal data, it will not do so to the extent that processing would override your interests, rights and freedoms to protect your personal data.

We may also use your personal data to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use personal data for these purposes when it is necessary to protect, exercise or defend our legal rights, or when we are required to do so by applicable law.

Proximie Ltd uses AWS servers hosted in the US (which are covered by the EU-US Privacy shield), United Kingdom, United Arab Emirates and Kingdom of Saudi Arabia and in other jurisdictions. Proximie is expanding its territories and always seeks to geolocate and protect data where possible.

If you are an EEA resident, your personal data held by Proximie may be transferred to, and stored at, destinations outside the EEA that may not be subject to equivalent data protection laws, including the United States. When you sign up for service with Proximie or inquire about our services, we transfer your information to the United States and other countries as necessary to perform our agreement with you or to respond to an inquiry you make. It may also be processed by staff situated outside the EEA who work for us or for one of our suppliers.

Accordingly, by using our services, you authorize the transfer of your information to the United States, where we are also based, and to other locations where we and/or our service providers operate, and to its (and their) storage and use as specified in this Privacy Policy and any applicable terms of service or other agreement between you and Proximie. In some cases, Proximie may seek specific consent for the use or transfer of your information overseas at the time of collection. If you do not consent, we may be unable to provide you with the services you requested.

The United States, the United Kingdom, the United Arab Emirates and the Kingdom of Saudi Arabia and other countries where we operate may not have protections for personal information equivalent to those in your home country.

Where your information is transferred outside the EEA, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on a recognized legal adequacy mechanism, and that it is treated securely and in accordance with this Privacy Policy.

When you apply for a job with us, we will rely on your consent under article 6(1)(a) of the GDPR to process your data. If your application includes any special categories of data, for example relating to a monitoring of our application relating to minorities, disability or any additional needs you may have, we will rely on your explicit consent under Article 9(2)(a).

We need this information to process your application, and to keep a record of the applications made. We may keep your CV and personal contact details in order to offer you further opportunities in the future.

We hold your data for three years after the process is complete, if you are unsuccessful.

When you respond to our marketing campaigns, we will keep your personal contact details with your consent under article 6(1)(a) of GDPR. We may also collect names and contact details through other suppliers who provide marketing databases. In these cases we will always assure ourselves that we have your consent to contact you. In compliance with the Privacy and Electronic Communication Regulations, we will always offer an ‘opt-out’ as part of these campaigns.

We need your personal data in order to offer our services to you, and we keep a database of contact details in our systems.

We hold your personal data in this respect for three years, or until you tell us you no longer wish to receive marketing contact from us, at which point we delete it.

Cookies are files with a small amount of data that are commonly used as anonymous unique identifiers. These are sent to your browser from the websites that you visit and are stored on your device’s internal memory.

This Service does use these “cookies” for session management. The app may use third party code and libraries that use “cookies” to collect information and improve our and their services. Data sent to these third-party’s services will not involve electronic patient health or personal identifiable information. You do not have the option to refuse these cookies. You will not be able to use Proximie without accepting their use.

You can control and/or delete cookies as you wish – for details, see www.aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work. As mentioned above, you will not be able to opt-out of any cookies or other technologies that are “strictly necessary” for the services. Where you have not set your permissions, we may also separately prompt you regarding our use of cookies on the site or the Proximie’s platforms.

Our services and websites may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

Proximie utilises Tableau on premise solutions within encrypted AWS workspaces. This data is anonymised at source, never connects to services outside of Proximies virtual private clouds and is utilised to understand legitimate business interests such as:

• Anonymised user churn (logins per month)
• Number of video sessions views

Only high level metrics are derived and utilised for Proximie to understand commercial growth and macro usage of the platform.

Proximies commercial team may store user data within Dynamics 365 during the commercial lifecycle. Only data which is directly required for contractual agreements will exist in this platform. This data includes:

• User information for contract points of contact
• Number of contact attempts
• Lead times and metrics for client onboarding and support
• Sales targets

Data within Microsoft Dynamics is routinely removed and only used for interim performance metrics, and to make sure client contact remains within SLA agreements.

Proximie utilises Intercom for customer support. When the user logs into Proximie, or enquires as an anonymous user an account is set up within the Intercom platform for the lifecycle of either the Proximie Session or support/inquiry request duration. Within Proximie’s process this data is deleted inline with Intercoms GDPR process and guidelines.

Proximie utilises Atlassian products (JIRA, Jira service desk, confluence) to aid with support response and documentation. When a user files a support request via Intercom, Jira service desk form, or by email, a ticket is filed which includes the user’s details. This data is stored on Atlassian’s servers. Proximies legitimate business interests are to make sure support requests are tracked to the user who flagged themselves for help and lead time metrics until a solution is found. This data is routinely removed on success and metrics gathered. Data is removed following Proximie and Atlassian guidelines.

To support delivery of our Services, Proximie Ltd. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data or Authorized Users Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor.

Proximie currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and notifications (text, push, and email), as well as for marketing purposes. Prior to engaging any third party Subprocessor, Proximie performs diligence to evaluate their privacy, security and confidentiality practices, and requires of its applicable obligations.

NB: No Electronic Patient Information will exist outside of the Proximie cloud (country or region specific Servers hosting services). Only User information may exist outside of this for communication, support and anonymous analytics tracking only.

Entity subprocessing activities:

Servers hosting services

Entity Country

United States of America

Entity policies

https://azure.microsoft.com/en-gb/support/legal/

Entity subprocessing activities:

Servers hosting services (for use in KSA only)

Entity Country

Kingdom of Saudi Arabia

Entity policies

https://security.sahara.com/

Entity subprocessing activities:

Servers hosting services

Entity Country

United States of America

Entity policies

https://aws.amazon.com/privacy/
https://aws.amazon.com/compliance/
https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/

Entity subprocessing activities:

Analytics and CRM Services

Entity Country

United States of America

Entity policies

https://privacy.microsoft.com/en-gb/privacystatement
https://docs.microsoft.com/en-gb/dynamics365/get-started/gdpr/

Entity subprocessing activities:

Communications and Documentation Platform

Entity Country

United States of America

Entity policies

https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-information-protection-for-gdpr?view=o365-worldwide
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/privacy-security-and-transparency

Entity subprocessing activities:

Analytics and Communications services

Entity Country

United States of America

Entity policies

https://firebase.google.com/support/privacy
https://firebase.google.com/policies/analytics
https://policies.google.com/privacy

Entity subprocessing activities:

Communications, documentation and customer support services services

Entity Country

United States of America

Entity policies

https://www.atlassian.com/legal/privacy-policy

Entity subprocessing activities:

Analytics services

Entity Country

United States of America

Entity policies

https://www.tableau.com/en-gb/legal/regional-privacy-laws

Entity subprocessing activities:

Communications and customer support services services

Entity Country

United States of America

Entity policies

https://www.intercom.com/legal/terms-and-policies

Proximie has implemented administrative, physical, and technical safeguards to help protect the personal data that we transmit and maintain. Secure services and tools used by Proximie include:

• ISO 9001, HIPAA, Cyber Essentials and NHS DSPT Certification
• Encryption of video in transit and at rest using 128 and 256 AES encryption
• Mandatory internal security, GDPR, and HIPAA training for all staff
• Regular (CREST accredited) penetration testing.
• Adherence to the Secure Software Development Lifecycle which includes static analysis and manual security processes within Product and Engineering.
• Use of AWS and Azure ISO 27001 certified cloud services.

However, no system or service can provide a 100% guarantee of security, especially a service that relies upon the public internet. Therefore, you acknowledge the risk that third parties may gain unauthorized access to your information. Keep your account password secret and please let us know immediately if you think your password was compromised. Remember, you are responsible for any activity under your account using your account password or other credentials.

This section applies only to California consumers. It describes how we collect, use, and share California consumers’ personal information in our role as a business, and the rights applicable to such residents. For purposes of this section “personal information” has the meaning given in the California Consumer Privacy Act (“CCPA”). Proximie does not sell your personal information or your end users’ personal information.

We process your personal information only in order to provide the services and we do not retain, use, or disclose your personal information outside of the scope of the agreement we have with you.

We have collected the following statutory categories of personal information in the past twelve (12) months:

• Identifiers, such as name, e-mail address, mailing address, fax number and phone number. We collect this information directly from you or from third party sources.
• Information collected in connection with your use of our services, including communications usage information and the communications content processed through the services.
• Internet or network information, such as browsing and search history. We collect this information directly from your device.
• Geolocation data, such as IP address. We collect this information from your device.
• Financial information, such as payment details or financial account numbers in the process of providing you with our services. We collect this information from you.
• Inferences based on your use of the services and browsing history.
• Other personal information, in instances when you interact with us online, by phone or e-mail in the context of receiving support from our sales and customer service teams.

You have certain rights regarding the personal information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.

• The right of access means that you have the right to request that we disclose what personal information we have collected, used and disclosed about you in the past 12 months.
• The right of deletion means that you have the right to request that we delete personal information collected or maintained by us, subject to certain exceptions.
• The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.
• Proximie does not sell personal information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199).
• “California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California consumers asking about the businesses’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. Alternately, such businesses may have in place a policy, as we do, only to disclose personal information of consumers to third parties for the third parties’ direct marketing purposes if the consumer has opted into such information-sharing.

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The specific pieces of Personal Information we collected about you
• The categories of Personal Information we collected about you.
• The categories of sources from which the Personal Information is collected about you.
• Our business or commercial purpose for collecting or selling that Personal Information.
• The categories of third parties with whom we share that Personal Information.
• If we sold or disclosed your Personal Information for a business purpose

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
• Debug products to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the rights of other consumers to exercise their free speech rights, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.)
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
• Comply with a legal obligation.
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent’s identity to protect your personal information.

Please email us at CCPA@Proximie.com if you would like to exercise your rights pursuant to CCPA or learn more about your rights or our privacy practices.

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our processing of your personal data and privacy practices. We may also engage with different SubProcessors. We will post a prominent notice on each of Proximie’s websites to notify you of any significant changes to our Privacy Policy and indicate at the top of the Privacy Policy when it was most recently updated..

This policy is effective as of 2020-04-29

If you have any questions or comments about this Privacy Policy, the use of cookies, if you would like us to update personal data we have about you or your preferences, or to exercise your rights, please email our Data Protection Officer at dpo@proximie.com or write to us at:

Data Protection Officer
Proximie Ltd
The Harley Building
77 New Cavendish Street
London
W1W 6XB

In the unlikely event that you wish to lodge a complaint about our collection, transfer or processing of your personal data, you can lodge a complaint with the Information Commissioner’s Office (ICO) via their website www.ico.org.uk or in writing to:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF