Privacy declaration

Version 3, 18-05-2018

1. FocusCura

FocusCura BV is a Dutch company. Our company activities are conducted in the European Economic Area (EEA) and, unless indicated otherwise, we store all our data on servers located in the EEA.

This privacy statement summarizes when and how your personal data are collected, used, secured, and disclosed in connection with your access to and use of our applications, websites, and all features, software, and services provided through the applications and website (the "Service").

2. General

We reserve the right to amend the provisions of this privacy declaration. We will inform you if we make changes to the privacy declaration. We recommend that you regularly read through the latest version of the privacy declaration.

3. Which personal data do we collect for which purpose and for how long?

When you make use of the Service, personal data can be collected in various ways. The Appendix contains a list of the information that all companies affiliated to the FocusCura group may collect. The personal data that is or may be processed is shown per service. A distinction is also made between the processing of data of clients and the processing of data of health-care professionals who use the Service. The overview shows which personal data are processed, for which purpose, on which legal grounds the processing is based, and how long the personal data are stored.

If you do not provide your personal data to FocusCura or object to FocusCura using your personal data in any other way, this may lead to you being restricted in the use of the Service. The consequences of not providing or objecting to the processing of personal data are set out below for each ground for processing data. You can view which personal data fall under which grounds for processing data per Service in the Appendix.

Processing based on a legal obligation of FocusCura:

• We may block or restrict your access to the Service, and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data mentioned in this section are required in order to comply with our legal obligations.

Processing necessary for the implementation of the agreement:

• You may be hindered in your use of the Service, and the Service may not function properly. We may block or restrict your access to the Service, and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data mentioned in this section are required in order for the Service to function or be provided properly.

Processing necessary for the legitimate interests of FocusCura:

• We may block or restrict your access to the Service, and we reserve the right to terminate the agreement in accordance with our terms and conditions. The personal data mentioned in this section are required in order to meet the legitimate interests of FocusCura and to prevent misuse of the Service and security incidents.

Processing for which your explicit consent is required:

• In principle, you will not be hindered in your use of the Service. Refusal or withdrawal of permission does not adversely affect your use of the Service. This is different when using the cVitals service. You may be hindered in your use of the cVitals service, and the cVitals service may not function properly. The personal data mentioned in this section are required in order for the cVitals service to function or be provided properly. However, as these personal data are sensitive, your explicit consent is required for the processing of these personal data.

Processing for which your consent is required:

• You will not be hindered in your use of the Service. Refusal or withdrawal of permission does not adversely affect your use of the Service.

Appendix 1: Data processing for cAlarm.
Appendix 2: Data processing for cKey.
Appendix 3: Data processing for cContact and cVitals.
Appendix 4: Other data processing (i.e. when not purchasing a Service).

4. Sharing of personal data

Unless stated otherwise in this privacy declaration, we do not describe, sell, or trade the personal data of our visitors and users to third parties.

4.1 Sharing with processors
We may involve third parties such as hosting providers to support us in providing the Service. These third parties may process your personal data in their role in providing the Service. Such third parties will hereinafter be referred to as "Processor". We sign processing agreements with these Processors.

We make use of the following types of Processors:

• analytical software (cookies) to improve our services, such as privacy-friendly Google Analytics and Hotjar;
• analytical software (cookies) to make you targeted offers by FocusCura for marketing purposes;
• cloud services;
• hosting providers;
• providers of e-mail services;
• providers of services for the collection of health data;
• providers for services for managing customer and user information;
• providers for video calls;
• push notification providers.

In certain cases the Processor may collect your personal data on our behalf. We inform the Processors that they may not use the personal data that they obtain from us unless they are required for the provision of the Service. We are not responsible for any additional information that you provide directly to the Processors.

You must inquire about the Processor and its company before disclosing any personal data to such Processors. Some of the Processors used by FocusCura for marketing purposes, FocusCura's e-mail services, managing customer and user information, and making video calls available store personal data outside the European Union. We only use Processors who comply with the requirements of the General Data Protection Regulation (GDPR) and who have the necessary certificates, operating instructions, or model clauses from the European Commission.

4.2 Sharing with your permission

We may occasionally share your personal data with third parties if you have given us permission to do so. We may work together with other parties to offer specific services or directly provide you with offers. If you register for these third party services or marketing offers, we may share the personal data you provide, such as your name or other contact information that we reasonably deem necessary, with these third parties so that our business partner can provide the services or offers or contact you.

4.3 Our legal responsibility

We may share personal data if we can be confident that this is permitted by law or if we are legally obliged to do so. We may also share personal data with third parties if reasonably necessary or appropriate to satisfy legal requirements, if necessary to satisfy legal requests from authorities, to respond to any claims or to protect the rights, property, or safety of FocusCura, our users, our employees, or the public and, without limitation, to protect FocusCura or our users from fraudulent, offensive, improper, or unlawful use of the Service. We will immediately notify you of any requests from any executive, administrative, or other government authority that we receive that relate to your personal data unless prohibited by applicable law.

4.4 Anonymized data

Please note that nothing herein restricts the sharing of anonymized information, which may be shared with third parties without your consent.

5. Protection of personal data

We will ensure that we take suitable technical and organizational security measures to process personal data. We follow generally accepted standards for the protection of personal data, both during the transfer and as soon as we have received the personal data. We have taken the following measures:

  • Access to our servers and infrastructure is only possible from certain secure servers from specific IP addresses and is only possible through a specific combination of keys.
  • Access to our database is only possible by means of three-step authentication and personal accounts that are protected with a username and password. Only persons who need access to the database for their task will be given such an account.
  • We have a password policy to ensure strong passwords. Passwords must be reset regularly.
  • The firewall is automatically configured by means of security scripts.
  • We use virtual private clouds for each separate environment (testing, acceptance, and production) to limit risks.
  • Stored data are always protected by encryption. Passwords are also hashed. Locally stored data (e.g. on iOS and Android) are also stored in encrypted form as far as sensitive information is concerned (medical information or authentication information). Locally stored data will be deleted when you log out.
  • We use SSL (Secure Sockets Layer) technology to encrypt data transmission to us.
  • The maximum number of incorrect login attempts is limited.
  • All information entered by users is checked to ensure that no malicious data is uploaded.
  • Software has been installed to detect malicious software in a timely manner.
  • Security updates take place on a monthly basis.
  • We monitor access to the back-end section to detect possible security breaches or other anomalies.
  • We back up the database on a daily basis. Users who have access to the database do not have access to the backups to prevent the unwanted deletion of databases.
  • Cookies do not contain full authentication information such as passwords.
  • Information contained in cookies is deleted when you log out.
  • Important information in cookies is encrypted.
  • The duration of login sessions is limited.
  • There is a policy on the use of data carriers such as laptops and USB sticks.
  • Access to the property is restricted, and the property is secured.

You should be aware that our Processors are responsible for processing, managing, or storing some or all of the personal data we receive. Processors are not authorized to use this information to send advertisements to you. These Processors are contractually obliged by a processor's agreement to secure the personal data they have received from us.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. As a result we cannot guarantee absolute safety.

6. Links to third party websites

Our Service and/or the website may contain links to other websites or advertisements of third parties. Websites of third parties may collect your information. We do not have control over such sites or their activities. Any personal data that you provide on the websites of third parties are directly supplied to the third party and are subject to the privacy policy of the third party. We are not responsible for the content, privacy, and security practices and policies of websites to which we provide links or which are advertised on our Services and/or websites. Links from our website to third parties or other websites are only made available for your benefit. We recommend that you review their privacy and security practices and policies before you provide any personal data to them.

7. What choices do you have about the use of your personal data?

Before we share your personal information with third parties in ways that are not covered by this privacy statement, including use for direct marketing purposes, you will be notified and asked to provide consent when such information is collected.

We can send you marketing and promotional material about our products and services. If you do not or no longer wish the information to be used for direct marketing purposes, you may contact us at the e-mail address provided under "Contact".

You can also unsubscribe by following the unsubscribe instructions included with each promotional e-mail. This does not affect our right and ability to send you Service-related and account-related e-mails or use personal information as described in this privacy statement.

We will comply with your requests as soon as possible after receipt of the request.

8. Your rights

You may review, update, correct, or delete your personal data collected by the website and the Service by sending us an e-mail at the e-mail address provided under "Contact" or, if available, by using a specially designed feature in the Service.

Please note that the deletion of personal data may result in the termination of the right to use the Service.

We reserve the right to retain your personal data in our files if we believe that this is necessary or advisable to provide the Service to others, to resolve disputes, to maintain the applicable terms of use, for technical and/or legal requirements, and/or if the Service so requires.

In order to gain access to your own personal data by e-mail, you must provide sufficient proof of your identity as we request it. We reserve the right to deny access to a user if we believe there are questions about your identity. We respond to requests for access within four weeks. In the case of complex requests, this term may be extended by a further four weeks. If we extend the term, we will notify you within four weeks of the request being submitted.

You can ask us to restrict or stop the processing of your personal data in the future. We will comply with your request, but you may be hindered in your use of the Service and you may no longer be able or permitted to use the Service as referred to in Article 4 of this privacy statement.

You may request us to transfer the personal data we process about you, as specified by you, at reasonable intervals, as long as the information requested does not contain personal data of other natural persons and as long as the information requested has been processed with your consent or as long as processing is necessary for the performance of the Service. We will comply with your request within four weeks of receiving it.

You have the right to lodge a complaint with the competent privacy authority about our processing of personal data. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA), which you can contact at https://autoriteitpersoonsgegevens.nl/en.

9. Contact

If you have any problems or comments about this privacy statement you can contact us via e-mail at [email protected] or call us on +31 (0)30 692 70 50.

Appendix 1: data processing for cAlarm.

Processing of you as a customer of FocusCura:

Necessary for the purposes of our statutory obligation to keep a tax administration, processing time up to ten years after termination of the agreement

• Name

Necessary for the execution of the agreement (the provision of the Service), processing time up to two years after the termination of the agreement

• Name
• Address
• IBAN number
• Customer number
• Date of birth
• E-mail address
• Telephone number
• Contact person (your health-care professional)
• Type of home
• Username
• Password
• Link code (code to bring you into contact with your contact person)
• Your language setting
• Your time zone

Necessary for the representation of the legitimate interests of FocusCura, processing time up to two years after termination of the agreement

• Processing for the security of the Service:
o IP address
o Device account number
o Service type

Processing with your explicit consent, processing time up to fifteen years after the end of the medical treatment agreement for which you have concluded an agreement with FocusCura or up to two years after the end of the agreement insofar as the medical data do not need to be included in the medical file.

• Medical details
o Contact details family physician
o Particulars regarding your health

Processing with your consent (implicit by filling in optional fields), processing time up to two years after the end of the contract

• Sex
• Installation notes

Processing of you as a health-care professional who makes use of the Service:
Necessary for the purposes of our statutory obligation to keep a tax administration, processing time up to ten years after termination of the agreement

• Name
• Invoice details

Necessary for the execution of the agreement (the provision of the Service), processing time up to two years after the termination of the agreement

• Name
• Address
• E-mail address
• Who your client is
• Relationship with the client
• Your language setting
• Your time zone

Necessary for the representation of the legitimate interests of FocusCura, processing time up to two years after termination of the agreement

• Processing for the security of the Service:
o IP address
o Device account number
o Service type

Processing with your consent (implicit by filling in optional fields), processing time up to two years after the end of the contract

• Telephone number

Appendix 2: data processing for cKey.

Processing of you as a customer of FocusCura:

Necessary for the purposes of our statutory obligation to keep a tax administration, processing time up to ten years after termination of the agreement

• Name

Necessary for the execution of the agreement (the provision of the Service), processing time up to two years after the termination of the agreement

• Name
• Address
• IBAN number
• Customer number
• Date of birth
• Telephone number
• Type of home
• Username
• Password

Necessary for the representation of the legitimate interests of FocusCura, processing time up to two years after termination of the agreement

• Processing for the security of the Service:
o IP address

Processing with your consent (implicit by filling in optional fields), processing time up to two years after the end of the contract

• Sex
• E-mail address
• Health-care organization to which you are affiliated
• Housing association
• Contact person information (your health-care professional)

Processing of you as a health-care professional who makes use of the Service:
Necessary for the purposes of our statutory obligation to keep a tax administration, processing time up to ten years after termination of the agreement

• Name
• Other invoice details

Necessary for the execution of the agreement (the provision of the Service), processing time up to two years after the termination of the agreement

• Name
• Address
• E-mail
• Relationship with the client
• Telephone number

Necessary for the representation of the legitimate interests of FocusCura, processing time up to two years after termination of the agreement

• Processing for the securing of the Service:
o IP address

Processing with your consent (implicit by filling in optional fields), processing time up to two years after the end of the contract

• The health-care organization for which you work

Appendix 3: data processing for cContact and cVitals.

Processing of you as a customer of FocusCura:
Necessary for the representation of the legitimate interests of FocusCura, processing time up to two years after termination of the agreement

• Security company
o IP address
o User actions (login, logout, etc.)
• Improvement of the service and detecting errors
o History of settings
o App version
o iOS/Android device version
o Browser version

We process other personal data for the cContact and cVitals services on behalf of a health-care institution or other responsible party on the basis of a processing agreement. At your request, we can inform you which company this is, so that you can contact them to find out what personal data they process about you or so that you can consult the privacy statement of that company. We are not permitted to provide information about the personal data we process on behalf of these companies.

Appendix 4: other data processing (i.e. when not purchasing a Service).

When using the website:
Necessary for the representation of the legitimate interests of FocusCura, processing time up to three years and two months after the last use of the website unless this is technically not possible.

• Processing for the security of the Service
o IP address
• Functional cookies to improve your ease of use
o Filled-in form fields
• Analyzing cookies to improve the Services provided by FocusCura
o IP address
o The website through which you found us
o The pages you visited
o How long your visit lasted
o How you navigate the website

When filling in your information
Necessary for the representation of the legitimate interests of FocusCura, processing time up to six months after the last contact with FocusCura is made.

• For being able to answer your questions and to provide information
o Name
o E-mail address
o Telephone number
o Name of health-care organization
o Other personal data filled in in the contact field

Processing with your consent (implicit by filling in optional fields), the personal data for this purpose will be deleted as soon as you unsubscribe.

• To send you marketing material on your request
o Name
o E-mail address

Previous Privacy Policy (version 2.0 - 2015)