Privacy statement for use of ECG247
1 Protection of personal data
Personal data refers to information that can be linked to a physical person, i.e. details such as name, postal address, telephone number and e-mail address. Processing refers to any handling of personal data, e.g. collecting, recording, collating, storing and sharing.
At Appsens we are keen to ensure that all personal details are handled in a way that makes you feel reassured that your data are subject to the strictest confidentiality regime. We process the personal data we need for you to make use of our services, and to conduct analyses that will enable us to improve our range of services. Beyond this, all personal data are handled in accordance with the express consent you have given us. You are free to withdraw this consent at any time.
We collect information in the ECG247 app, using the ECG247 sensor and from the ECG247 portal. All medical data is stored in line with the regulations for health information. Appsens is concerned with processing personal data in a way that allows you to feel confident that information about you is subject to strict confidentiality and high security. We use 2-factor authentication, which is the best method to ensure that you log in correctly in our systems, and that you can verify who you are in various ways. A combination of username, password, phone number and a code you receive via SMS is used. It is also possible to use Norwegian Health ID and Bank ID. All data communication and storage is encrypted and unauthorized persons cannot gain access.
This personal data protection statement and the associated terms and conditions will be updated from time to time, for instance because our services are extended or amended, and we will notify you if this requires further consent from yourself. The current version of the terms and conditions can be found on ecg247.com at all times. If major changes are introduced, we may also try to contact you directly through available channels such as email or by putting up a notice on our website and digital services.
2 Consent to the processing of personal data, including health data
By accepting the terms when creating a profile on Appsens’ digital platform (see section 5), you confirm that you have read, understood and consent to the content of this document and to our processing of your personal data, including health data. For persons under the age of 16 years, the consent of their guardian is required. If children under the age of 16 years have nevertheless given us personal data by mistake, we will delete the data as soon as we become aware of the situation. Guardians can contact us as stated in section 15.
You can at any time withdraw your consent to us storing and processing your personal data, including your health data (see section 3). The personal data will then be deleted as detailed in point 12 below. Note that the services we provide and the ECG247 heart sensor can no longer be used if you withdraw your consent to processing of personal data. Even if consent is withdrawn, we will still be able to use collected information that is not personal data. This is information that cannot be linked to you as a physical person – either because it has never had such a connection or because we have removed the connection.
3 Archive for recording heart rhythm (ECG)
For ECG247 tests initiated by healthcare professionals via SMS link or invitation code, the relevant doctor/healthcare professionals will have access to your ECG recordings automatically. If necessary, contact the person concerned to delete your data. Tests initiated by healthcare professionals can also be carried out without storing personal data using a so-called connection key/ID code.
4 Storage and processing of personal data and de-identified information
Appsens processes only personal data that is necessary for you to make use of our services. We also carry out analyses in order to improve the service offer. Such analyses will be carried out using aggregated and de-identified information. This information will not be linked to you as a person.
5 Appsens’ digital platform – more about the technical solutions
Appsens’ digital platform refers to our website, online store, ECG247 app and ECG247 web portal with associated storage solution, as well as data warehouse and integration platforms. The copyright, other rights and content in Appsens’ digital platform belong to Appsens AS or its subcontractors and partners.
5.1 ECG247 app
If you register in the ECG247 app on your mobile phone, a personal profile linked to your mobile number will be created. For this function, the software Google Firebase is used for 2-factor authentication and login. In order to monitor that the ECG247 app works properly on your mobile phone, the software Google Crashlytics will send us anonymous user data with a report on any errors so that we can correct them.
The ECG247 app will automatically receive heart rhythm signals from the ECG247 sensor, and upload this data to your personal heart rhythm archive (see section 3). Any heart rhythm disturbances will be notified in the ECG247 app. Furthermore, from the ECG247 app, you can share your heart rhythm recordings with other people, for example your GP. You can also order new electrodes or order a cardiology assessment of your heart rhythm test from the ECG247 app.
5.2 Personal archive for heart rhythm recording (ECG) (see also section 3)
Your heart rhythm data (ECG) is safely stored in our cloud service based on Microsoft Azure with secure encrypted data storage in line with current regulations. This archive contains:
- Identification data: name (optional), date of birth (optional), address (optional), risk score (optional) and phone number OR connection key
- Start and end date for heart rate recording
- Findings from ECG247 Arrhythmia Analysis
- Any prepared report on completed heart rhythm registration
- Any report from cardiology assessment
- Overview of who you have shared your heart rate recordings with
- Operating system used, version number for app and sensor software
5.3 ECG247 web portal
Via the ECG247 web portal you can access your ECG recordings. These are designed for assessment by doctors/healthcare professionals and require medical knowledge to interpret.
5.4 Acceptance of sharing de-identified heart rhythm recordings
When you as a consumer in the ECG247 app accept the terms and conditions, this includes that you agree that Appsens AS can use your heart rhythm recordings for research purposes and quality assurance. Your data is de-identified in such a way that it is not possible to trace the information back to you as a physical person. We use such data to improve the product and the algorithms used for the detection of abnormal heart rhythms/arrhythmias.
Appsens AS does not have access to heart rhythm recordings belonging to health institutions (invited tests) and consequently cannot use such data for research or quality assurance.
5.5 Which personal data is processed and why?
We collect personal data for the following purposes:
- To analyze heart rhythm recordings
- To be able to manage your customer relationship. Personal profile settings are saved so that we can send you automatic receipts and/or newsletters in line with your wishes.
- Changes to the profile are stored as information by customer service upon inquiry from the customer.
- Card data is stored with orders if you wish to have access to receipts and purchase history, as well as any discounts.
- Electronic and technical information, including information about your mobile device and app. App version, operating system and phone model are stored to help you as best as possible if necessary.
If you contact our customer service, the contact will be logged in order to provide the best possible assistance.
To avoid misuse of our services, we will use registered data for control purposes. Personal information is de-identified before data is used for analysis of customer behaviour. This is done to improve the user experience at our digital platforms.
5.6 Purchase of cardiology assessment
The ECG247 app gives you access to purchase cardiologist reviews of test results. You will also be able to access receipts for your purchases. When purchasing a cardiologist assessment, you must state:
- Telephone number
- E-mail address
- Payment information
All purchases and payments are handled by the payment intermediary who acts as data processor on behalf of Appsens.
6 ECG247.com, online store and data warehouse
The ECG247 app gives you options to order a new sensor and/or electrode patch. You can also buy the ECG247 sensor and electrode patch directly without being logged into the ECG247 app. You must register the following information:
- Mobile number
- E-mail address
- Postal address
- Payment information
Registration of mobile numbers is done in order to provide you with good and efficient customer service. If the mobile phone number is already in our customer register, the purchase will be linked to the existing customer profile.
When paying, you enter card data for debiting to complete the purchase. All purchases and payments are handled by the payment intermediary who acts as data processor on behalf of Appsens.
Appsens will process the personal data to offer you relevant services, as well as necessary communication and administration of your customer profile. If you have consented to electronic marketing, you will also receive information with offers and news from Appsens.
6.1 Card payments
Card numbers are not stored beyond what is necessary to ensure efficient handling of any problems with charging, cancellation of reservation and crediting. It is not possible for Appsens to see your entire card number in any of our systems. Should problems arise with a card payment, our payment officers can find the first 6 and the last 4 digits of your card number (IIN/BIN number) to identify which bank issued the card to assist you in solving the problem. If you choose card as payment method, payment information and card details will be shared with our payment provider for card payment. Payment and card details are only used to make a payment. The information you provide when paying online will only be linked to your customer account. The information is stored in accordance with applicable laws.
6.2 Information cookies (cookies and pixels)
6.3 Consent to electronic marketing
You must actively consent to personal data being used in direct marketing. You can withdraw your consent at any time.
7 Location data
The ECG247 app needs access to your location. Location is only used for transferring data from the ECG247 sensor to the ECG247 app. Your location data will under no circumstances be used for tracking or advertising. No location data will be stored for later use.
8 Is providing information optional?
Providing personal data is voluntary, but in order to use the ECG247 heart sensor, basic personal data must be registered, cf. section 2.
9 Who is responsible for data processing in Appsens AS?
Appsens AS, represented by the managing director, is responsible for processing according to the Personal Data Act for the company’s processing of personal data. We have appointed a data protection officer who will ensure that our processing of personal data is in line with current regulations. Our data protection officer is the chief technical officer (CTO).
10 What is the legal foundation?
Appsens AS complies with the Personal Data Act and the Health Register Act. The legal basis for our processing is laid down in the Personal Data Act § 8, the Health Register Act § 5 and the Personal Protection Ordinance Article 6 No. 1. Your acceptance to the terms in this declaration constitutes our legal basis for processing of your personal data, including your health data. For any other purpose we will obtain your express consent.
11 Are my personal details safe?
You can be assured that no information relating to you will be abused by Appsens AS as the data controller for the personal data we process. All personal information is securely stored and confidentially processed in Norway or within the EU/EEA area according to:
- The Personal Data Act of 14 April 2000 no. 31 with associated regulations
- The industry standard for information security and privacy in health and care services
- Payment Card Industry Data Security Standard (PCI DSS).
We have implemented rules and routines for the protection of personal data and privacy. To ensure that our processing of information takes place in a secure manner, only specially authorised personnel have access to the information you give us. Only a limited number of employees can hold such authorisation. All systems that we use to process customer data are subject to strict access control. Appsens AS takes privacy seriously and the company carries out and updates privacy risk assessments.
We are required to store order information in connection with accounting, tax handling and any warranty/return handling. This history is deleted after ten years.
Beyond what follows from section 12 below, your personal data will not be disclosed to third parties, unless you have given us consent for such disclosure to take place.
Appsens has appointed a privacy ombudsman who works with the information safety officer to ensure that the company maintains a clear overview of the personal details handled by Appsens. An overall information safety policy provides the framework and terms of reference for the current information safety plan at all times. All systems that make use of critical data, including personal details, are recorded and listed.
12 Will the data be shared with others?
Appsens makes use of subcontractors for the purpose of conducting its business. If a subcontractor needs to process personal data on Appsens’ behalf, privacy is secured through data processing agreements.
Data processors are subject to strict rules imposed by Appsens and cannot make use of personal details for any purpose other than to provide the services they have agreed with us. We take precautions to ensure that subcontractors conduct their affairs in accordance with this personal data protection statement, the company’s internal data processing agreements and Norwegian privacy legislation.
If required by law, or if there is suspicion that a criminal offence may have been committed in connection with the use of our services, any information we hold about you may be submitted to public authorities.
13 How are the data stored and deleted?
We will not store your personal data for longer and to a greater extent than necessary to fulfil the objectives specified in this personal data protection statement, unless a longer storage period is imposed by law at any point. Storage of anonymised data is not subject to similar restrictions or requirements.
Appsens has procedures in place for data deletion and anonymisation. You can also delete your own profile, or enlist the assistance of Customer Service in doing so. If you choose to delete your profile, your personal data will also be deleted. You will then no longer be able to use the ECG247 for recording of the heart rhythm. As a result of the deletion, your receipts will become anonymous.
15 What are your rights and options?
You have the right to:
- Know what information we hold about you (within the restrictions set out in current legislation).
- Demand that erroneous, unnecessary, incomplete or outdated personal data be corrected, supplemented or removed.
- Withdraw any consent you may have given us to process the personal details you have provided us with. However, please note that this may render us unable to continue delivering some of our services or benefits to you.
You can exercise your rights by contacting customer service. See ECG247.com for contact information.
Appsens is committed to responsible and sustainable business practices. If you feel that we fail to comply with this personal data protection statement or the current legislation, please address your concerns to us, or the Norwegian Data Protection Authority.
16 Our rights
Any right to all of Appsens AS’ products and solutions etc. is protected by copyright rules. This includes, but is not limited to, the build-up and design of the ECG247 Smart Sensor System, algorithms, source codes, app design, etc. Any commercial exploitation of these is prohibited without prior written agreement with Appsens AS, or our subcontractors and partners. This applies to both copying, forwarding and selling of information, images, graphic elements, program codes and technical solutions. You do not have the right to attempt to circumvent the security system of Appsens’ digital platform. Violation of this point may result in liability for damages and criminal liability.
How to contact us?
Contact information can be found at ECG247.com