Wellola Website Privacy Policy

At Wellola we are committed to protecting and respecting your privacy.

This Privacy Policy will let you know how we look after your Personal Data with regard to your use of this website and in the context of receiving marketing communications from us. It also informs you as to our obligations and your rights under data protection law. This Privacy Policy applies to both Patients and Healthcare Providers (both terms being defined hereinafter) using this website.

If you are aged 18 or under you should not use this website nor should you provide any personal information to us via the website.

DEFINITIONS

In this Privacy Policy the following words have the following meanings:

“Biometric Data” means any Personal Data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification;

“Data Controller” means the person who or organisation which determines the purposes for which, and the manner in which, any Personal Data is processed, who/which makes independent decisions in relation to the Personal Data and/or who/which otherwise controls that Personal Data;

“Data Processor” means the person who processes Personal Data on behalf of the Data Controller;

“Data Subject” means a natural person whose Personal Data is processed by a Data Controller or Data Processor;

“GDPR” means the EU General Data Protection Regulation (EU Regulation 679/2016);

“Genetic Data” means data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual;

“Healthcare Provider” means a qualified healthcare professional with a third party certification, diploma or degree in their chosen field, who is deemed fit to practice in their chosen field as a registered member of the relevant professional body;

“Patient” means any Healthcare Provider’s patient;

“Patients’ Data” means Personal Data of Patients, including clinical notes and assessments;

“Service” means all or any of the services provided through the website Wellola (www.wellola.com) (and “Services” shall be construed accordingly);

“Sub-Processor” means any person or entity appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller;

“We”, “Our” or “Wellola” means the company PhysioLinked Limited T/A Wellola.

Click on the headings below to find out more about how we collect and process your Personal Data in connection with your use of the Wellola website and for marketing purposes:

1. Who is responsible for your Personal Data?

a. Where Wellola acts as the Data Controller

For the purposes of the GDPR, in circumstances where you, as a Healthcare Provider, supply Personal Data to us which relates to you and your staff and which we will collect from you, Wellola will be the Data Controller with regard to such Personal Data.

Wellola will also be the Data Controller in relation to Patients who make a booking through the Patient portal on our website.

In particular, we have appointed a Data Protection Officer (“DPO”) within Wellola to monitor compliance with our data protection obligations and with this Privacy Policy and related policies. If you have any questions about this policy or about our data protection compliance please contact us.

b. Where the Healthcare Provider acts as the Data Controller and Wellola as the Data Processor

In circumstances where, as a Healthcare Provider, you supply Personal Data to us which relates to a Patient and which may be collected, stored and processed as a result of your use of the Wellola website, you will be the Data Controller. Wellola will be a Data Processor only.

In cases where the Healthcare Provider is collecting, storing and processing Patient Data, the Healthcare Provider will determine the purposes for which and the manner in which that Personal Data is, or is to be processed.

The Healthcare Provider will also be responsible for:

  • informing its staff and Patients of its privacy policy and practices, including, the lawful grounds upon which the Healthcare Provider is processing any Personal Data;
  • compliance with data protection laws;
  • drawing the Patient’s attention to this Privacy Policy; and
  • informing us if any Patient objects to either the Healthcare Provider’s or our processing.

As a Data Controller, the Healthcare Provider will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Patient Data to us for the duration and purposes of the use of the Wellola website.

As a Data Processor, we will:

  • Process that Patient Data only on the written instructions of the Healthcare Provider unless we are required by the laws of any member of the European Union or by the laws of the European Union applicable to us to process Personal Data (“Applicable Laws”);
  • Ensure that we have in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Patient Data and against accidental loss or destruction of, or damage to, Patient Data, as are appropriate;
  • Ensure that our staff who have access to and/or process Patient Data are obliged to keep the Patient Data confidential;
  • Ensure that where a Sub-Processor is used, we shall:
    • Only engage a Sub-Processor with the prior consent of the Healthcare Provider;
    • Inform the Healthcare Provider of any intended changes concerning the addition or replacement of Sub-Processors;
    • Implement a written contract containing the same data protection obligations as set out in the agreement we entered into with the Healthcare Provider, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Applicable Laws;
    • Understand that, where any Sub-Processor is used on their behalf, in the event of any failure on the part of the Sub-Processor to comply with the Applicable Laws or the relevant data processing agreement, we, as the initial Data Processor, remain fully liable to the Healthcare Provider for the performance of the Sub-Processor’s obligations;
  • Not transfer any Patient Data outside of the European Economic Area unless one of the safeguards described in section 6 below is in place;
  • Assist the Healthcare Provider, at the Healthcare Provider’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the data protection laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  • Notify the Healthcare Provider without undue delay on becoming aware of a Personal Data breach;
  • Within 45 days of the date of termination or cancellation of your contract delete Patient Data and copies thereof unless required by Applicable Laws to store the Personal Data; and
  • Maintain complete and accurate records and information to demonstrate our compliance with these obligations.

We are not liable in respect of any Patient Data which is controlled by the Healthcare Provider in breach of data protection laws or outside the scope of the permissions granted to the Healthcare Provider by the Patient.

2. What Personal Data do we collect?

Patient

If you are a Patient using our website we may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier, title, date of birth.
  • Contact Data includes billing address, delivery address, email address and telephone numbers, next of kin address, phone, email, medical care giver.
  • Financial Data includes payment card details processed through Stripe.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Data includes information about how you use our website, products and services.

We may process some special categories of Personal Data about you via third parties (for example, where a healthcare provider gathers details about health and Biometric Data in order to comply with medicolegal documentation obligations) where the third parties act as Data Controllers. Where this happens it is the duty of the Data Controller to inform you and a higher standard of protective measures will apply.

Healthcare Provider

If you are a Healthcare Provider using our website we may collect, use, store and transfer different kinds of Personal Data about you and your Patients which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier, title, qualifications, accreditations, insurance details, date of birth.
  • Contact Data includes website, social media pages, billing address, delivery address, email address and telephone numbers.
  • Business Data includes company bio, website, social media pages, address, pricing, opening hours, images that you upload.
  • Financial Data includes bank account and payment card details processed through Stripe.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Data includes information about how you use our website, products and services.

3. How do we collect your Personal Data?

We collect your Personal Data as follows:

  • Direct interactions. You may give us your Identity and Contact Data by filling in forms on our website or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
    • make an enquiry with regard to our services;
    • request marketing to be sent to you; or
    • give us some feedback.
  • Personal information we collect indirectly. We indirectly collect Personal Data when Healthcare Providers use the Wellola website to record data about a Patient. This may include for instance Identity, Contact or Transaction Data as well as special categories of Personal Data (as listed above)/information about your health and Genetic and Biometric Data.
  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies and other similar technologies. Please see our cookie policy here for further details.
  • Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources as set out below:
    • Technical Data from advertising networks such as Mailchimp based outside the EU or Sparkpost based inside the EU;
    • Contact, Financial and Transaction Data from providers of technical and payment services such as Stripe based outside the EU;
    • Identity, Usage and Contact Data from peer to peer video consultation infrastructure providers such as Gruveo based inside the EU;
    • Identity and Contact Data from SMS infrastructure providers such as Nexmo based outside the EU; and
    • Identity and Contact Data from publicly available sources such as Companies Registration Office and the Electoral Register based inside the EU.

4. For what purposes do we process your Personal Data and what is our legal basis?

We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so.

Purpose/Activity: To arrange consultations between Patients and Healthcare Providers, which includes the management of consultation bookings, electronic health records, billing/invoicing and payments
Category of Data Subject: Patient
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Financial; (d) Profile
Lawful basis for processing:
  • Patient Consent to our Terms & Conditions
  • Necessary for the performance of a contract (to secure consultation between Patient and Healthcare Provider)

Purpose/Activity: To register you as a new customer
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity/Business Details; (b) Contact; (c) Financial; (d) Profile; (e) Marketing & Communications Data
Lawful basis for processing:
  • Performance of a contract with you

Purpose/Activity: To keep you informed of maintenance and updates to your service
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Profile
Lawful basis for processing:
  • Performance of a contract with you
  • Necessary for our legitimate interests (to ensure data accuracy and adequacy)

Purpose/Activity: To process and deliver your services including:
  • Provide ongoing access to the services
  • Manage payments, fees and charges
Category of Data Subject: Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Financial; (d) Profile
Lawful basis for processing:
  • Performance of a contract with you
  • Necessary for our legitimate interests (to recover debts due to us)

Purpose/Activity: To manage our relationship with you which will include:
  • Notifying you about changes to our terms or privacy policy;
  • Asking you to provide feedback or take a survey;
  • To enable you to partake in a prize draw, competition or complete a survey.
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing & Communications Data
Lawful basis for processing:
  • Performance of a contract with you
  • Necessary to comply with a legal obligation
  • Necessary for our legitimate interests (to keep our records updated, to ensure data accuracy and adequacy, to study how customers use our products/services, to develop them and grow our business)

Purpose/Activity: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Technical
Lawful basis for processing:
  • Necessary for our legitimate interests (to ensure data integrity and confidentiality, for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

Purpose/Activity: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications; (e) Usage
Lawful basis for processing:
  • Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Technical; (b) Usage
Lawful basis for processing:
  • Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose/Activity: To make suggestions and recommendations to you about goods or services that may be of interest to you
Category of Data Subject: Patient & Healthcare Provider
Type of data (includes but is not limited to): (a) Identity; (b) Contact; (c) Technical; (d) Marketing and Communications; (e) Usage; (f) Profile
Lawful basis for processing:
  • Necessary for our legitimate interests (to develop our products/services and grow our business)

When we process your personal information for our and third parties’ legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you.

We have considered whether there are other less intrusive means to reach the purposes identified above while still serving the legitimate interests identified.

Our use of this personal data is subject to an extensive framework of safeguards that help make sure that people’s rights are protected. These include the information given to you on how your personal data will be used and how you can exercise your rights to obtain a copy of your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not override your interests, fundamental rights and freedoms.

We use cookies to facilitate the use of our website. For detailed information on the cookies we use and the purposes for which we use them, see our cookie policy here.

5. Do we share your Personal Data with anyone else?

We may share your Personal Data with the following parties in connection with our processing of your Personal Data:

Third Party: Reason for sharing data

  • Sparkpost: The service provider allows us to service Healthcare Providers with email communications.
  • Mailchimp: The service provider allows us to send you email communications and alerts us if you request to be removed from our mailing lists.
  • Amazon: Hosts our cloud storage system. We store our document management system and backups on the cloud and so your personal details will be stored on our secure cloud storage system.
  • Healthcare Provider/Patient: Personal Data of the Patients and Healthcare Providers will be shared between the Patients and Healthcare Providers as necessary to facilitate the setting up of consultations.
  • Stripe: Provides our payments services.
  • Gruveo: Provides us with peer to peer video consultation infrastructure.
  • Nexmo: Provides us with SMS infrastructure.

We require all third parties to enter into a data processing agreement with us which complies with our obligations under the GDPR. This agreement requires third parties to have appropriate security systems in place and only to use your Personal Data on our instructions and in accordance with data protection law.

In rare circumstances, we may be obliged to disclose Personal Data if disclosure is required to comply with the law.

6. Keeping your Personal Data secure

We take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. We limit access to your Personal Data to those employees, agents and other third parties who are required to have access to your Personal Data and where they have agreed that they are subject to a duty of confidentiality.

We have put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. We have procedures in place to deal with actual and suspected data breaches which include an obligation on us to notify the supervisory authority and/or you, the Data Subject, where legally required to do so.

We do not transfer your Personal Data out of the European Economic Area.

7. For how long do we keep your Personal Data?

Your Personal Data will be deleted when it is no longer reasonably required for the purposes described above or you withdraw your consent (where applicable) and we are not legally required or otherwise permitted to continue storing such data.

8. Your data protection rights

Under certain circumstances, by law you have the right to:

  • Request information about whether we hold personal information about you, and, if so, what that information is and why we are holding/using it.
  • Request access to your personal information (commonly known as a "Data Subject Access Request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Where you as a Patient require information about your health and/or Genetic/Biometric Data from your Healthcare Provider (acting as “Data Controller”, whereby Wellola is acting as “Data Processor”) it is the responsibility of the Healthcare Provider to address that Data Subject Access Request, not Wellola.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Object to automated decision-making including profiling, that is, not to be the subject of any automated decision-making by us using your personal information or profiling of you.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
  • Withdraw consent: where we rely on consent as a legal basis, you may withdraw consent at any time by contacting us. Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.

In the event that you wish to make a complaint about how your Personal Data is being processed by Wellola, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority who can be contacted as follows:

Contact: Data Protection Commissioner
Telephone: +353 57 8684800/+353 761 104 800
Email: info@dataprotection.ie
Post: Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois

9. Contact Us

You can contact us with any queries, complaints or requests to exercise your data protection rights using the details below:

Contact: Sonia Neary
Telephone: 012988132
Email: sonia@wellola.com
Post: Wellola, Dogpatch Labs, CHQ Building, Custom House Quay, Dublin 1

10. Updates to this Privacy Policy

Our Privacy Policy may change from time to time, and any changes to this Privacy Policy will be posted on the website and will be effective when posted. As your use of the Wellola website is subject to your acceptance of this Privacy Policy, and any amendments thereto, please check back regularly.