Privacy Policy

Effective Data: 28th January 2021 This privacy policy applies to all information collected through the mobile application, ‘Acute COVID’ (the ‘App’). The policy explains how your data may be processed through the App and what rights you have in relation to that data. Please read the following carefully to understand how your data will be processed. If you do not want your data to be used as set out in this privacy policy, you should not use the App.

TABLE OF CONTENTS:

PART I: INTRODUCTION

PART II: GDPR

1: Terms 2: The Data Protection Principles 3: The Rights of Data Subjects

PART III: ACUTE COVID DATA PROCESSING

4: Personal Data 5: Automatically Collected Information 6: Legal Basis for Data Processing 7: Third Parties 8: GDPR Rights and Acute COVID 9: Transferring Personal Data to a Country Outside the EEA 10: Data Breaches

PART IV: MISCELLANEOUS

11: Policy Changes 12: Policy Implementation 13: Contact

PART I: INTRODUCTION

‘Acute COVID’ is provided by Imagineear Ltd (‘the Company’) (“we”, “our”, “us”) and was commissioned by the Chelsea and Westminster Hospital NHS Foundation Trust. Imagineear Ltd are registered in the United Kingdom under company No. 06887633 and have our registered office at The Compton Rooms, Fulham Palace, London SW6 6EA. We are registered with the Information Commissioner under the reference ZA13 0648. Imagineear Ltd recognises that it has a regulatory responsibility to protect the personal and sensitive data of data subjects, including staff, suppliers, clients and partners. We are committed to the protection of this data as an integral part of our business and operating methods, only ever using it in accordance with the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (GDPR). We are committed not only to the letter of the law, but also to the spirit of the law and place high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom we deal. We endeavour to:

• Comply with and/or exceed all relevant regulatory requirements;
• Continually monitor and improve the secure protection of data;
• Incorporate data security factors into business decisions; and
• Increase employee awareness and training.

This Policy sets out the obligations of Imagineear Ltd and its subsidiaries, regarding data protection and the rights of clients, suppliers and business contacts (“data subjects”) in respect of their personal data under the GDPR. This includes but is not limited to the collection, processing, transfer, storage and disposal of personal data. The procedures and principles set out herein will be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

PART II: GDPR

1. Terms

The GDPR relates to the processing of personal data. Personal Data: ‘any information relating to an identified or identifiable natural person’ – Article 4(1) Identifiable Natural Person: ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ – Article 4(1) Processing: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’ – Article 4(2)

2. The Data Protection Principles

The GDPR sets out the following principles with which we will comply. Should any personal data be processed by us, it will be:

• Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
• Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes.
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
• Accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

3. The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure (also known as the ‘right to be forgotten’)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights with respect to automated decision-making and profiling

PART III: ACUTE COVID DATA PROCESSING

4. Personal Data

No personal data is requested, required or otherwise processed by the Acute COVID app.

5. Automatically Collected Information

For the purposes of analytics, we automatically collect data when you use the App through certain in-app trackers. We do not use data to make automated decisions or use profiling. The types of data collected may include the number of users, new users, specific pages visited and the length of page visit. The purpose of this is to monitor and evaluate usage of the App in order to measure its effectiveness and improve its functionality. This type of data is fully anonymised and does not constitute personal data.

6. Legal Basis for Data Processing

All data processed by us is done so either with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfil business obligations.

7. Third Parties

We share data with the following third parties:

• Google Analytics: in order to process anonymous usage data.

For more information on the use of Google Analytics and how it collects and processes data, please see the page ‘How Google uses data when you use our partners’ sites or apps’ at www.google.com/policies/privacy/partners/. We have agreed to not assist or permit any third party to pass information to Google that Google could use or recognise as personally identifiable information. We confirm that the above third parties share our commitment to protecting your privacy and rights relating to your personal information.

8. GDPR Rights and the Acute COVID App

We process no personal data through the App and do not use automated decision-making or profiling. Consequently, the rights contained in the GDPR do not apply in relation to your use of the Acute COVID app.

9. Transferring Personal Data to a Country Outside the EEA

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. However, please remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Apps is at your own risk. You should only access the services within a secure environment. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will notify you as soon as possible if we have reason to believe that there are any security breaches affecting your personal data. We do not accept liability for any unintentional disclosure that occurs due to a security breach of our systems or facilities. The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. The transfer of personal data to a country outside of the EEA will take place only if one or more of the following applies:

• The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
• The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
• The transfer is made with the informed consent of the relevant data subject(s);
• The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
• The transfer is necessary for important public interest reasons;
• The transfer is necessary for the conduct of legal claims;
• The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
• The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

10. Data Breaches

All personal data breaches must be reported immediately to the Company’s Data Protection Officer. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described above) to the rights and freedoms of data subjects, the Data Protection Officer will ensure that all affected data subjects are informed of the breach directly and without undue delay. Data breach notifications will include the following information:

• The categories and approximate number of data subjects concerned;
• The categories and approximate number of personal data records concerned;
• The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);
• The likely consequences of the breach;
• Details of the measures taken, or proposed to be taken, by the Company to address the breach including where appropriate, measures to mitigate its possible adverse effects.

PART IV: MISCELLANEOUS

11. Policy Changes

This Privacy Policy may change from time to time when necessary to reflect customer feedback, changes in our programme, projects and services or legal changes. When we post changes to this policy, we will revise the “Effective Date” at the start of the privacy policy. We will assume you accept such changes if you continue to use the App. Except when we tell you otherwise, all amended terms shall automatically be effective immediately when posted. We reserve the right to add, change, suspend or discontinue the App, or any aspect or feature of the App, without notice or liability. If, at any point, you do not agree to any portion of the then-current version of the Privacy Policy, you must immediately stop using the App.

12. Policy Implementation

This Policy will be deemed effective as of the Effective Data stated at the beginning of this Policy. No part of this Policy will have retroactive effect and will thus apply only to matters occurring on or after this date.

13. Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to our Data Protection Officer, Andrew Nugée, by email at:andrewnugee@imagineear.com, by phone at 020 3954 351, or by post to: Imagineear Ltd Andrew Nugée The Compton Rooms Fulham Palace London SW6 6EA United Kingdom

Acute COVID Terms of Use

Effective Date: 10th February, 2021 These Terms of Use explain in detail how you are able to use the ‘Acute COVID’ application (the ‘App’) and describe the rights relating to the provision of our service, as defined below (“this Agreement”). Before using the App, please read the following carefully. Your access to the App is subject to agreement with these Terms of Use. By using the App, you agree to be bound by these Terms of Use in full. If you disagree with any part of these Terms of Use, you should not use our App. Please also see our Privacy Policy which is not a part of this agreement. You are also responsible for ensuring that those who access the App on your device are aware of and abide by these Terms of Use.

1.0 Parties to this Agreement

1.1 The App is provided by Imagineear Ltd (“we”, “our”, “us”), having been commissioned by the Chelsea and Westminster Hospital NHS Foundation Trust. Imagineear Ltd are registered in the United Kingdom under company No. 0688 7633 and have our registered office at The Compton Rooms, Fulham Palace, London SW6 6EA. 1.2 Users who have downloaded the App are individually each a Party to this Agreement (“You”, “Your”). 1.3 The parties described above in 1.1 and 1.2 are both separately Parties to this agreement, and together the Parties.

2. Our Service

The App contains information on a range of topics related to the coronavirus disease (COVID-19). Specifically, it is intended as a training resource for clinical staff on how to set up and use pre-ventilation equipment. Care has been taken to include information that is in line with scientific guidance, advice and/or quality standards that have been approved and collated by Dr. Ryan Dhunnookchand, a Respiratory Registrar ST7 & Medical Education Fellow at the Chelsea and Westminster Hospital NHS Foundation Trust or a similarly qualified medical professional that may be assigned this role from time to time. It is intended that the content of this app be used as a supportive resource only. The content should not be regarded or relied upon as a substitute for professional medical advice, diagnosis or treatment. Where you have any concern as regards your safety and wellbeing, you must seek medical advice from your doctor or another healthcare professional. It is intended that the content of this app be used as a supportive resource only. The content should not be regarded or relied upon as a substitute for professional medical advice, diagnosis or treatment. Where you have any concern as regards your safety and wellbeing, you must seek medical advice from your doctor or another healthcare professional. The contents of the App is reviewed quarterly and updated accordingly by Dr. Dhunnookchand, an approved panel of clinicians and service users to ensure that information given remains accurate, up-to-date and relevant for users. Despite these efforts to ensure the information provided is kept current and complete, we do not accept responsibility for possible errors or omissions. As such, any reliance on information in the App is at your own risk. Equally, there exists no relationship between Imagineear Ltd, Chelsea and Westminster Hospital NHS Foundation Trust, Dr. Dhunnookchand and users of the App that would give rise to any duties on our part.

3. Ownership Of Content

Imagineear Ltd and the Chelsea and Westminster Hospital NHS Foundation Trust are the joint owners or licensees of all right, title and interest in and to the App and content that may be accessed through the App, including without limitation all intellectual property rights therein and thereto. They are protected by international copyright law and treaties. All such rights are reserved.

4. Use Of Content

You may not use the App, and will not allow any third party to use the App: 4.1 For the purpose of harming or attempting to harm minors in any way; 4.2 To knowingly transmit any data or material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware; 4.3 To transmit, or procure the sending of, any inappropriate or offensive materials or any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam); 4.4 In any way that could damage, disable, overburden, or impair the App; 4.5 Or any part of the content in the App for commercial purposes without obtaining a licence to do so from us or our licensors; 4.6 To access, copy, transfer, transcode or retransmit content in violation of any law or third party rights; or 4.7 In any way that breaches any applicable local, national or international law or regulation or is fraudulent or has any unlawful or fraudulent purpose or effect. 4.8 To copy, emulate, clone, rent, lease, sell, modify, license, distribute, transfer, modify, adapt, translate, prepare derivative works from, decompile, reverse engineer, disassemble or otherwise attempt to derive source code from the App or content that may be presented or accessed through the App in contravention of the provisions of these Terms of Use for any purpose, unless otherwise permitted; 4.9 In any way that intentionally circumvents or defeats the security or content usage rules provided, deployed or enforced by any functionality contained in the App; or 4.10 In any way that removes, obscures, or alters Imagineear Ltd’s or any third party’s copyright notices, trademarks, or other proprietary rights notices affixed to or contained within or accessed in conjunction with or through the App.

5. Suspension And Termination

Should we decide that you have breached the Terms of Use contained in this agreement, we exclude liability for such a breach, and reserve the right to: 5.1 Restrict your right to use the App through an immediate suspension; 5.2 Issue a formal warning; 5.3 Begin legal proceedings and supply all information deemed necessary to the relevant law enforcement authorities; or 5.4 Take any other reasonably appropriate course of action.

6. Indemnity

To the maximum extent permitted by law, you agree to indemnify Imagineear Ltd, its affiliates and their respective directors, officers, employees and agents from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable legal fees) arising out of or accruing from your use of the App, including your downloading, installation, or use of the App, or your violation of these Terms of Use.

7. Limitation Of Liability

To the maximum extent permitted by law, Imagineear Ltd and its affiliates are not liable to you under any theory of liability for any direct, indirect, incidental, special consequential or exemplary damages, whether in contract, tort (negligence), breach of statutory duty, or otherwise, that may be incurred by you through your use of the App, even if foreseeable, arising under or in connection with use of, or inability to use, the App; or use of, or reliance on any content displayed on the App. Thus, by using the App, you assume full responsibility for using the materials and information contained therein and you understand that neither Imagineear Ltd nor its affiliates are responsible or liable for any claim, loss, damage (for example caused by a virus or other technologically harmful material that may infect your computer equipment), costs or expenses resulting from its use. We accept no responsibility for the content of third party websites, named agencies, companies, products, services or publications linked within the App. These links are not to be construed as a recommendation or endorsement by Imagineear Ltd or the Chelsea and Westminster Hospital NHS Foundation Trust and we are not liable for any loss or damage caused through your use of them.

8. Changes

These Terms of Use are effective as of the date stated at the beginning of this document. Imagineear Ltd reserves the right to add, change, suspend or remove aspects of these Terms of Use or the App itself without notice or liability. If you continue to use our App, it will be assumed that you have understood and accepted these changes. It is therefore important that you regularly review these Terms of Use and note the changes made. If, at any point, you do not agree to any portion of the current version of the Terms of Use, you must immediately stop using the App.

9. Termination

These Terms of Use will continue to apply until terminated by either you or us. You may terminate these Terms of Use at any time by permanently deleting the App from your device using the standard uninstall procedure. Your rights automatically and immediately terminate without notice if you fail to comply with any provision of these Terms of Use. In such event, you must delete the App immediately.

10. Miscellaneous

10.1 These Terms of Use constitute the entire Agreement between you and us relating to the App and govern your use of the App, and completely replace any prior or contemporaneous agreements between you and us regarding the App. 10.2 The failure of Imagineear Ltd to exercise or enforce any right or provision of these Terms of Use does not constitute a waiver of such right or provision, which will still be available to us. 10.3 If any court of law, having the jurisdiction to decide on this matter, rules that any provision of these Terms of Use is invalid, then that provision will be removed from the Terms of Use without affecting the rest of the Terms of Use. The remaining provisions of these Terms of Use will continue to be valid and enforceable. 10.4 The rights granted in these Terms of Use may not be assigned or transferred by either you or us without the prior written approval of the other Party. Neither you nor we are permitted to delegate your nor our responsibilities or obligations under these Terms of Use without the prior written approval of the other Party. 10.5 These Terms of Use and any disputes arising out of them shall be governed by English law with the courts of England and Wales having exclusive jurisdiction to resolve any legal matter arising from them.

11. Contact

Questions and comments on these Terms of Use are welcomed and should be addressed to the Legal Department, by email at legaldepartment@imagineear.com, by phone at: 020 3954 351, or by post to: Legal Department Imagineear Ltd The Compton Rooms Fulham Palace London SW6 6EA United Kingdom