Browser Extension Privacy Notice
Last updated: 06 September 2024
OUR PRIVACY PROMISE
Your privacy is important to Limbic Limited ("Limbic", "we", "us" and "our"). We're committed to protecting your personal data and being transparent about the personal data we hold and use.
This privacy notice is intended to be concise, transparent, and easy to understand, but we appreciate that you may have queries or want to seek clarification as to its terms. If you have any queries, please see section 13 for details on how to contact us.
We may make changes to this privacy notice from time to time, including where necessary to reflect any changes in the ways in which we process personal data or any changes to data protection laws. Any updates to this privacy notice will be posted on the Limbic Website (www.limbic.ai). Please check this privacy notice regularly for updates.
1 INTRODUCTION
1.1 This privacy notice applies to you, a user of the Limbic Browser Extension (the "Extension") and our users or prospective users who are intended to be clinicians ("you" and "your").
1.2 Please read this privacy notice carefully. Among other things, it explains:
1.2.1 what personal data we may collect about you;
1.2.2 why we collect and use your personal data and the legal bases we rely on for processing it;
1.2.3 who we disclose your personal data to;
1.2.4 where we store your personal data;
1.2.5 how long we keep your personal data; and
1.2.6 your rights regarding the personal data we hold about you and/or which you provide to us.
2 WHO WE ARE
2.1 We are Limbic. We are a business that provides software for mental healthcare. Limbic is a company registered in England and Wales (company number: 11093861) with its registered office at Kemp House, 160 City Road, London, England, EC1V 2NX.
2.2 Data protection laws apply to our collection and use of personal data and Limbic is the controller of that personal data (ICO registration number: ZA779212).
2.3 If you have any queries regarding this privacy notice or the way in which we process your personal data, please contact us at:
Email: data.enquiries@limbic.ai
Address: FAO Data Protection Enquiries, CTO/Director, Kemp House, 160 City Road, London, England, EC1V 2NX.
3 CHANGES TO YOUR PERSONAL INFORMATION
It's important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes or if you become aware that any personal data that we hold about you is not accurate.
4 WHAT PERSONAL DATA WE COLLECT
4.1 The type of personal data we process may include (as applicable) the following:
Categories of Data | Description of Data |
---|---|
Identity Data | Clinician name; patient name, NHS number, date of birth, postcode, gender |
Contact Data | Clinician email address, clinician phone number; patient email address, patient phone number |
Correspondence Data | Information which you provide in, or we learn about you from, any correspondence or communications with us, including details of any enquiries or requests for technical support or customer care support and any other information you provide to us. |
Usage Data | Usage information, such as how you navigate around the Extension |
4.2 Information about why we process the above personal data and the lawful basis we rely on is set out in sections 6 and 7 below.
4.3 The Extension will require read access to the Patient Management System web pages that you visit in order to retrieve the relevant patient record from the Limbic database; this will allow you to view Limbic patient data within the Extension.
Limbic patient data consists of data collected from patient users in the course of their use of Limbic tools, Limbic Access and Limbic Care. Limbic patient data is collected in line with the following policies: https://policies.limbic.ai/access-p and https://www.limbic.ai/care-privacy.
We process this data on the legal basis of performance of a contract: the processing is necessary for fulfilling our contractual obligations with the healthcare service. The Limbic Extension collects the authentication token and record matching data (patient name, NHS number, date of birth, postcode, gender, email address, phone number) directly from the web pages you visit. Read access to other data is incidental; such data is not collected, used, stored or processed beyond what is necessary for retrieving the correct Limbic records.
4.4 The Extension will read which URL you are on so that it knows whether it should attempt to read a token. This data is processed on device by the Extension and never leaves the browser. We only process data which is adequate, relevant and limited to what is necessary to fulfil the purposes set out in this notice (also known as the 'data minimisation' principle). Where you are invited to input data into the Extension, you should only provide data which is relevant and necessary.
4.5 The Extension is designed to search for specific tokens within patient record systems. In the course of this process, it may inadvertently access information relating to children under the age of 13 or information regarding criminal convictions and offences if such information is stored in the patient record system. If the Extension does not find a valid Limbic token, any information accessed during this process is handled locally and is not stored or processed outside of the local machine. If you or any other person becomes aware that a child under the age of 13 has accessed or may have accessed the Extension and provided their personal data without parental consent, they must contact us by email at data.enquiries@limbic.ai.
5 HOW WE COLLECT DATA
5.1 We may collect the above information when:
5.1.1 you access, use or interact with the Limbic Browser Extension;
5.1.2 you correspond/interact with us via email, phone, social media or other channels;
5.1.3 you make any enquiry or complaint;
5.1.4 you purchase, request or subscribe for a product or service from us;
5.1.5 you request technical support or other customer care support;
5.1.6 you participate in competitions, surveys and questionnaires or provide us with a review or feedback; or
5.1.7 you provide data for other legal and regulatory purposes.
5.2 Where lawful, we may also obtain personal data from other third parties (including third party platforms) and we may process that information where such processing is necessary or permitted in order to provide our products and services to you, or where such processing is necessary or permitted for our internal administrative purposes or for marketing and business development purposes.
5.3 Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the agreement or arrangement we have or are trying to enter into with you or such failure may limit or prevent you obtaining access to, or making full use of, the Extension.
5.4 You are free to 'opt out' of giving us any particular information by simply not providing it, and you can withdraw your consent at any time, but again that may restrict our ability to provide you with our services.
6 HOW WE USE DATA
6.1 Purpose of Processing: To retrieve the authentication token and record matching data, as displayed within the Patient Management System. This will allow the extension to retrieve the corresponding Limbic patient data from the Limbic database and display this information within the extension. We process clinician name and email in order to facilitate account creation and authentication.
6.2 Incidental Access: While the Extension has read access to webpage content, only the hashed authentication token and the record matching data are actively used for processing.
6.3 We use your personal data for a number of purposes but only where we're allowed to by law.
6.4 We may process your personal data where such processing is necessary or permitted:
6.4.1 in order to perform any agreement we have entered into with you or in anticipation of any agreement we may enter into with you (including our Terms of Use);
6.4.2 to comply with any applicable law or regulation; and/or
6.4.3 for the purposes of the legitimate interests pursued by us or a third party. These legitimate interests include the purposes identified in the table below in section 7 but may also include other commercial interests and our internal administrative purposes. Where we rely on legitimate interests as the lawful basis for processing your personal data, we'll put in place appropriate safeguards to protect your data and to ensure that your fundamental rights and freedoms are not overridden by those legitimate interests.
6.5 We may also process your personal data where we have your consent. Where we rely on consent as the lawful basis for processing your personal data, we won't ever use that data for anything else except for the purpose for which we obtained consent at the time. You have the right to withdraw your consent at any time and if you wish to do so, you should contact us using the contact details set out in section 13 below. The withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds.
6.6 We may process your personal data for more than one lawful ground depending on the specific purpose for which we're using your data.
6.7 We may process your personal data ourselves or in conjunction with our third party service providers in accordance with section 8.
6.8 We'll only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
6.9 If we need to use your personal data for an unrelated purpose, we'll notify you (which may be by way of an update to this privacy notice) and we'll explain the legal basis which allows us to do so. In the event that the purpose of data collection changes where consent is the lawful basis for processing, we will notify you of such change and re-secure your consent for such processing.
6.10 Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
7 OUR LEGAL BASES FOR PROCESSING YOUR DATA
7.1 We've set out below the legal bases on which we process data. We've identified what our legitimate interests are, where appropriate.
8 HOW WE SHARE YOUR PERSONAL DATA WITH OTHERS
8.1 We won't share any of your personal data with third parties except as set out in this section or otherwise notified to you or agreed between you and us from time to time.
8.2 We may also share personal data with our group companies (including our subsidiaries, ultimate holding company and its subsidiaries) and partnered companies for the purposes outlined in this privacy notice. We may also share personal data with third party service providers who we engage to provide services which facilitate our business and we may also need to share personal data with other third parties in order to comply with our legal and regulatory obligations. Below is a list of specific third parties and other categories of third parties with whom we may share your personal data:
8.2.1 Heroku Services, our data hosting provider;
8.2.2 Amazon Web Services, the servers used by Heroku Services;
8.2.3 Sentry, our application monitoring and error tracking software;
8.2.4 Mix Panel, our application for monitoring performance and usage;
8.2.5 FusionAuth, our authentication supplier;
8.2.6 any third party buyer of our business or assets;
8.2.7 law enforcement or a regulator;
8.2.8 legal counsel and other professional advisers including accountants and auditors;
8.2.9 any of our personnel who may need access to certain of your personal data in order to provide their services, which may include personnel who are engaged as consultants or workers, as well as our employees; and
8.2.10 any similar or replacement third parties from time to time.
8.3 We ensure that any third party engaged by us who processes your personal data in connection with the purposes listed above has policies and procedures in place to ensure compliance with data protection laws.
8.4 For any third parties that are based, or process data, outside of the EEA or the United Kingdom, we engage such third parties in accordance with section 9 below.
8.5 We may share your personal data with third parties where we're required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry) or in connection with other legal proceedings (including where we believe that your actions violate applicable laws or any agreement with us, including our Terms of Use).
8.6 In the event that our business or any part of it is sold or integrated with another business, your details may be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business.
9 INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
9.1 From time to time it may be necessary for us to transfer your information internationally. In particular, your information may be transferred to and/or stored on the servers of third parties identified in section 8 which are based outside of the UK or the EEA.
9.2 However, we won't transfer your personal data outside of the UK or the EEA unless:
9.2.1 such transfer is to a country or jurisdiction which the EU Commission or the UK (as applicable) has approved as having an adequate level of protection;
9.2.2 appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses or binding corporate rules; or
9.2.3 the transfer is otherwise allowed under data protection laws (including where we have consent or the transfer is necessary for important reasons of public interest, is necessary for the establishment, exercise or defence of legal claims or is necessary for the performance of a contract with the data subject).
9.3 We'll ensure that where your personal data is transferred outside of the UK or the EEA, it is afforded an essentially equivalent level of protection as would be afforded to it within the location from which it is transferred.
10 HOW WE STORE AND RETAIN YOUR PERSONAL DATA
10.1 As a minimum, we need to store your personal data for as long as is necessary to enable us to fulfil the purpose for which it is processed, including to provide and operate our Extension, fulfil our legal and regulatory obligations (e.g. relating to record keeping) and to exercise or defend any legal claims.
10.2 For as long as we do store your data, we follow generally accepted industry standards and maintain reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. All information you provide to us is stored on our secure servers. We adhere to the NHS Data Protection Toolkit, have implemented DCB0129 standards for safety/risk mitigation, are ISO 27001 certified and are Cyber Essentials accredited.
10.3 We'll notify you without undue delay in accordance with the requirements of data protection laws, if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms and we're required by law to notify you.
10.4 We maintain and implement a data retention policy and will delete personal data in accordance with this other than in rare circumstances (for example, where we are required to retain data by law).
11 YOUR LEGAL RIGHTS
11.1 Subject to any conditions and requirements set out in data protection laws, you may have some, or all, of the following rights in relation to the personal data we hold about you:
11.1.1 the right to request a copy of your personal data held by us;
11.1.2 the right to correct any inaccurate or incomplete personal data held by us;
11.1.3 the right to request that we erase personal data we hold about you;
11.1.4 the right to request that we restrict the processing of your data;
11.1.5 the right to have your personal data transferred to another organisation;
11.1.6 the right to object to certain types of processing of your personal data by us;
11.1.7 the right to request that you are not subject to any decision which is based solely on automated processing, including profiling, where this produces legal effects or otherwise significantly affects you; and
11.1.8 the right to complain (please see section 13 of this privacy notice).
11.2 PLEASE NOTE that these rights are not absolute in all situations and may be subject to conditions and provisions set out in data protection laws. We cannot, therefore, guarantee that we'll be able to honour any request from you in connection with the rights set out above. (For example, even if you request that we delete your personal data, we may be required by law to retain some personal data for accounting and record keeping purposes or in order that we comply with our legal and regulatory obligations.)
11.3 We will respond to a request to exercise your rights as set out in this section as soon as we can, and in any event within two months.
11.4 For further information, or to exercise any particular right, please see section 13 for details of how to contact us.
12 LINKS TO THIRD PARTIES
12.1 The Extension may link or redirect to other websites, social media accounts or other content which is not under our control. Unless otherwise stated, such links or redirections are not endorsements of such websites or representations of our affiliation with them in any way, and such third party websites are outside the scope of this privacy notice.
12.2 If you access such third party websites or platforms, please ensure that you're satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website or platform operated by any third party.
13 QUESTIONS AND COMPLAINTS
13.1 Please contact us at:
Email: data.enquiries@limbic.ai
Address: FAO Data Protection Enquiries, CTO/Director, Kemp House, 160 City Road, London, England, EC1V 2NX.
13.2 You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in the UK is the Information Commissioner's Office (ICO) (www.ico.org.uk).
Version | Date | Details |
---|---|---|
1.0 | 06/09/2024 | First published |