Xploro is committed to protecting your privacy.

At Xploro we take protecting you and your child's privacy seriously. This notice explains what to expect when we collect information through Xploro.

What is Xploro?

Xploro is a unique technology ecosystem that uses augmented reality, gameplay and artificial intelligence to deliver health information to children and young people. Using Xploro helps reduce the worry and anxiety some children can feel when going to hospital. It also helps them get more involved in their care and have better experiences. The system consists of a mobile application for children and young people, a mobile web application for parents and guardians, and a management portal for clinicians and organisation admins.

Xploro is also used as a communication tool between patients, their parents and clinicians to schedule appointments using the calendar and to share the patient’s mood through a mood diary.

These functions are optional and can be disabled by changing your preferences in the Parent Application.

Xploro is a Limited company registered in England & Wales - our company number is 11761110. Our registered address is 21-23 Shudehill, Manchester, U.K. M4 2AF.

Our phone number is +44 (0)161 838 0808 and our email address is info@xploro.health.

Xploro is a registered trademark.

Whose data do we collect and where do we get it from?

We collect data from different places and different people:

2a. Data that comes from the admin users. These are the people who set up the accounts for each person on Xploro (likely to be a parent). As well as taking some data about users from admins, we also store some basic data on each of the admins in order to run Xploro. We call them 'Contract Holders'.

2b. Data that comes from caregivers such as doctors, nurses or therapists. These are people who are involved in caring for the patient. They may give information to the contract holder to pass on or they may help the patient interact with Xploro. As Xploro has a number of functions, such as the mood diary and calendar function it is possible that the patients may include some information about their caregiver. We call them 'Clinical Staff'.

2c. Data that comes from users who act in a parental capacity. The parent application feature allows those acting in a parental capacity to manage permissions and calendar events, we may therefore collect information from them and about them. We call them 'Guardians' and this is only applicable where the patient is under the age of 16.

2d. Data that comes from users going to hospital. As well as the information we need to set up an account, there are a number of features, including mood diaries, a calendar function and space to ask questions, where a child or young person can write whatever they choose and possibly, in doing so, give us information about themselves or someone else (e.g. someone’s name). We call them 'Patients'.

2e. We may receive information about other people such as friends or family members through some of the features such as the mood diary or calendar function. We call these 'others'.

What data do we collect and how do we use it?

We collect and use a number of different types of data, some of which is personal data and some of which isn't. All personal data is subject to policies and procedures to keep the data secure.

We need an active email address to set up the initial account, after which any data received will come from either contract holders, clinical staff, guardians or patients.

The application has a communication platform that will communicate the patient's mood in response to their hospital experience. If the mood diary function is enabled the moods indicated by the user will be shared with contract holders and clinical staff.

Additionally, the application has a calendar function that allows admins, caregivers, guardians and patients to schedule and/or log appointments. If this function is enabled the data will be shared with all 4 groups.

The application allows patients to ask questions. Some of those questions will be logged by Xploro in order for the application to better understand how to respond in the future. This data is not linked to any individuals, accounts or organisations and is subject to a retention period.

The software platform which Xploro is built on is called Unity. Unity collects some personal data from patients which includes device IDs and IP addresses. Patients can choose whether or not they want Unity to collect this data with a simple toggle button in the app. Xploro is not able to access this data; however, Unity supplies us with general information about how patients use the app, called analytics. Analytics are anonymised, used in aggregate with other users’ data, and do not identify individuals.

We recommend you read Unity’s privacy policy in order to inform yourself of what they collect, why and what your options and rights are with regard to that. https://unity3d.com/legal/privacy-policy

Data in the Xploro App

Logging in

The patient's legal guardian will receive an email invitation and login code from the health organisation (e.g. hospital) the child is visiting. When accepting this invitation the legal guardian will enter their email address. No other personal data will be processed at login.

As set out in article 6 of the General Data Protection Regulation by accepting this invitation they are consenting, on behalf of the user, to the processing of personal data summarised below.

Using the app

The Xploro application can collect personal data in the following places:

  1. Patients, guardians and clinical staff can add events to a shared calendar which includes appointments for treatment, visitors, check-ups and anything else they choose. This information is used by patients to record their activities during their treatment programme.
  2. Patients are regularly asked to indicate their mood. This is recorded as an emoji and is often linked to treatments and procedures.

These functions can be disabled at any time in the parent portal.

The application will only be able to operate on one device at a time. It is the responsibility of the guardian to remove the application from any devices no longer in use.

When the Contract Holder chooses to deactivate a Guardian in the portal, or when the contract for the application expires, the Guardian will be notified by email. At this point the data will also be deleted.

Storing and sharing data

Xploro acts as a Data Processor for the contract holder which invites patients to use the app.

The contract holder in question is the data controller. We have contracts in place with the Contract Holder to ensure that all personal data we share is done so securely.

Xploro does not view any data in the application without the permission of the controller.

All questions stored by Xploro are encrypted and subject to a retention period.

Xploro is based in the United Kingdom. When we work with health authorities in countries outside the UK our contracts include standard contractual clauses to protect the rights of individuals whose personal data is transferred. They contain contractual obligations on companies and their partners and are in line with the GDPR.

Xploro does not rent, sell or otherwise share information about anyone using our services with any other business, organisation or individual. The only exception to this is where we are legally obliged to do so to comply with a current judicial proceeding, a court order or legal process served on our website or company.

Lawful Basis for Using Your Data

Under Article 6 of the General Data Protection Regulation the lawful basis for the contract holder acting as controller is: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Under Article 6 of the General Data Protection Regulation the lawful basis for Xploro acting as processor is: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As set out in article 6 of the General Data Protection Regulation where a patient is under the age of 16 a guardian must consent to the processing of their data on their behalf.

Under Article 9 of the General Data Protection Regulation, for both the contract holder and Xploro, special category data is only processed where the data subject has given explicit consent to the processing of personal data or a guardian has consented for patients under the age of 16.

When you stop using the app.

Any personal data processed and stored by Xploro will be retained for no longer than one month after the patient's account has been closed by the contract holder.

The patient will still be able to access the application up until a time when it is deleted from their device. Any data entered into the application once the account has been closed by the contract holder will only be stored locally on the device, and will not be processed, transmitted or stored by either Xploro or the contract holder. If the application is then removed from the device that data will also be removed.

At this time it is not possible to download locally stored data from the app.

When contacting us through the Xploro website your email address, which is classed as personal data, is retained. We consider retaining it as a legitimate interest to our business and this is the lawful basis for processing that data.

How we keep it safe and up to date

In accordance with UK and European data protection laws, we take measures to secure all personal data.

We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal and special category data.

We assign retention periods to all personal data which are different for different types of data and which are reviewed regularly. Ask us if you want to see our retention policy.

What are your rights?

Xploro has a Data Protection Officer (DPO) who makes sure that your rights when it comes to your personal data are upheld. Our DPO is Saskia Coplans and you can contact her at saskia@xploro.health if you have any questions or would like any information.

Your rights

Your right of access

You have the right to ask us for copies of any personal information we process or store about you. As we only process your data with your, or your guardians', consent, this right always applies to Xploro and is called a subject access request.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies and is called a rectification request.

Your right to erasure

You have the right to ask us to erase your personal information if you no longer want us to hold it. As we only process your data with your, or your guardians', consent, this right always applies to Xploro. However, we need a certain amount of data to be able to provide the service, so full erasure may mean you can no longer use it. This is called an erasure request.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information. This is where we don’t delete your data but we also don't allow it to be accessed by anyone. This is called a restriction request.

Your right to data portability

You have the right to ask that some organisations transfer the information you give them to other organisations or directly to you. Whilst we are happy to provide your information directly to you, we do not hold it in a format that can be transferred to other organisations.

If you would like to make any of these requests please email us at info@xploro.health with the name of the request in the subject. We will send you a confirmation receipt and then follow up with some questions to verify your identity.

You can find out more about your data subject rights here.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Your right to object to processing

If you think we are not upholding your rights, or we are not processing your information lawfully you have the right to object.

If you think we are handling your personal data incorrectly you should approach us in the first instance and we will do everything possible to rectify the situation. If you are not happy with our response you have a right to contact the supervisory authority, in this case the Information Commissioner’s Office (ICO). You can lodge a complaint through their website here and they, in turn, will deal with it.

You can read more about this right here.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us at info@xploro.health if you wish to make a request, or call us on +44 (0)161 838 0808.

Please note:

This policy may be updated from time to time, so please check back occasionally to make sure you're happy with any changes.

If you have any questions about this policy or our privacy practices you can email us at info@xploro.health, call us on +44 (0)161 838 0808 or write to us at Xploro Limited, 21-23 Shudehill, Manchester, M4 2AF.