Effective Date: 6th July 2021
Sources of Personal Data
We collect Personal Data about you from:
when you provide such information directly to us, and
when Personal Data about you is automatically collected in connection with your use of our Services.
Personal Data We Collect
We collect and process of the following types of Personal Data about you:
1. Personal Identifiers:
We collect personal identifiers from you and your device such as your name, email address, a username and password, IP address, Identification data, device ID, and other identifiers including your date of birth. We also collect your IP address (All of the foregoing, “Personal Identifiers.”)
We process Personal Identifiers for the purposes of providing you the Services and developing, improving and running the Services. For example, we need to know your date of birth and vaccination history in order to provide relevant information about your future vaccine recommendations. We may also send you information about new versions of the app or similar apps we may have in the future. Every marketing email sent by us will include a link you can click to opt-out from receiving such emails.
2.Health data and other protected classification characteristics:
Through our Service, you may choose to submit health related information about yourself, such as your gender, your age and pre-existing conditions, and your vaccination & immune health status (“Health Data and Other Protected Classifications”).
We process Health Data and Other Protected Classifications for the following purposes:
To allow you to digitally share data with your consent in a more efficient, digital format (for example, to share your digital Covid-19 vaccination status with a health provider who did not provide that vaccination and may therefore not have access to that information in their own record base) with legitimate 3rd parties.
To make your & your family’s vaccination and immune health records available to you on your phone should you wish to access them.
To provide reminders and information about future vaccine doses that may be recommended for you.
Personal Data of Children
We do not knowingly collect or solicit Personal Data directly from children under 18; if you are a child under 18, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn we have collected Personal Data directly from a child under 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided Personal Data to us, please contact us at firstname.lastname@example.org.
Sharing of Personal Data
1. Third party processors: We use third parties to process some of your Personal Data on our behalf, for example security and fraud prevention providers, hosting and other technology and communications providers, analytics providers, and staff augmentation and contract personnel. When we allow them access to your data, we do not permit them to use it for their own purposes. We have in place with each processor a contract that requires them only to process the data on our instructions and to take proper care in using it.
These processors include:
Google Cloud Platform
Google G Suite
2. Other Third Parties:Imunis allows consent-based digital sharing of data between yourself and designated third parties. These are organisations with laws or policies in place which allow them to legitimately ask you questions about your health status. Data will only be shared with those organisations with your explicit consent. These include:
Central Health Medical Practise, Hong Kong
Other licensed medical providers in Hong Kong as listed here
Third parties such as registered schools and educational establishments as listed here
3. Transfer: We may restructure how we provide the Services, and as part of that, your Personal Data may be transferred to one of our affiliates or to a not-for-profit organisation.
Data Security and Retention
We seek to protect your Personal Data from unauthorised access, use and disclosure using appropriate physical, technical, organisational and administrative security measures based on the type of Personal Data and how we are processing that data. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the Internet or storing data is completely secure. We cannot guarantee the complete security of any data you share with us, and except as expressly required by law, we are not responsible for the theft, destruction, loss or inadvertent disclosure of your information or content.
We retain your Personal Data in order to provide you with our Services. The third party health care providers from whom your data is sourced with your consent are subject to separate applicable data retention laws.
In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or is otherwise required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. We will provide you with the following information:
The categories of Personal Data that we have collected about you.
The categories of sources from which that Personal Data was collected.
The business or commercial purpose for collecting or selling your Personal Data.
The categories of third parties with whom we have shared your Personal Data.
The specific pieces of Personal Data that we have collected about you.
If we have disclosed your Personal Data for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient.
You have the right to request that we delete the Personal Data that we have collected from you.
Exercising Your Rights
To exercise the rights described above, you must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify you and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive, or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request using the following methods:
Email us at: email@example.com
Personal Data Sales
We do not sell your Personal Data.
Personal Data Use and Processing Grounds
We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent and our “legitimate interests” or the legitimate interest of others, as further described below.
Legitimate Interests: Our legal basis for processing your Personal Identifiers is our legitimate interest in providing you the Services and developing, improving and running the Services.
Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection. Specifically, we process the category of Health Data and Other Protected Classifications based on your consent. Because of the tight regulatory requirements placed on us, we need your consent to process data about your health, which means that if you do not consent (or withdraw your consent), we cannot allow you to use the app. This is not meant unkindly, we are simply not able to provide you with the service without your consent.
If you wish us to stop processing Health Data and Other Protected Classifications, you may withdraw your consent at any time by emailing us at firstname.lastname@example.org.
When you withdraw your consent, we will delete all Health Data and Other Protected Classifications we hold about you.
Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.
In some cases, we may need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.
Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging on to your account.
Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data.
Erasure: You can request that we erase some or all of your Personal Data from our systems.
Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.
Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
Transfers of Personal Data
Our address is: Suite 4, 14F CMA Building, 64 Connaught Road, Central, Hong Kong. Data Protection Officer: email@example.com