PRIVACY POLICY
We may update our Privacy Policy at any time. Please refer to this page for the latest version(s).
1. INTRODUCTION
This Privacy Policy outlines how QuantCare collects, uses, stores, and shares personal and health information of patients and practitioners who use our patient analytics services. Its purpose is to ensure transparency in our data processing activities and to comply with data protection regulations, including the General Data Protection Regulation (GDPR) and other relevant laws. We are committed to safeguarding the privacy and security of your personal information while providing high-quality healthcare analytics services.
This Privacy Policy applies to all personal and health data collected and processed by QuantCare in connection with our patient analytics services. It covers data collected through our website, practice management software, third-party applications, social networking sites, and direct communications with patients and healthcare providers. The policy is relevant to all data subjects, including patients, allied health practitioners, and medical practitioners interacting with our services.
2. TYPES OF DATA COLLECTED
2.1 Personal Information
QuantCare collects various types of personal information to provide effective patient analytics services and ensure the smooth operation of our platform. The types of personal information we collect include:
Full Name: This refers to the patient’s or healthcare provider’s legal name. We used this information to identify and personalise services and communication.
Email Address: We used your email address to communicate with you and send updates, appointment reminders, and marketing materials (with your consent).
Street Address: This is used for billing, sending physical correspondence, and, in some cases, determining the geographical location for service delivery.
Gender: Used for personalising healthcare services and analytics and for demographic analysis.
Age: Used for age-specific healthcare analytics, treatment personalisation, and demographic analysis.
Telephone Number: Used for direct communication, appointment reminders, and support services.
Contact Next of Kin: Used for emergency contact purposes and to keep next of kin informed about the patient’s health status if necessary.
Payment and Billing Information: This information is used to process payments, bill, and manage financial transactions related to the services provided.
Occupation: Used for demographic analysis and sometimes to tailor healthcare services based on occupational health risks.
Device and Device Type: This optimises the user experience, troubleshoots, and ensures compatibility with our platform.
Geo-Location Information: Used for location-based services, ensuring service availability in specific regions, and demographic analysis.
IP Address and Web Log Information are used to monitor security, analyse website usage, improve service delivery, and troubleshoot technical issues.
2.2 Health Information
QuantCare collects various types of health information to provide comprehensive patient analytics services, support healthcare providers, and enhance patient care. The types of health information we collect include:
Symptoms, Injury, or Diagnosis: Details about the patient’s symptoms, injuries, or medical diagnoses are used to generate accurate analytics, support diagnosis, and develop personalised treatment plans. This helps healthcare providers monitor patient progress and adjust treatment as necessary.
Comorbidities: Information about additional medical conditions or diseases that the patient has alongside their primary condition provides a holistic view of the patient’s health, enabling better management of multiple conditions and reducing the risk of adverse drug interactions or treatment conflicts.
Data from Connected Devices: Health data collected from fitness trackers, smartwatches, and other connected health monitoring devices is used to continuously monitor patient health metrics such as heart rate, activity levels, and sleep patterns, supporting remote patient monitoring and timely interventions.
Government Identifiers (e.g., Medicare Number): Government-issued identifiers like Medicare numbers verify patient identity, ensure eligibility for health services, and facilitate billing and claims with health insurers and government health programs.
Lifestyle Information: Information about the patient’s lifestyle, including exercise habits, diet, smoking, and alcohol consumption, is used to understand factors that may impact the patient’s health, support personalised lifestyle recommendations, and improve overall health outcomes.
Medical History: Detailed records of the patient’s past and current medical conditions, treatments, surgeries, and hospitalisations inform current treatment plans, identify patterns or recurring issues, and ensure continuity of care.
Specialist Reports and Test Results: Specialist reports and results from laboratory tests, imaging studies, and other diagnostic procedures provide accurate and timely information to healthcare providers for diagnosis, treatment planning, and monitoring of patient progress.
Prescriptions and Pharmaceutical Purchases: Information about medications prescribed to the patient and their pharmaceutical purchase history is used to track medication adherence, manage prescriptions, prevent drug interactions, and ensure effective medication management.
Health Insurer Details: Information about the patient’s health insurance provider, policy number, and coverage details is used to process insurance claims, verify coverage, and facilitate communication with health insurers regarding patient care and billing.
Genetic Information: Genetic data and information obtained from genetic testing identify genetic predispositions to certain health conditions, support personalised medicine, and tailor treatment plans based on genetic profiles.
Appointment and Billing Details: Information about the patient’s healthcare appointments, including appointment type, date, status (e.g., attended, cancelled, did not attend), and billing information related to those appointments is used to manage appointments, improve scheduling, ensure accurate billing, and provide reminders to patients for upcoming appointments.
2.3 Practitioner and Clinic Information
QuantCare collects detailed information about healthcare practitioners and their clinics to facilitate effective communication, service provision, and care coordination. The types of practitioners and clinic information we collect include:
Full Name: This information is used for identification, communication, and ensuring that patient interactions and data are accurately attributed to the correct healthcare provider. It is essential for maintaining accurate records and facilitating professional interactions within the healthcare ecosystem.
Clinic Name, Location, and Type
Clinic Name: This is used to identify the clinic in all communications, records, and reports. It helps patients and stakeholders recognise and associate the clinic with its services.
Clinic Location facilitates patient visits, manages logistics, and ensures accurate location-based services. This information is also critical for demographic analysis and optimising service delivery within specific regions.
Clinic Type: Clinics are classified based on the types of healthcare services provided, such as general practice, specialised medical services, allied health services, etc. This classification categorises clinics within the healthcare system, enabling patients to find appropriate care providers. It also helps customise the analytics services to meet the specific needs of different types of clinics.
Areas of Focus: The specialised areas or fields of medicine and healthcare in which the practitioner and clinic focus, such as cardiology, orthopedics, physiotherapy, mental health, etc. This information provides relevant and specialised analytics services, supports patient referrals, and ensures patients receive care from practitioners with the appropriate expertise. It helps match patients with the right healthcare providers based on their specific health needs and conditions.
This information ensures that the services are tailored to the specific needs and specialties of healthcare practitioners and their clinics while maintaining compliance with data protection regulations and upholding the highest data privacy and security standards.
3. DATA COLLECTION METHODS
QuantCare employs various methods to collect data from patients and healthcare providers to ensure comprehensive and effective healthcare analytics. These methods include direct collection techniques that involve active participation from data subjects. The primary direct collection methods are detailed below:
3.1 Direct Collection
3.1.1 Registration and Use of Services
Registration: During the registration process, individuals provide personal and health information such as their full name, email address, phone number, address, and other relevant details. This initial data collection is essential for setting up user accounts and granting access to QuantCare’s platform.
Use of Services: Additional data is collected as patients and healthcare providers interact with the platform. This includes information entered into the system using various features like appointment scheduling, health assessments, and treatment tracking.
Registration data creates user profiles, authenticates users, and personalises their experience. Data collected during service use is essential for providing tailored healthcare analytics, monitoring patient progress, and supporting clinical decision-making.
3.1.2 Communication via Phone, Email, and Video
Phone: When patients or healthcare providers contact QuantCare for support, inquiries, or to report issues, relevant personal and health information is collected during these interactions.
Email: Email communications collect data when users contact QuantCare for support, provide feedback, or consult. This includes the content of the emails, attachments, and any subsequent correspondence.
Video: Video consultations between patients and healthcare providers or between users and QuantCare support staff may involve collecting visual and audio data and any information shared during the consultation.
Data collected via these communication methods is used to provide customer support, resolve issues, enhance service delivery, and maintain accurate records of interactions. Video consultations support remote patient monitoring and telehealth services.
3.1.3 Website Interaction
Browsing: As users navigate the website, data such as IP addresses, pages visited, time and date of visits, and interaction patterns are automatically collected through cookies and web logs.
Forms and Surveys: Users may fill out forms or participate in surveys on the website, providing information such as feedback, health data, or preferences.
Login: When users log in to their accounts via the website, additional data related to their login activity, such as login times and authentication details, is collected.
Website interaction data improves user experience, analyses website usage patterns, enhances security and provides personalised content. Data from forms and surveys is used to gather feedback, conduct research, and further tailor services to user needs.
3.2 Indirect Collection
In addition to direct data collection methods, QuantCare also gathers data indirectly to ensure a comprehensive understanding of patient health and enhance our services’ functionality. These indirect collection methods involve data sourced from third parties and integrated systems, which help streamline healthcare operations and provide richer insights. The primary indirect collection methods are detailed below:
3.2.1 From Allied Health Practitioners and Medical Practitioners
Patient Information: Practitioners input patient health information, treatment plans, diagnostic results, and other relevant medical data into the QuantCare system.
Professional Assessments: Detailed assessments, clinical notes, and practitioner observations are collected.
This data enhances patient care by providing practitioners with comprehensive analytics and insights. It helps create detailed health profiles, monitor patient progress, and support clinical decision-making.
3.2.2 Through Third-Party Sites and Applications
Data Sharing: With patient consent, QuantCare receives data from third-party health and wellness applications, such as fitness trackers, diet apps, and other health monitoring tools.
External Services: Data from third-party services used by practitioners, such as external diagnostic tools or referral systems, is also collected.
This data provides additional context and detailed insights into patient health, supporting more personalised and effective treatment plans. It allows for integrating various health metrics into the QuantCare system, offering a holistic view of patient well-being.
3.3.3 From Practice Management Software
Integration: QuantCare integrates with various practice management systems to automatically collect data such as appointment schedules, patient demographics, billing information, and clinical notes.
Data Syncing: Information from these systems is regularly synced with QuantCare’s platform to ensure that all data is up-to-date and accurate.
This integration allows seamless data flow between systems, reducing administrative burdens and ensuring healthcare providers access comprehensive and accurate patient information. It supports efficient practice management and enhances the overall patient experience.
3.3.4 Social Networking Sites
Login and Registration: When users log in to QuantCare’s services using social networking credentials (e.g., Facebook, Google), relevant data from their social profiles is collected.
Engagement: Data is also collected from interactions on social media platforms, such as comments, likes, shares, and messages related to QuantCare’s services.
Data from social networking sites is used to facilitate easy login and registration processes, enhance user engagement, and gather feedback. It helps understand user preferences and behaviour, allowing QuantCare to effectively tailor its services and communication strategies.
These methods complement direct data collection techniques, providing a richer and more comprehensive dataset that enhances patient care, improves service delivery, and ensures efficient healthcare management. All data collected indirectly is handled in compliance with data protection regulations, maintaining the highest privacy and security standards.
4 PURPOSES OF DATA PROCESSING
QuantCare processes personal and health information to achieve several key objectives that enhance service delivery, ensure regulatory compliance, and improve patient outcomes. The primary purposes of data processing are detailed below:
4.1 Enabling Access to Website and Services: We process data to allow users to access and utilise QuantCare’s website and services. This includes user authentication, account setup, and providing access to various features and functionalities of the platform. It ensures that patients and healthcare providers can securely log in, manage their profiles, and use the tools and services available on the platform.
4.2 Improving and Optimizing Services: We use data to enhance the performance and effectiveness of QuantCare’s services. Data is analysed to identify areas for improvement, optimise service delivery, and ensure that the platform meets users’ evolving needs. This includes refining algorithms, improving user interface design, and enhancing overall system performance to provide a better user experience.
4.3 Analyzing Website Usage: We collect and analyse data on how users interact with the website. Understanding user behaviour, preferences, and usage patterns helps QuantCare improve website functionality and user experience. This includes tracking page visits, navigation paths, and interaction with various site elements to make informed decisions about website enhancements and feature development.
4.4 Sending Updates and Information: We communicate important information and updates to users, informing them about new features, service updates, policy changes, and other relevant information. This ensures that users are aware of any developments affecting their platform use and can benefit from new tools and features as they become available.
4.5 Marketing and Promotional Communications: We use data to send marketing and promotional materials to users. With user consent, QuantCare sends targeted marketing messages, promotional offers, and information about new services or events. This helps engage users, build brand awareness, and drive the adoption of new features and services. Users have the option to opt out of marketing communications at any time.
4.6 Compliance with Legal Obligations: We process data to comply with applicable laws and regulations. We ensure all data processing activities adhere to legal requirements, including data protection laws such as the GDPR. This includes maintaining accurate records, managing data retention periods, and fulfilling legal obligations related to data access, correction, and deletion requests from data subjects.
4.7 Dispute Resolution: We use data to resolve disputes and handle complaints. When users have complaints or disputes related to the services, QuantCare uses relevant data to investigate and resolve these issues. This includes reviewing communication records, service usage logs, and other pertinent information to ensure fair and efficient dispute resolution.
4.8 Administration of Rewards, Surveys, Contests, and Promotions: We manage user participation in various promotional activities. We collect and process data to administer rewards programs, conduct surveys, and manage contests and promotions. This helps engage users, gather valuable feedback, and reward loyal customers. Data collected for these purposes is used to ensure the smooth operation of these activities and to analyse their effectiveness.
5. LEGAL BASIS FOR PROCESSING
QuantCare processes personal and health information based on several legal grounds defined by the General Data Protection Regulation (GDPR). The primary legal bases for processing data are detailed below:
5.1 Consent: Explicit permission from data subjects to process their personal and health information.
User Registration: When patients and healthcare providers register for QuantCare’s services, they provide explicit consent to process their data.
Marketing Communications: Consent is obtained from users to send marketing and promotional materials. Users can withdraw their consent at any time.
Health Data: Specific consent is required to process sensitive health data, ensuring that patients are fully aware of and agree to how their data will be used.
Consent ensures that data subjects have control over their personal information and that their data is processed transparently and with explicit approval.
5.2 Legitimate Interests: Processing data is necessary for the legitimate interests pursued by QuantCare or a third party, provided these interests are not overridden by the data subjects’ rights and freedoms.
Service Improvement: Analyzing user data to improve and optimise services, enhance user experience, and develop new features.
Security Measures: Implementing security measures to protect user data and prevent fraud or unauthorised access.
Business Operations: Using data for operational purposes, such as internal record-keeping and service analytics.
Legitimate interests allow QuantCare to enhance service delivery, maintain security, and operate efficiently while balancing the interests of the data subjects.
5.3 Legal Obligations: Processing data is necessary for compliance with a legal obligation to which QuantCare is subject.
Regulatory Compliance: Maintaining records and reporting data as healthcare regulations and data protection laws require.
Data Subject Rights: Processing requests from data subjects to access, correct, or delete their data in compliance with GDPR requirements.
Legal Disputes: Retaining and providing data as necessary to resolve legal disputes or comply with judicial proceedings.
Legal obligations ensure that QuantCare adheres to all applicable laws and regulations, safeguarding the rights of data subjects and ensuring lawful data processing practices.
5.4 Performance of a Contract: Processing data is necessary to perform a contract to which the data subject is a party or to take steps at the data subject’s request prior to entering into a contract.
Service Delivery: Using data to provide services as agreed upon in the terms of service with patients and healthcare providers.
User Requests: Processing data to respond to user requests, such as appointment scheduling, treatment planning, and accessing health analytics.
Billing and Payments: Handling payment information and processing transactions to fulfil contractual obligations related to service delivery.
Ensuring that QuantCare can fulfil its contractual commitments to users, providing the agreed-upon services and managing associated administrative tasks.
6. DATA SHARING AND RECIPIENTS
QuantCare ensures that data is shared in a secure and controlled manner, both within the organisation and with external sub-processors, to provide comprehensive and effective healthcare analytics services. The details of data sharing and the recipients involved are outlined below:
6.1 Internal Sharing within QuantCare: Data is shared internally among QuantCare’s departments and authorised personnel.
Service Delivery: To ensure seamless service provision and support across different functions such as customer support, technical development, and clinical operations.
Data Analysis: To analyse and improve service performance, develop new features, and optimise user experience.
Security and Compliance: To maintain data security, ensure compliance with legal obligations, and manage data subject requests.
Controls: Access to personal and health data is restricted to authorised personnel only, based on their roles and responsibilities. Internal sharing is governed by strict data protection policies and procedures to ensure confidentiality and integrity.
6.2 External Sharing with Sub-Processors
QuantCare collaborates with various external sub-processors to enhance service delivery, manage infrastructure, and provide additional functionalities. These sub-processors are carefully vetted to meet QuantCare’s data protection standards. The primary sub-processors include:
Integrated Practice Management Software (Cliniko, Nookal etc…): Practice management software used by healthcare providers shares treatment notes, appointment details, and patient demographics to facilitate the integration of clinical data into QuantCare’s analytics platform, enabling comprehensive patient care and seamless data flow between systems.
Twilio (SendGrid): Twilio (SendGrid) is a cloud communications platform for sending emails and SMS. It shares first name, last name, email address, and mobile number to manage and deliver communications such as appointment reminders, notifications, and marketing messages.
Microsoft Azure: Microsoft Azure is a cloud computing service for data storage and processing. It shares all data stored on QuantCare’s platform, including personal and health information, to securely store data with robust encryption and provide scalable computing resources for data processing.
Atlassian: Atlassian, a software company providing tools for project management and support, shares the clinic owner’s first name, email address, screenshots, and URLs of emails sent to patients for troubleshooting purposes to manage customer support requests, troubleshoot issues, and enhance service delivery.
6.3 Data Protection Measures
Contracts and Agreements: All external sub-processors are bound by Data Processing Agreements (DPAs) that outline their responsibilities and obligations regarding data protection.
Security Standards: Sub-processors are required to implement robust security measures, including encryption, access controls, and regular security audits, to protect the data shared with them.
Compliance Monitoring: QuantCare regularly monitors sub-processors for compliance with GDPR and other relevant data protection regulations, ensuring they adhere to the highest data privacy and security standards.
7. DATA STORAGE AND SECURITY
QuantCare is committed to ensuring the security and confidentiality of the data it processes. This involves implementing robust data storage and security measures to protect personal and health information from unauthorised access, loss, or damage. The details of data storage and security practices are outlined below:
7.1 Storage Locations and Methods: Data is stored securely to ensure its integrity and availability.
Primary Storage: QuantCare’s data is stored in a SQL Database hosted on Microsoft Azure’s cloud platform.
Redundancy and Backup: Data is regularly backed up to prevent loss in case of hardware failure or other incidents. Redundant storage solutions are employed to ensure data availability and integrity.
7.2 Encryption and Security Measures
QuantCare employs multiple layers of encryption and security measures to protect data at rest and in transit.
7.2.1 AES 256 Encryption: Advanced Encryption Standard (AES) with a 256-bit key length.
Data at Rest: All data stored in the SQL Database is encrypted using AES 256 encryption to ensure it is unreadable without the appropriate decryption keys.
Data in Transit: Data transmitted between QuantCare’s platform and users is encrypted using Transport Layer Security (TLS) protocols, ensuring secure communication channels.
Azure Defender: Azure Defender is used to provide general cloud protection to resources as described in the link
7.2.2 IP Address Restriction: Restricting access to the server based on approved IP addresses.
Access Control: Only devices with pre-approved IP addresses can access the server, limiting entry points and adding an extra layer of security.
7.2.3 SQL Server Password Protection: Strong password policies for accessing the SQL server.
Complex Passwords: Enforcing complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.
Regular Updates: Requiring periodic password changes to enhance security and reduce the risk of unauthorised access.
7.2.4 IP Address Whitelisting with Multi-Factor Authentication: Combining IP address whitelisting with multi-factor authentication (MFA) for enhanced security.
Whitelisting: Only allowing access from specific IP addresses that have been whitelisted.
MFA: Implementing multi-factor authentication requires additional verification steps, such as a code sent to a mobile device, before granting access.
7.2.5 Access Controls: Implementing strict access controls ensures that only authorised personnel can access sensitive data.
Role-Based Access: This involves assigning access permissions based on user roles and responsibilities, ensuring that users can only access data necessary for their job functions.
Authentication: Strong authentication methods, including usernames, passwords, and MFA, verify the identity of users accessing the system.
Audit Logs: We maintain detailed audit logs to track access and data changes, helping us identify and respond to unauthorised activities.
7.2.6 Regular Security Audits: Conducting regular security audits to identify and address vulnerabilities.
Internal Audits: Review internal security policies, procedures, and systems to ensure compliance with security standards and best practices.
External Audits: Engaging third-party security experts to perform external audits and penetration testing to identify and mitigate potential security risks.
Compliance Checks: Ensuring that all security measures comply with GDPR and other relevant data protection regulations, maintaining the highest data privacy and security standards.
8. DATA RETENTION
QuantCare is committed to retaining personal and health information only for as long as necessary to fulfil its collected purposes, comply with legal obligations, and ensure optimal service delivery. The details of data retention practices are outlined below:
8.1 Patient Data
Active Use: Patient data is retained for the patient’s use of QuantCare’s services.
Post-Service: After a patient ceases to use the services, their data is retained for a period necessary to comply with legal obligations and for potential service reactivation.
Legal Compliance: Depending on the jurisdiction, specific retention periods are determined based on applicable laws and regulations, typically 7 to 10 years.
8.2 Practitioner and Clinic Data
Active Use: Practitioner and clinic data is retained for their contractual relationship with QuantCare.
Post-Service: After the termination of the contractual relationship, the data is retained for a period necessary to comply with legal and regulatory obligations, typically up to 7 years.
8.3 Temporary Data
Active Use: Temporary data is retained for the user session or until it has served its immediate purpose.
Post-Use: Temporary data is deleted immediately after its intended purpose is fulfilled, typically within a few hours to a few days.
8.4 Secure Deletion Processes: QuantCare employs secure deletion processes to ensure that data is irreversibly removed when it is no longer needed.
Standard Deletion: Data is deleted from active databases using secure deletion commands that ensure the data cannot be easily recovered.
Data Wiping: Data wiping techniques overwrite data multiple times, permanently erasing it for physical storage devices.
Physical Destruction: When physical storage media (e.g., hard drives) are no longer needed, they are physically destroyed to prevent data recovery.
Automated Deletion: Automated processes are in place to regularly review and delete data that has reached the end of its retention period, minimising the risk of retaining unnecessary data.
All secure deletion processes comply with industry standards and regulatory requirements, ensuring data is handled responsibly and securely throughout its lifecycle.
9. DATA SUBJECT RIGHTS
QuantCare is committed to upholding the rights of data subjects as stipulated by the General Data Protection Regulation (GDPR) and other relevant data protection laws. These rights ensure that individuals have control over their personal and health information. The key data subject rights are detailed below:
9.1 Right to be Informed
Data subjects have the right to be informed about the collection and use of their data, ensuring they are fully aware of how their information is processed, why it is collected, and how long it will be retained. QuantCare implements this right by providing clear and comprehensive privacy notices at the point of data collection, detailing the types of data collected, the purposes of processing, data retention periods, and data sharing practices, which fosters trust and confidence among users.
Additionally, QuantCare keeps data subjects informed about any significant changes to the privacy policy or data processing activities, reinforcing its commitment to transparency and accountability. This ongoing communication complies with legal obligations and strengthens the relationship with users, ensuring they feel secure and respected in their interactions with the platform.
9.2 Right of Access
Data subjects have the right to access the data held by QuantCare, allowing them to review and verify the accuracy of their information and understand how it is being used. This right is implemented by enabling data subjects to submit access requests via email at info@quantcare.io, where QuantCare will verify the requestor’s identity and provide the requested data in a commonly used electronic format (e.g., CSV) within one month.
The data subjects receive a copy of their data, including details about the purposes of the processing, data categories, and any third parties with whom the data has been shared. This process ensures transparency and lets data subjects stay informed about their personal information.
9.3 Right to Rectification
Data subjects can request corrections to their data if it is inaccurate or incomplete, ensuring their information is accurate and up-to-date. To implement this, data subjects can submit correction requests via email at info@quantcare.io. Corrections are made within 14 working days, and an email confirmation is sent to the requestor after QuantCare verifies the accuracy of the requested changes. This process supports effective service delivery and decision-making.
9.4 Right to Erasure
Data subjects also have the right to request the deletion of their data under certain circumstances. To facilitate this, data subjects can submit erasure requests via email at info@quantcare.io, and QuantCare will evaluate the request and, if valid, securely delete the data within one month. In cases where erasure is impossible, such as for audit trail information, the data may be anonymised. This right allows data subjects to remove their data from QuantCare’s systems when it is no longer needed or if they withdraw their consent.
9.5 Right to Restrict Processing
Data subjects have the right to request the restriction of processing of their data under specific conditions. They can submit restriction requests via email at info@quantcare.io, and QuantCare will limit processing activities as requested, notifying the data subject once the restriction is in place. Technical measures ensure that data is not processed outside of these restrictions, allowing data subjects to control the extent to which their data is processed, particularly in situations where data accuracy or processing legality is disputed.
9.6 Right to Data Portability
Data subjects have the right to obtain and reuse their data across different services, enhancing their control over their information. They can request their data via email at info@quantcare.io, and the data will be provided in a commonly used, machine-readable format such as CSV. This allows data subjects to transfer their data to another service provider as needed, facilitating easy movement, copying, or transfer of their data across different IT environments.
9.7 Right to Object
Data subjects have the right to object to processing their data, particularly when processing is based on legitimate interests or for direct marketing. To exercise this right, data subjects can submit objections via email at info@quantcare.io. QuantCare will review the objection and cease the processing activities if compelling legitimate grounds do not justify the processing. Additionally, data subjects can opt out of marketing communications at any time, allowing them to stop their data from being processed for specific purposes they do not agree with.
9.8 Rights Related to Automated Decision-Making
Data subjects have the right to contest decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects on them. They can request a review of automated decisions via email at info@quantcare.io, and QuantCare ensures that a human reviews the decision and explains the outcome. Data subjects can also request human intervention, express their point of view, and contest the decision, protecting them from potentially harmful or biased automated decisions and ensuring significant decisions involving human oversight.
By upholding these data subject rights, QuantCare ensures that individuals have control over their personal and health information, fostering transparency, trust, and compliance with data protection regulations.
10. INTERNATIONAL DATA TRANSFERS
QuantCare may transfer personal and health data to countries outside the European Economic Area (EEA) to facilitate the provision of its services. To ensure that these international data transfers comply with GDPR and maintain the highest data protection standards, QuantCare implements various legal mechanisms and assesses data protection adequacy in recipient countries. The details of these practices are outlined below:
10.1 List of Non-EEA Countries
United States: Data may be transferred to the United States for processing by several subprocessors, including, but not limited to, Microsoft Azure, Twilio (SendGrid) Atlassian. These transfers support data storage, communication services, website analytics, and customer support functions.
Australia: Data may be transferred to Australia for processing by integrated practice management software providers such as Cliniko. These transfers facilitate clinical data integration, enhancing the functionality and comprehensiveness of QuantCare’s analytics services.
Other Countries as Detailed in DPAs: Based on specific services provided by subprocessors, data may also be transferred to other countries where they operate. These transfers support various operational needs and service enhancements. The countries involved are detailed in each subprocessor’s Data Processing Addendums (DPAs).
10.2 Legal Mechanisms for Transfers
Standard Contractual Clauses (SCCs): SCCs are standard contractual terms and conditions ensure data protection compliance when personal data is transferred outside the EEA. QuantCare includes SCCs in contracts with sub-processors in non-EEA countries to provide a legal framework for data protection.
Data Processing Addendums (DPAs): DPAs are agreements between QuantCare and its sub-processors that outline data processing terms, including data protection obligations. Each DPA specifies the countries where data processing occurs and includes commitments from sub-processors to comply with GDPR-equivalent data protection standards.
The DPA establishes clear and binding data protection requirements for subprocessors, ensuring secure data handling across international borders.
10.3 Adequacy of Data Protection in Recipient Countries: Assessing the level of data protection in countries where data is transferred to ensure compliance with GDPR standards.
United States: Although the European Commission has not made an adequacy decision in the US, QuantCare relies on SCCs and compliance with the EU-US Data Privacy Framework where applicable. Sub-processors in the US implement robust data protection measures, including encryption, access controls, and regular security audits.
Australia: The European Commission has not made an adequate decision for Australia. QuantCare ensures that Australian sub-processors comply with SCCs and implement strict data protection measures, such as encryption and secure data storage practices.
Other Countries: For countries without an adequacy decision, QuantCare uses SCCs or Binding Corporate Rules (BCRs) to protect data transfers. Sub-processors in these countries must adhere to GDPR-equivalent data protection standards, including data encryption, access controls, and regular compliance checks.
11. DATA SECURITY MEASURES
QuantCare is dedicated to ensuring the security and confidentiality of the personal and health information it processes. To achieve this, quantCare implements a comprehensive set of technical and organisational measures, staff training programs, and regular audit procedures. These measures are designed to protect data against unauthorised access, loss, or damage and to comply with data protection regulations such as GDPR. The details of these security measures are outlined below:
11.1 Technical Measures
11.1.1 Encryption
AES 256 Encryption: All data at rest is encrypted using AES 256 encryption to ensure it is unreadable without the appropriate decryption keys.
TLS Encryption: Data transmitted between QuantCare’s platform and users is encrypted using Transport Layer Security (TLS) protocols to protect against interception and tampering during transit.
11.1.2 Access Controls
Role-Based Access Control (RBAC): Access to data is restricted based on user roles and responsibilities, ensuring that only authorised personnel can access sensitive information.
Multi-Factor Authentication (MFA): Implementing MFA to access critical systems and data adds an extra layer of security by requiring multiple verification forms.
IP Address Whitelisting: This method restricts access to servers and systems based on approved IP addresses to limit points of entry.
11.1.3 Network Security
Firewalls: Using firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules.
Intrusion Detection Systems (IDS): Deploying IDS to monitor network traffic for suspicious activity and potential threats.
11.1.4 Data Integrity
Checksums and Hashing: Checksums and hashing algorithms verify data integrity and detect unauthorised changes to data.
Data Backups: Regularly backing up data to secure locations to ensure data can be restored in case of loss or corruption.
11.2 Organizational Measures
Data Protection Policies: Establishing and enforcing comprehensive data protection policies that govern how data is collected, processed, stored, and shared.
Data Protection Officer (DPO): Appointing a DPO responsible for overseeing data protection strategy, ensuring compliance with regulations, and addressing data protection queries and issues.
Incident Response Plan: Developing and maintaining an incident response plan to promptly address data breaches or security incidents, including steps for containment, investigation, notification, and remediation.
Vendor Management: Conduct thorough due diligence on third-party vendors and subprocessors to ensure they meet QuantCare’s data protection standards and include data protection requirements in contracts.
11.3 Staff Training
Regular Training Programs: Training sessions for all employees on data protection principles, security best practices, and their roles and responsibilities in protecting personal data.
Awareness Campaigns: We are conducting ongoing awareness campaigns to keep data protection in mind for all staff, including updates on the latest security threats and data protection regulations.
Specialised Training: Offering specialised training for employees with access to sensitive data or those in roles that require a deeper understanding of data protection, such as IT and customer support staff.
Phishing Simulations: Running phishing simulation exercises to educate employees on recognising and responding to phishing attempts and other social engineering attacks.
11.4 Audit Procedures
Internal Audits: Conduct regular internal audits to review compliance with data protection policies, identify potential vulnerabilities, and ensure that security measures are effectively implemented.
External Audits: Engaging third-party security experts to perform external audits and penetration testing to identify and address security gaps and validate the effectiveness of existing measures.
Compliance Audits: Periodically auditing compliance with GDPR and other relevant data protection regulations to ensure QuantCare meets its legal and regulatory obligations.
Continuous Monitoring: Implementing constant monitoring tools and processes to detect and respond to security incidents in real time, ensuring that potential threats are addressed promptly.
12. PRIVACY POLICY UPDATES
QuantCare is committed to maintaining transparency and informing users about changes to its privacy practices. This section outlines how updates to the privacy policy are managed and communicated to ensure that users are aware of the most current data protection practices.
12.1 Notification of Changes
QuantCare regularly reviews its privacy policy to ensure compliance with legal requirements, industry standards, and best practices. Changes may also be made in response to new services, features, or user feedback.
Whenever significant changes to the privacy policy are planned, QuantCare provides advance notice to users. This allows users to review the changes and understand their implications before they take effect.
Each updated privacy policy version includes a clear, effective date to indicate when the changes will occur. This date is prominently displayed at the beginning of the policy document.
12.2 How Updates Are Communicated
Email Notifications: QuantCare sends notifications to all registered users to inform them about significant changes to the privacy policy. These emails include a summary of the key changes and a link to the updated policy.
Website Announcements: Updates to the privacy policy are announced on QuantCare. A prominent banner or notification is displayed on the homepage and relevant sections of the site, directing users to the updated policy.
User Consent: In cases where changes to the privacy policy require user consent (e.g., new data processing activities), QuantCare may request users to review and accept the updated policy before continuing to use the services.
13. ANONYMITY OF PERSONAL AND SENSITIVE INFORMATION
You are unable to create anonymous profiles as it would be impractical due to the nature of the Services provided to you.
We automatically collect information that is de-identifiable through our Website and Services, for example, IP addresses and browser type. This information may be collated with any Personal and Sensitive Information we have collected about you.
In the event that we provide your Personal, Sensitive, or Health Information to a third-party entity, it will be de-identified unless you consent or it is otherwise required by law.
Aggregated and/or deidentified information that is no longer associated with an identified natural person or identifiable natural person, may be used or disclosed for any purpose.
In instances where AI is leveraged in the QuantCare analytics platform suite, we utilise Microsoft Azure’s machine learning studio (not Open AI suite). QuantCare builds predictive models in-house only, by using algorithms built in Python. All data resides in QuantCare’s Azure environment in-region. This ensures that no data is transferred or able to be accessed externally. Data used to train models are de-identified prior to use.
14. CONTACT INFORMATION
QuantCare is committed to addressing data protection queries and supporting users in exercising their data subject rights. This section provides details on how users can contact QuantCare for these purposes.
How to Contact QuantCare for Data Protection Queries
Email: Users can email QuantCare’s Data Protection Officer (DPO) with any data protection-related queries or concerns at info@quantcare.io.
Mail: For written correspondence, please mail us at QuantCare, PTY LTD – 10 FULHAM WAY WOLLERT VIC 3750,
15. COMPLAINTS
QuantCare is dedicated to promptly and efficiently resolving any complaints related to data protection. This section details how users can complain to the relevant supervisory authority.
If users believe QuantCare has not adequately addressed their data protection concerns or has violated data protection laws, they have the right to complain to a supervisory authority.
Users should identify the appropriate data protection authority in their jurisdiction. For users in the European Union, this typically means the national data protection authority in their country of residence.
Users can submit their complaint in writing, by phone, or through the authority’s online portal, providing as much detail as possible about the issue.
Supervisory authorities’ contact details are usually available on their official websites. QuantCare will also guide and support users who are seeking to complain.
info(at)quantcare.io