C19-YRS Privacy Policy
Last reviewed: 31st October 2024
1. Introduction
This policy explains how your data is used by the C19-YRS online system (‘the system’), and the C19-YRS.com and C19-YRS.me websites (‘the websites’).
‘The system’ refers to:
- Our ‘digital app’ which is used by or on behalf of individuals to record information about their health, which can be accessed on supported Android and iOS devices or through a web browser.
- An online ‘web portal’, which is used by staff to administrate the system and oversee users of the digital app where applicable.
The websites refer to the publicly available support resource website, and the product information website, which are separate from the system.
2. What this Privacy Policy Covers
This privacy policy covers how we treat personal data that we gather and subsequently process when you access or use our service. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
This privacy policy does not cover the practices of companies we don’t own or control or people we don’t manage.
3. Who is responsible for the system
The system and website are managed by ELAROS 24/7 LIMITED (“ELAROS”) a company registered in England and Wales under no. 07469411 and whose registered office is at electric works, Sheffield digital campus, Sheffield, S1 2BJ.
ELAROS respects personal privacy and is committed to protecting personal data and fully complying with its legal obligations under the GDPR and the data protection act 2018.
For end users of the digital app for personal use who are not supervised by an organisation, ELAROS is a data controller and is responsible for your Personal data.
For end users who register with us following an invitation from a healthcare provider, research organisation, or other organisation then ELAROS acts as a data processor to deliver our services to you on behalf of an organisation.
Our typical customers are either clinical organisations that provide care and treatment; trusted research organisations, such as universities, who are using the system to deliver a research study.
Individual end users can also pay for a licence to use a personal version of the digital app or have this paid for by an organisation, for example, their health provider or health insurer.
ELAROS is a data controller for any data gathered through the websites, which do not gather any personally identifying or sensitive data.
4. Contacting ELAROS
You can contact ELAROS by writing to us at the above address, or by emailing us at support@elaros.com or by calling us on 0114 286 6200.
We have appointed a data protection officer to support the management of data protection at ELAROS and for dealing with any questions you may have in relation to this privacy policy. You may contact ELAROS using the contact details given above, or directly at dpo@elaros.com.
5. What personal data do we collect?
Below is a list of the categories of Personal Data we may collect and for what purpose.
Account information
- Name – for personalisation of the app, and for authorised personnel to verify your identity
- Email address – for account registration and recovery
- Age (determined by date of birth which is hidden from us)
- Gender (as defined by the person registering the account)
- Country of residence
- State / region / province
- Primary language
This is information is used to register an account in order to:
- Manage your account and provide user support
- Determine whether particular laws apply to you when processing your data
- To review in our analysis of Service Users to help direct our effort to improve certain features
- To review where our service is used to consider where to direct our efforts to improve certain features, for example, addition of new languages
We require certain information to deliver our service to our customers, therefore some of these fields are mandatory in order to register an account.
Health and demographic information
- Age (determined by date of birth)
- Gender (as defined by the Service User)
- Information about your health status (including height and weight)
- Information about your medical history and any pre-existing conditions
- Smoker status
- Symptom profile and severity, and change over time
- Racial or ethnic origin data
- Any medications you take and what for
- Medical history
- COVID-19 infection history
- COVID-19 vaccination history
- Employment status
We process this data to help you or those supporting you to track and understand your illness and to generate reports summarising the data collected through the system.
We use this data to:
- Provide you or an organisation supporting you with a record of your data
- Personalise the user experience
- Produce aggregated anonymised statistics to monitor service usage
- Produce exportable reports for Service Users to export and share with others
- Produce anonymised reports for local health authorities where we are permitted to do so
The websites do not gather any personally identifying information, but they do record technical information about you and how you interact with our website, such as the pages you visit, the links you click, the region you are in, and the time and date of your visits. The websites do not rely on cookies to perform this processing.
Payment Information
Customers of the digital app for personal use need to provide their payment information to the (Android or iOS) app store providers in order to process your purchase and notify us as managers of the system.
The minimum information needed to make a purchase is the payment amount, card type, card number, and your billing address. We are only permitted by the App Store providers to see the last 4 digits of your card number.
We retain this data as long as necessary to comply with our legal obligations under tax and corporate law after which we will be permanently deleted.
The websites do not gather any personally identifying information from users, but they do record technical information about users and how they interact with the websites, such as the pages they visit, the links they click, the region they are in, and the time and date of visits.
6. Who is your data shared with?
Data processed through the system may be shared in various formats for certain purposes which can be summarised below:
With ELAROS, as managers and owners of the system:
- To manage and administrate accounts of our service users where permitted
- To provide user support to our service users where permitted
- To deliver services to our Customers
- For legitimate business interests to inform us on which new features our Service Users wish to see added to the system
With clinics providing you with care and treatment, where applicable:
In cases where we process your data on behalf of a clinical organisation that is providing you with care that has registered you onto the system, we will share your personal data with them to deliver care to you. We rely on the following legal basis in this regard:
- Healthcare provision: processing and sharing your health data with healthcare services supporting you is necessary to deliver our services and grant them access to features of the web portal to support you and with for reporting to other authorised third-parties in anonymised format (where applicable), for example with health commissioners for routine service evaluations.
With sub-contracted organisations to support us with:
- Hosting and maintenance of the system
- Secure storage of your data, routine updates and enable account recovery
- Software development of new features and improvement of the system
- Payment processing, for example the Apple and Google Play app stores
To process data through the system, we require the support of another company called PNP digital Ltd. PNP digital are a UK-based software development company composed of app developers, cloud software engineers, web designers and business experts, focused on delivering bespoke digital app and cloud software solutions. PNP digital manage the hosting of the system on behalf of ELAROS and are authorised to process the collected data only as instructed by us directly, or as required by our customers for legitimate purposes, such as account recovery, or for data rectification or erasure requests. For more information on PNP digital’s storage policies for data collected via the system, visit https://pnp.digital/policies/
7. Use of anonymised data
When instructed by our customers, or when acting as a data controller, we may modify personal data from our service users into anonymised or aggregated formats. Once modified, this data cannot be used to identify you in any way and is no longer categorised as personal data. This data cannot be linked to or used to trace the identity of the user who recorded the original data.
We may share this data with third parties or to the public for legitimate research or public interests and to promote our business and the system.
In any case where data is shared, we will never sell your personal data for commercial purposes, for example to marketing companies or pharmaceutical companies, or share with any third party that is not adequately vetted or authorised to manage such data.
Reasons why our research partners and health authorities may wish to analyse this anonymous data include:
- To evaluate the longitudinal impact of health condition / illnesses on society
- To evaluate the prevalence of a particular health condition in a particular geographical area or country
- To advance the scientific understanding of health conditions and potential demographic associated factors linked to ethnicity or medical history
- For anonymous reporting in countries where levels routine data reporting in clinical services is low
- To evaluate the economic impact of health conditions on employment outcomes and productivity
8. Data storage and retention
As an organisation based in the United Kingdom, we are bound by UK GDPR which requires data to be stored in a territory that offers an adequate level of data protection.
To comply with this requirement, we store data in the United Kingdom, except for customers who require their data to be stored elsewhere due to data privacy laws in their own territory, providing the required location of storage still meets UK GDPR data protection requirements.
For organisations operating in the European Union, data will be stored in the European Union region as a minimum and may need to be stored in a specific country depending on the customer’s national data privacy law.
As we expand our services to new territories, this Privacy Policy may be updated from time to time to account for other territorial data privacy laws we are contractually required to comply with by our customers.
In any case, we sub-contract an industry-leading cloud hosting provider to store user data in the cloud in the necessary territories so that customers can access the system on any supported mobile or web-based device at any time, and from any location we deliver services in. Data can only be accessed through authentication methods which will also enable you to recover your data if your device is lost.
When processing data on behalf of an organisation, we will only store personal data for as long as contractually required by the organisation.
When acting as a data controller we will provide our service for as long as we reasonably believe is necessary to support users or as long as feasibly possible for us as a business.
In the event that we undergo a merger, acquisition, bankruptcy, or other event that warrants us to terminate our service, we will make reasonable efforts to notify and advise you on your options to retain a personal and permanent copy of your data or if your data will be retained by another provider.
Service users may delete and close their account at any time, either directly through the app or by sending a request to the organisation overseeing your account. In these cases, we are required by law to delete any individual records and backups of data that relate to you that may be able to identify you.
Any third-party partners that we collaborate with that have access to your personal data may hold information for longer depending on their local data regulation and if there is a legitimate reason to do so. Any identifiable information in relation to your personal data would be removed before sharing this with third parties in any case.
9. Personal data of children
We do not knowingly collect data of people under the age of 18 years unless they have been registered onto the digital app by an organisation, such as a health provider or approved research organisation with the relevant and necessary legal basis to do so.
Any personal data found to be related to a known child under the age of 18 that has not been registered by an authorised user will be deleted permanently from the system.
10. What are your data protection rights?
You have several rights under data protection law, including the right to see what data is held about you, have it corrected if it is inaccurate and even to have data removed from the system in some circumstances. For more information about these rights, or to submit a request, please email us at c19-yrs@elaros.com.
Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is extremely impractical, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision.
In some cases, we may need you to provide us with additional information, which may include identifiable information, if necessary to verify your identity and fulfil your request.
- Right to be informed: individuals have the right to be informed about the collection and use of their personal data.
- Right of access: you can request more information about the personal data we hold about you and download a copy of such personal data directly from the app.
- Right to rectification: if you believe that any personal data we are holding about you is incorrect or incomplete, you can rectify this data via the app or contact us at c19-yrs@elaros.com.
- Right to erasure: you can delete some or all of your data from the system yourself, or request that we delete your account and all associated data permanently.
- Right to restrict processing: you can restrict any further processing of your data by no longer inputting any new data into the app, or by deleting your account and deleting the app.
- Right to data portability: the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- Right to object: the UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Withdrawal of consent: you have the right to withdraw your consent to our processing of your data at any time via the app or by emailing leave-c19-yrs@elaros.com. Please note that consent to processing your data is required in order to deliver our service, and withdrawal of consent will result in your account being deleted permanently.
11. Contacting the regulator to make a complaint
You have the right to make a complaint at any time to the information commissioner’s office (ICO), the UK supervisory authority in relation to data protection issues (www.ico.org.uk). If you feel that your data has not been handled correctly, or are unhappy with our response to any requests made to us regarding our use of your personal data, you have the right to lodge a complaint with the information commissioner’s office. We would, however, appreciate the chance to deal with any such concerns before you approach the ICO so please contact us in the first instance.
The ICO can be contacted by calling 0303 123 1113 or by going online at www.ico.org.uk/concerns.
If a data subject is based outside the UK, you have the right to lodge a complaint with the relevant data protection regulator in your country of residence.
12. Updates to this policy
ELAROS keeps its privacy policy under regular review and places any updates on its home web page. This privacy policy was last updated on 31st October 2024.
Further information
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to
c19-yrs@elaros.com.