Attomarker Website Privacy Notice

Introduction

Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal information when you make an appointment for our testing services which include a COVID-19 (“Coronavirus”) Triple Antibody CRP Test (the “Test”).

It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.

We collect, use and are responsible for certain personal information about you. When we do so we are subject to data protection laws which apply to the United Kingdom and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Key Terms

The following table sets out some key terms that are used throughout this privacy notice:

Personal information we collect about you

If you contact us through our Website or make an appointment for a Test through our Website, we will need to collect certain personal information about you in order to process your request and provide you with our testing services.

This privacy notice applies to personal information we collect about you when you make and attend an appointment for a Test or when you otherwise communicate with us or contact us through our Website. In particular, we collect:

  • Identity data: your first name and last name; your unique booking reference; and a copy of your ID document which must be shown to the reception prior to your appointment (please note that a copy of your ID will not be stored by us);
  • Contact data: contact information, including your email address and telephone number;
  • Health data; when you arrive at the clinic/facility for your appointment, you will be asked for complete a certification form relating to COVID-19. This includes information such as whether or not you have had a COVID-19 vaccination and whether you have had COVID-19 in the past. We will also process the results of your Test;
  • Financial data: this includes your payment card used to pay for the Test;
  • Technical data: technical and usage information about how you use the Website;
  • Marketing data: your preferences for receiving marketing communications from us.

Please be aware that if you choose to download and use the Attomarker Biomark Application (the “App”) in order to receive your Test results, we will collect additional personal information from you in accordance with the App Privacy Notice, which will be presented to you when your sign-up to the App.

The services available through our website are intended for persons 18 years of age and older. We will not knowingly collect, use or disclose personal information relating to children.

Processing your Health Data

Where we process information about your health relating to COVID-19, this constitutes “special category personal data”. We must ensure we are permitted to collect and process such special category data in accordance with data protection laws, which means:

  • we must have your explicit consent;
  • the processing must be necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
  • the processing is necessary to establish, exercise or defend legal claims.

We will ask you for your consent to process the special category data that is contained in our certification document, which you will be presented with when you arrive for your appointment. If you do not consent to provide this information, we will not collect it from you.

There may be circumstances where you disclose additional health information to the nurse who administers your Test. Any personal data which is shared with the nurse as part of your appointment will not be shared with Attomarker and will be treated in confidence by the nurse.

The results of your Test will only be stored by us for a period of 7 days following completion of the Test. We will not retain your Test results for longer than this period, other than in the form of aggregated data (as explained below).

 

Aggregated data

We also collect, use and share anonymised, aggregated data which may be derived from your personal information for statistical and analytical purposes. Aggregated data is anonymised and therefore not considered personal information under data protection law as it cannot identify you as an individual.

Aggregated data helps to provide important information and insight into the COVID-19 pandemic, including information about the number of individuals booking and undertaking antibody tests.

We may share aggregated data with public health England or another authority in public health.

 

How your personal information is collected

Most of the above personal information is collected directly from you – either when you book a Test, contact us, request that communications are sent to you or provide us with feedback. Certain information such as your identify data and contact data is required for us to book, confirm and administer your Test appointment.

However, in addition to collecting information from you directly, we also collect information from:

  • Cookies on our website – for more information on our use of cookies, please see our cookies policy.

 

How and why we use your personal information

Under data protection law, we can only use your personal information if we have a proper reason for doing so, including:

  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information for and our reasons for doing so. In some cases, we may use more than one legal basis for processing your personal information; this will depend on the specific purpose for which you are using your personal information.

Personal information we collect about you

If you contact us through our Website or make an appointment for a Test through our Website, we will need to collect certain personal information about you in order to process your request and provide you with our testing services.

This privacy notice applies to personal information we collect about you when you make and attend an appointment for a Test or when you otherwise communicate with us or contact us through our Website. In particular, we collect:

  • Identity data: your first name and last name; your unique booking reference; and a copy of your ID document which must be shown to the reception prior to your appointment (please note that a copy of your ID will not be stored by us);
  • Contact data: contact information, including your email address and telephone number;
  • Health data; when you arrive at the clinic/facility for your appointment, you will be asked for complete a certification form relating to COVID-19. This includes information such as whether or not you have had a COVID-19 vaccination and whether you have had COVID-19 in the past. We will also process the results of your Test;
  • Financial data: this includes your payment card used to pay for the Test;
  • Technical data: technical and usage information about how you use the Website;
  • Marketing data: your preferences for receiving marketing communications from us.

Please be aware that if you choose to download and use the Attomarker Biomark Application (the “App”) in order to receive your Test results, we will collect additional personal information from you in accordance with the App Privacy Notice, which will be presented to you when your sign-up to the App.

The services available through our website are intended for persons 18 years of age and older. We will not knowingly collect, use or disclose personal information relating to children.

Processing your Health Data

Where we process information about your health relating to COVID-19, this constitutes “special category personal data”. We must ensure we are permitted to collect and process such special category data in accordance with data protection laws, which means:

  • we must have your explicit consent;
  • the processing must be necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
  • the processing is necessary to establish, exercise or defend legal claims.

We will ask you for your consent to process the special category data that is contained in our certification document, which you will be presented with when you arrive for your appointment. If you do not consent to provide this information, we will not collect it from you.

There may be circumstances where you disclose additional health information to the nurse who administers your Test. Any personal data which is shared with the nurse as part of your appointment will not be shared with Attomarker and will be treated in confidence by the nurse.

The results of your Test will only be stored by us for a period of 7 days following completion of the Test. We will not retain your Test results for longer than this period, other than in the form of aggregated data (as explained below).

 

Aggregated data

We also collect, use and share anonymised, aggregated data which may be derived from your personal information for statistical and analytical purposes. Aggregated data is anonymised and therefore not considered personal information under data protection law as it cannot identify you as an individual.

Aggregated data helps to provide important information and insight into the COVID-19 pandemic, including information about the number of individuals booking and undertaking antibody tests.

We may share aggregated data with public health England or another authority in public health.

 

How your personal information is collected

Most of the above personal information is collected directly from you – either when you book a Test, contact us, request that communications are sent to you or provide us with feedback. Certain information such as your identify data and contact data is required for us to book, confirm and administer your Test appointment.

However, in addition to collecting information from you directly, we also collect information from:

  • Cookies on our website – for more information on our use of cookies, please see our cookies policy.

 

How and why we use your personal information

Under data protection law, we can only use your personal information if we have a proper reason for doing so, including:

  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information for and our reasons for doing so. In some cases, we may use more than one legal basis for processing your personal information; this will depend on the specific purpose for which you are using your personal information.

Marketing communications

We may use your personal information to send you updates (by email or text message) about our testing services, including the launch of new tests and promotions related to such services.

We have a legitimate interest in processing your personal information for promotional purposes (see above ‘How and why we use your personal information’). This means we do not usually need your consent to send you marketing communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal information with the utmost respect and never share it with other organisations outside the Attomarker’s group for marketing purposes.

You have the right to opt out of receiving marketing communications at any time by:

  • contacting us using the details below (see the ‘How to contact us’ section); or
  • using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts;

We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

 

Who we share your personal information with

We share your personal information with:

  • companies within our group who need to know the information;
  • we will share your personal data with the nurses or medical practitioner who carries out your appointment and administers the Test. These individuals are medical professionals and are subject to obligations of confidentiality in respect of your personal data;
  • our service providers who help us run our business efficiently such as our website hosts (Squarespace), and our booking platform (Acuity, also operated through Squarespace);
  • our third party payment provider – Stripe, who will process your personal data in accordance with their privacy notice, which is available here;
  • the clinic(s), medical facility or testing centre where your Test will be undertaken;
  • third parties approved by you, such as social media sites which you choose to link to your profile – for example, you will be given the option to share your booking via your social media accounts but you are not obligated to do so. If you do not choose to do this, your personal information will not be shared with those sites and those site’s use of your personal data will be governed by their own separate privacy notices.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

We will not share your personal information with any other third party.

 

How long your personal information will be kept

We will keep your Test results for a period of 7 days after your appointment for the Test has taken place. We will keep your other personal information for as long as is necessary:

  • to respond to any requests, questions, complaints or claims made by you or on your behalf;
  • to show that we treated you fairly;
  • to keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this privacy notice.

When it is no longer necessary to retain your personal information, we will delete or anonymise it.

 

Transferring your personal information out of the UK

To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK, for example:

  • where your and our service providers located outside the UK (specifically our website hosts, Squarespace, transfer data to the US and our payment processor, Stripe, transfers data globally); or
  • if you are based outside the UK;

Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK where:

  • the UK government has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’); or
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
  • a specific exception applies under data protection law.

We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include: all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’); Gibraltar; and Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries or international organisations we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place, including using standard contractual clauses.

Where there is no adequacy decision, we may transfer your personal data to another country or international organisation if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects. The safeguards will usually include using legally-approved standard data protection contract clauses.

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, including:

  • you have explicitly consented to the proposed transfer after having been informed of the possible risks;
  • the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;
  • the transfer is necessary for a contract in your interests, between us and another person; or
  • the transfer is necessary to establish, exercise or defend legal claims.

We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • contact us using the details below (see the ‘How to contact us’ section); and
  • let us have enough information to identify you;
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  • let us know what right you want to exercise and the information to which your request relates.

 

Keeping your personal information secure

We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

 

How to complain

We hope that we can resolve any query or concern you may raise about our use of your information.

The UK General Data Protection Regulation also gives you right to lodge a complaint with the Information Commissioner (which is the supervisory authority in the UK). The Information Commissioner may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.

 

Changes to this privacy notice

This privacy notice was published on 7th May 2021 and last updated on 7th May 2021.

We may change this privacy notice from time to time—when we do we will inform you via email.

 

How to contact us

Please contact us by email or telephone if you have any questions about this privacy notice or the information we hold about you.

 

Our contact details are shown below:

Name: Rhiannon Marsh

Email: Rhiannon.marsh@attomarker.com

Address: FAO: Rhiannon Marsh, Attomarker Limited, Innovation Centre, University Of Exeter, Rennes Drive, Exeter, Devon, EX4 4RN