This privacy policy (Privacy Policy) explains how Annalise-AI Pty Ltd (ACN 635 645 260) and our Related Bodies Corporate (as defined in the Corporations Act 2001 (Cth)) (Annalise.ai, we, us or our) handle and manage your personal information that we collect about you and the rights and options you have in this respect under any applicable privacy and data security laws and regulations (Data Protection Laws) as any one or more of the following:
- a radiologist, medical imaging provider, hospital or clinical staff or other medical/health professional (Clinician) of a clinic, hospital or radiology practice (Clinic) using or interested in using our AI-enabled medical imaging software (Platform) and/or referring patient information/imaging to us;
- a patient of a Clinician or other medical and/or health practitioner using the Platform (Patient);
- a staff member including directors, officers, employees, temporary staff and consultants of Annalise.ai (Annalise.ai Staff);
- an applicant of a job at Annalise.ai (Job Applicant);
- a visitor to our website accessible at the domain ‘annalise.ai’ (Website) and/or a subscriber to our newsletter (Visitor); or
- a contracted service provider, business partner or health professional, medical specialist, hospital, customer or clinical staff (Partner).
Please refer to our Cookie Notice for further information on how we use information that is gathered by cookies or other web-tracking or analytics technologies.
Please also read the ‘Additional GDPR and Patient Information’ section below if we process your personal information under the EU General Data Protection Regulation (EU GDPR) or the EU GDPR as incorporated into UK law by the Data Protection Act 2018 (together, the GDPR). If you are a Patient, we also encourage you to refer to the privacy policy of the Clinic you attended for your medical examination for information about how your personal information is used.
This Privacy Notice covers the following topics:
- What Personal Information We Collect, When and How?
- How We Use Your Personal Information?
- Who We Share Your Personal Information With?
- Access To and Correction of Your Personal Information
- Where We Process Your Personal Information?
- How We Protect Your Personal Information?
- How Long We Store Your Personal Information?
- Additional GDPR and Patient Information
- Complaints
- Contact Details
- Changes to This Privacy Policy
WHAT PERSONAL INFORMATION WE COLLECT, WHEN AND HOW?
For Clinicians (including Referring Health Professionals)
As a Clinician, we collect your personal information either:
- directly from you or your Clinic, when you or your Clinic buy or register for products or services to or from us, request information about us or our products or services, provide feedback, respond to a survey, fill in a form or a request for services (including an application for an account with us), fill in a form on our Website (including a registration form to register as a Clinician) or otherwise provide it to us via the Website, over the phone, via email or in-person; or
- from your Clinic or another Clinician who registers you with us on your behalf.
We may collect personal information about you such as your private or work contact details (e.g. address, company name, email, phone number and job title), account login information (e.g. login credentials), analytics data, free text feedback and payment information (e.g. credit card, bank account or other details to facilitate payments).
If you, whether as a Referring Health Professional (defined below) or otherwise, provide us with the personal information (including sensitive information) of another individual (e.g. a Patient), you warrant that you have complied with your obligations under Data Protection Laws relating to the collection and disclosure to us of that personal information, sensitive information and health records and have obtained the relevant individual’s prior consent: (i) for you to disclose that information to us; and (ii) to our collection, holding, use and disclosure of that personal information in accordance with this Privacy Policy (a copy of which you have provided/ referred to the Patient as required by Applicable Privacy Laws).
For Patients
If you are a Patient or prospective Patient, your Clinician may refer (Referring Health Professional) medical imaging, Patient studies and associated metadata to us for analysis (Information Package). Information that may be collected by Annalise.ai on behalf of your Referring Health Professional may include your medical image and metadata on the medical image, including your name, age, date of birth and an identification number unique to you as a patient. If agreed between Annalise.ai and your Clinic or Referring Health Professional, we will anonymize the Information Package so that we cannot trace the Information Package to identify you.
For Annalise.ai Staff
As Annalise.ai Staff, we may collect your personal information in various ways, including:
- directly from you when you interact with us during the course of your employment, e.g. when you complete employee questionnaires, visit our intranet, our website or other communication or working platforms and when you communicate with us in relation to your employment;
- from third parties where required or permitted by law, e.g. reference contacts, public authorities, courts or background check agencies;
- from public sources, e.g. professional networks, company or event websites, directories;
- from official registers where required or permitted by law or where you have given us your consent; or
- from data generated about you during the course of your employment for the below permitted purposes, e.g. payslips, performance reviews, time recording, monitoring of premises, facilities and communication and IT systems.
We may collect personal information about you such as your:
- private or work contact details (e.g. address, company name, email, phone number and job title);
- personal details (e.g. date and place of birth, immigration status, social security and tax related details);
- professional details (e.g. position, employee ID, department, career data, CV);
- identification documentation (e.g. copies of your passport, driving licence, national or work ID card);
- employment-related information (e.g. payroll data, training, appraisals/performance assessments);
- data relating to access to and use of our systems, facilities and premises (e.g. data generated through monitoring by camera, GPS, monitoring and logging of your use of our communication and IT systems);
- data relating to secondment, relocation and business travel;
- data relating to or generated from compliance activities (e.g. data from reference checks, background checks, conflict checks);
- data relating to disputes and enforcement of claims (e.g. data relating to or generated from proceedings, disputes, negotiations); and
- where required for the below permitted purposes and only where required or permitted by applicable law or where you have specifically given us your consent, we may ask for information about your health and disabilities (e.g. to comply with related statutory workplace security or insurance biometric data (e.g. for access control or security purposes) or data revealing racial or ethnic origin (e.g. for diversity purposes) or religious beliefs (e.g. for potential tax purposes).
If you choose not to provide your personal information to us, this may impair our ability to administer your employment with us.
For Job Applicants
As a Job Applicant, we may collect your personal information in various ways, including:
- directly from you during the recruitment process (e.g. when you submit your CV and application form, from interviews, or when you communicate with us in relation to your application);
- third parties where required or permitted by law (e.g. from references, recruiters acting on your behalf, assessment centres, educational institutions);
- Public sources (e.g. websites such as LinkedIn, public registers);
- from data generated during your application process (e.g. expense reimbursement, assessment centres and other assessment methods or from recording and monitoring of your access and use of our premises, facilities and communication and IT systems);
We may collect personal information about you such as your:
- private or work contact details (e.g. address, company name, email, phone number and job title);
- personal details (e.g. date and place of birth, nationality, prior or expected salary);
- application data (e.g. career data, CV, details of your education, information from interviews and phone-screenings);
- identification documentation and entitlement to work information (e.g. copies of your passport, national ID card, work visa documents, reference checks, background checks);
- data relating to access to and use of our systems, facilities and premises, including CCTV footage when you attend our premises for an interview; and
- equal opportunities monitoring data, including information about your ethnic origin, sexual orientation, health and religion or belief only where required or permitted by applicable law or where you have specifically given us your consent.
If you choose not to provide your personal information to us, we may not be able to effectively process your application.
For Visitors
As a Visitor we collect your private or work contact details (e.g. address, company name, email, phone number and job title) if/ when you provide it to us on the Website. We also use cookies on our Website (you can find further information in our cookie notice here Cookie Notice).
For Partners
We collect and hold personal information about you directly from you or your organisation when you supply goods and services to Annalise.ai. We may also collect personal information about you via third parties including from our suppliers, merchants, direct mail, exhibition and trade events or online marketing.
We may collect personal information about you such as your private or work contact details (e.g. address, company name, email, phone number and job title) and payment information (e.g. bank account details or other details to facilitate payments).
If you choose not to provide your personal information to us, we may not be able to undertake certain activities for you such as providing you with requested information, products or services.
HOW WE USE YOUR PERSONAL INFORMATION?
For Clinicians (including Referring Health Professionals)
As a Clinician/ Referring Health Professional, we use the personal information that we collect about you for the following purposes:
- to enter into, perform, manage and administer your (or your Clinic’s) contractual business relationship with us, including any trial of the Platform, pilot testing, integration testing, after-sales support, technical support, opening and managing your account with us, billing and collection activities, and providing you with other services that you (or your Clinic) may have requested;
- to analyse and improve the Platform and other products and services we provide; and
- to provide you with direct marketing materials including promotional material about us or the products or services we offer and inviting you to participate in surveys. We do not sell your personal information to third parties for marketing purposes. You may opt out of receiving direct marketing material by contacting us or by clicking ‘unsubscribe’ in any of our messages.
For Patients
We use the Information Package for analysis and to assist in the interpretation of medical images as requested by, and on behalf of, your Referring Health Professional.
We perform AI-driven analysis on the Information Package we receive from the Referring Health Professional to produce findings and associated observations in relation to that Information Package. Our produced findings and associated observations may be used by your Referring Health Professional to assist their clinical decision-making. Our analysis may also highlight other relevant areas of interest for your Referring Health Professional to consider.
If you are a Patient in Australia or New Zealand we may use your data for research and product development purposes to improve our AI model. When we do so, we will de-identify your personal information and only use the resulting de-identified datasets (De-Identified Data). Our de-identification process involves permanently deleting information that could potentially be used to identify you so that there is no reasonable likelihood of re-identification occurring. Occasionally, we may share De-Identified Data with research institutions/bodies for academic and clinical research purposes but we will only do so under strict contractual obligations governing their confidential use of the De-Identified Data and prohibiting such institutions/bodies from re-identifying the De-Identified Data.
For Annalise.ai Staff
We use your personal information for the following purposes:
- to enter into, perform and terminate your employment or engagement contract with us (e.g. application process, background and reference checks, onboarding, termination or suspension of employment);
- for general HR administration (e.g. payroll, administration of remuneration and benefits, pension schemes, travel expense management, performance management, annual leave and other leave of absence, grievance and disciplinary procedures, equal opportunity monitoring);
personnel planning and development
(e.g. training and development, performance reviews, promotions and transfers); - secondment, relocation and business travel;
- strategic business planning and organizational purposes (e.g. planning, controlling, budgeting, benchmarking and restructuring); and
- ensure compliance with our policies, procedures and standards.
For Job Applicants
We use your personal information to process your application, including reviewing and analysing your qualifications and skills, confirming your references and educational background, conducting background checks and public register checks, considering your suitability for employment, communicating with you, conducting assessments and any other evaluation processes, and organising any travel required and reimbursing any expenses.
Where you have given us your consent, we may include you in our job applicant database, to inform you about new job opportunities at Annalise.ai that you might be interested in. You may opt out at any time by clicking the opt-out links in any electronic communication we send to you or by using the contact details below.
For Visitors
We use your personal information for the following purposes:
- to ensure that content from our website are presented in the most effective manner for you and your device;
- if you subscribe to our mailing list, we will use your contact details to provide you with news and updates about our company and our activities – you may opt out by contacting us or by clicking ‘unsubscribe’ in any of our emails; and
- if you send us a query via our Website, we will use your personal information to reply to your query.
For Partners
If you are a Partner we will use your personal information for our business and service dealings with you, including to contact you in relation to:
- products or services we are ordering or receiving from you; and
- to provide you with information, products or services you have requested.
For everyone except Patients
Depending on the nature of our relationship with you, we may also use the personal information we collect about you:
- to maintain and protect the security of our premises and facilities, IT systems, databases, websites or other digital infrastructure, including preventing and detecting security incidents, improving data security and protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity, service, testing and maintenance of our systems;
- to prevent and detect crime, including fraud or criminal activity and misuses of our products or services;
- to notify relevant organisations (such as medical insurers and/or legal advisors) of an incident/accident, including when a claim is made against Annalise.ai;
- only where it is de-identified, to carry out evaluations of our service quality and timeliness, including providing the de-identified information to other parties to assist us with these activities;
- to comply with our legal or regulatory obligations, such as record keeping, disclosures to tax or other regulatory authorities, enforcing and complying with legal judgements; and
- to establish, exercise and defend legal claims, investigating and resolving disputes.
WHO WE SHARE YOUR PERSONAL INFORMATION WITH?
For Patients
As a Patient, Annalise.ai will share your personal and health information only as agreed with, and instructed by, your Referring Health Professional including with:
- your Referring Health Professional(s), employees and other health professionals in your Referring Health Professional’s clinic or hospital where they are working and any other health professional that your Referring Health Professional has asked us to share your personal information with; and
- verified consultant medical specialists or other registered health professionals involved in your ongoing health care who have been requested by your Referring Health Professional to provide further advice on your medical condition.
For everyone except Patients
We may share your personal information with:
- our service providers (so called data processors) domestically or abroad (e.g. legal, financial and other professional advisers, auditors, website hosts) who will process personal information for the permitted purposes on our behalf and in accordance with our instructions only. We will retain control over and will remain fully responsible for your personal information and will use appropriate safeguards as required by Data Protection Laws to ensure the integrity and security of your personal information when engaging such service providers;
- Annalise.ai’s Related Bodies Corporate;
- third parties where that is required and permitted by law to execute a contract or otherwise in connection with our business relationship with you or your organisation;
- any prospective purchaser in the event we sell or transfer any part of our business or assets; and
- public authorities or governmental bodies such as regulatory or enforcement authorities, attorneys or courts where we are required to do so by applicable law or regulation or at their request if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Other than listed above, we will only disclose your personal information when you direct or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or when we suspect fraudulent or criminal activities. You can contact the Annalise.ai Privacy Officer (contact details below) if you have any questions about the disclosure of your personal information.
ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION
You may request access to personal information we hold about you. We may request personal information (such as your mobile number or email address) from you to verify your identity before providing the requested information. In some instances, charges may apply to provide copies. We will tell you about any costs before they are incurred. In some limited circumstances we may refuse your request but will provide you with our reasons. You may complain about our refusal (see ‘Complaints’ section below).
Annalise.ai endeavours to ensure that the personal information we collect, use and disclose is accurate, up-to- date and complete. The accuracy and completeness of that personal information depends on the information you provide to us. Please let us know:
- if there are any errors in the personal information we hold; and
- of any changes to your personal information (such as your name, address, phone number).
If we process your personal information under the GDPR, please see additional rights you have as set out below in “Additional GDPR and Patient Information”.
WHERE WE PROCESS YOUR PERSONAL INFORMATION?
In the course of our business activities, we may transfer your personal information to countries outside of the country where you reside or where we provide services to you or your organisation. As such countries may not offer the same level of data protection, we will comply with Data Protection Laws and apply appropriate safeguards to ensure the security and integrity of your personal information. Where required, we will in particular enter into any official standard contract clauses, including as specifically set out below in “Additional GDPR Information and Patient Information”.
HOW WE PROTECT YOUR PERSONAL INFORMATION?
We take reasonable steps to protect your personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure in accordance with Data Protection Laws and our data security policies and procedures.
In particular, we have security controls in place with our cloud provider including redundancy protection and monitoring, strict access controls, in-transit and at-rest encryption and industry-standard authentication protocols.
HOW LONG WE STORE YOUR PERSONAL INFORMATION?
We will retain your personal information for as long as required for permitted purposes and as long as we are required or otherwise permitted under applicable laws to retain such data (e.g. for the duration of any record retention periods under applicable law).
ADDITIONAL GDPR AND PATIENT INFORMATION
The below information applies if we process your personal information under the GDPR.
Responsible Controller
A ‘controller’ is the entity responsible for deciding how, and for which purposes, your personal information is processed.
For Patients
Your Clinic is the responsible controller. Annalise-AI only processes your personal information as a processor on behalf of, and in accordance with, our agreement with the Clinic and your Clinic’s instructions. Please refer to your Clinic’s privacy notice for further information about how your personal information is used.
For Clinicians
Where we process your personal information to perform our contract with your Clinic, the responsible controller is your Clinic and Annalise-AI processes your personal information as a processor on behalf of and in accordance with your Clinic’s instructions. Please refer to your Clinic’s privacy notice for further information about how your personal information is used.
For all other purposes, the responsible controller is:
- Annalise-AI Pty Ltd (Level P, 24 Campbell Street, Sydney, NSW 2000); and/or
- any of our Related Bodies Corporate that is in business contact with you or identified in our communications with you.
For Visitors and Partners
The responsible controller is:
- Annalise-AI Pty Ltd (Level P, 24 Campbell Street, Sydney, NSW 2000); and/or
- any of our Related Bodies Corporate that is in business contact with you or identified in our communications with you.
Legal Basis
We process your personal information for the purposes set out above (see “How Do We Use Your Personal Information?”) on the following legal bases:
|
PURPOSE |
LEGAL BASIS |
| Clinicians | |
| Perform our contract with you or your Clinic |
|
| Analytics and Platform and service improvement |
|
| Direct marketing |
|
| Patients | |
| Analysis and diagnosis |
|
| Annalise.ai Staff | |
| Enter into, perform and terminate your employment or engagement contract |
|
| HR administration |
|
| Personnel planning and development |
|
| Secondment, relocation and business travel |
|
| Strategic business planning and organizational purposes |
|
| Compliance with policies, procedures and standards |
|
| Job Applicants | |
| Process application |
|
| Job applicant database |
|
| Visitors | |
| Website presentation |
|
| Mailing list subscription |
|
| Respond to queries |
|
| Partners | |
| Contact regarding products or services ordered and providing related information |
|
| Everyone (other than Patients) | |
| Identifying and preventing security threats to facilities, premises and systems |
|
| Crime detection and prevention |
|
| Incident or accident notification |
|
| Compliance activities |
|
| Establishing, exercising and defending legal claims |
|
International Data Transfers
We may transfer your personal information to countries outside of the European Economic Area or the United Kingdom, in which applicable laws may not offer the same level of data protection as the laws of your home country. Where we do so, we will apply appropriate safeguards to ensure the security and integrity of your personal information, in particular by entering into the EU Standard Contractual Clauses which are available here and the UK International Data Transfer Addendum which is available here. You may contact us anytime using the contact details in the “Contact Details” section below if you would like further information on such safeguards.
Your Rights
For Patients and Clinicians (where Annalise-AI is a processor)
Your Clinic is responsible for managing the exercise of your rights under the GDPR. Subject to certain legal conditions, you may request access to (including a copy of), correction, restriction, deletion or portability of your personal information from your Clinic. For any of these requests or if you have any queries in this regard, please contact your Clinic directly.
For Clinicians (where Annalise-AI is a controller), Annalise.ai Staff, Job Applicants, Visitors and Partners
Subject to certain legal conditions, you may request access to, correct, restrict, delete or transfer your personal information. In particular, you have the right to request a copy of the personal information that we hold about you. If your request is unfounded or excessive, we reserve the right to charge an administrative fee.
YOU MAY ALSO OBJECT TO THE PROCESSING OF YOUR PERSONAL INFORMATION. IN PARTICULAR, YOU HAVE THE RIGHT TO OBJECT, AT ANY TIME, TO THE USE OF YOUR PERSONAL INFORMATION FOR DIRECT MARKETING PURPOSES AND, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL INFORMATION WHICH IS BASED ON OUR LEGITIMATE INTERESTS OR CARRIED OUT IN THE PUBLIC INTEREST, INCLUDING ANY RELATED PROFILING.
We will not use your personal information for taking any automated decisions materially affecting you or creating profiles of you. If you have given us your consent for the processing of your personal information you may withdraw your consent at any time with effect for the future, i.e. the withdrawal of your consent does not affect the lawfulness of processing based on the consent before its withdrawal. If you withdraw your consent, we will promptly delete the relevant data unless there is another legal ground permitting or requiring us to retain and continue processing such data.
For any of the above requests, please send a description of your personal information concerned stating your name and your relationship with us (if applicable) to the contact details below. We may require proof of identity to verify your request and to protect your personal information against unauthorised access. We will carefully consider your request and may discuss with you how it can best be fulfilled.
Where your consent is required for any direct marketing-related communication, we will only provide you with such information if you have opted in. You may opt out at any time by clicking the unsubscribe or opt-out links in any electronic marketing communication we send to you or by using the contact details in the “Contact Details” section below.
COMPLAINTS
If you feel that your privacy has not been respected or that we have conducted ourselves inconsistently with this Privacy Policy, the Data Protection Laws, or for any other queries, problems, complaints or communication in relation to this Privacy Policy, please send your complaint to the Annalise.ai Privacy Officer at the address below.
If you are a Patient or if you are a Clinician and we process your personal information as a processor, we will forward your complaint directly to your Clinic who is the responsible controller for your personal information and will be in the best position to assist you.
You may also submit a complaint to the competent data protection supervisory authority in your country. For example, if you are in Australia, the Office of the Australian Information Commissioner and if you are in the United Kingdom, the Information Commissioner Office. A list of the national data protection supervisory authorities in the European Economic Area can be found here.
CONTACT DETAILS
Annalise-AI Pty Ltd Attention:
Privacy Officer
Level P, 24 Campbell Street,
Sydney NSW 2000, Australia
Email: privacy@annalise.ai
CHANGES TO THIS PRIVACY POLICY
2023 Privacy Policy – effective 9 February 2023. From time to time we make changes to our policy, processes and systems in relation to how we handle your personal information, including to take into account new laws, regulations and technology. Please visit our website www.annalise.ai/privacy to obtain a copy of the latest version of this Privacy Policy at any time. Your continued use of the Platform and/or the Site, requesting our services or the provision by you of further personal information to us after this Privacy Policy has been revised will be deemed to be your acceptance of and consent to the revised Privacy Policy.
