Hypervision Surgical respects your privacy and is committed to protecting your personal data. In accordance with the General Data Protection Regulation (GDPR), we have implemented this General Privacy Notice to inform you about how we collect, store, manage and look after your personal data, where we decide the purpose and means of the information processing (as a Controller), or we otherwise process it (as a Processor) under the authorisation of another organisation. It will tell you about your privacy rights and how the law protects you.
It is in your interests that you read this privacy notice together with any other privacy information we have provided, or which may have been given to you by a third party which is using our services and providing your data to us. It is important that you do this so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
This notice was last modified on: 8 October 2023.
1. Who We Are
Hypervision Surgical Ltd is a company registered in England and Wales under Company Registration No. 12614766. This privacy notice is issued on behalf of Hypervision Surgical Ltd, so when we mention Hypervision Surgical, “we”, “us” or “our” in this privacy notice, we are referring to Hypervision Surgical Ltd.
Hypervision Surgical is a global medical device manufacturer. We design, develop and manufacture medical devices for use during surgical procedures. Our products are classed as medical devices in most jurisdictions.
Please use the contact us form on our website. Alternatively, you can write to us. The registered office address for Hypervision Surgical Ltd is 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom.
We have appointed a Data Protection Officer (DPO) who can be contacted at the following address: [email protected]. Our DPO is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this notice, including any requests to exercise your information rights, please contact the DPO using the postal address, contact us form or email address details set out above.
2. Changes to Our Privacy Notice
We may change this privacy notice from time to time, so we encourage you to review this notice periodically. When we change this privacy notice in a material way, we will update the last modified date which can be found at the beginning of this notice. Historic versions of this notice are held by our DPO.
It is important that the personal data we hold about you is accurate and current, particularly your contact information. Please keep us informed, through our support channels and contact us forms, where your personal data needs updating during your relationship with us.
If we need to provide you with information about something, whether for legal, marketing or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or, for general public purposes, by placing a notice on our website.
3. Data Collection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
processing is fair, lawful, and transparent;
data is collected for specific, explicit, and legitimate purposes;
data collected is adequate, relevant, and limited to what is necessary for the purposes of processing;
data is kept accurate and up to date (data which is found to be inaccurate will be rectified or erased without delay);
data is not kept for longer than is necessary for its given purpose;
data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, by using appropriate technical or organisational measures; and
we comply with the relevant GDPR procedures for international transfers of personal data.
4. Personal Data Held
As a medical device manufacturer, Hypervision Surgical collects your personal data for the purposes of software development and research, together with our general business administration. The information we collect depends on your interaction with our company and on the choices you might be asked to make at time of data collection. You are not obliged to provide any personal data to us. If you choose not to provide information, we may not be able to respond to your queries or provide our services to you or your organisation.
Our products and services are intended for use by our business customers. This means that for most of the personal data (patient personal information) we collect and process, we act as a data Processor and not a Controller. In this context, our business customers (hospitals for instance) control what personal information we collect and how we use it. If you are a patient of one of our business customers and have privacy related questions or concerns about our access to your personal information, you should contact them directly or review their organisation's privacy notice.
Hypervision Surgical acts as a Controller when we carry out and sponsor our own research and development work to test hypotheses and improve our products and services. Where we are a Controller, personal data is shared only between us and our research collaborators for the purpose of the research study with full ethical approval and compliant data sharing procedures in place.
Please note that Hypervision Surgical is not responsible for the privacy or security practices of its business customers, which may differ from those we have set out in this notice.
Specifically, we hold the following types of data:
Identifying information. Roles and contact details (telephone, email, address), photographs and video or call recordings such as may be provided by you when filling out our forms, visiting our offices, or provided by you or your organisation for engagement with us for the purposes of supplying our services or collaborating with us on projects.
Device information. IP address, browser information, device type such as may be provided by you when you connect to our website, fill in our online forms, or in the context of your organisation’s use of our medical device.
Behavioural information. Browsing behaviour if you have agreed to our use of non-essential cookies when you interact with our website, or access tracking if you visit our offices in person and are provided with a temporary access fob for entry to our office building.
Social information. Professional qualifications, educational background and your public life when you communicate with us through our website or email, for careers purposes, or that you have otherwise made publicly available.
Health information. Medical images and videos, physical characteristics, health history, health record details when you agree to take part in our research studies, or your healthcare provider engages with our services and provides your data to us or shares it with us under agreement as a Controller or a Joint Controller.
5. Collecting Your Data
We collect personal data in the following circumstances:
When you use and engage with our brand website(s).
When you enquire about, take up use of, or need support on use of our products and services.
When you visit our offices or engage with us at conferences and events.
When you supply our business with products or services.
When you engage with us for career development and recruiting activities.
When you sign up to our marketing newsletters and promotions.
When you contact us through any means for example social media, website forms, website chat function, survey responses, other enquiry routes.
When you participate in research or clinical studies and trials led by us.
You may provide such personal data to us directly but sometimes we may be given the data by a third party, for example a healthcare provider. This is particularly in the case of our research and development activities; also, when we are acting as a Processor providing our services to another organisation, our business customer, e.g., hospital, which is the Controller.
Our use of data for research purposes. When you agree to take part in a research study under our control or joint control, we will process your personal data, comprising surgical images and/or videos and limited health data, for the purposes of: (i) carrying out independent or joint academic research in the public interest; (ii) further developing and refining our technology to improve its capabilities and our related services, e.g. training our algorithms and data models to better interpret and consistently characterise the images or videos provided, towards improving and extending our product and service functionality; and (iii) assisting us in commercially delivering our product and service to market with the overall aim being to help improve patient care and surgical outcomes and bring resource savings (time and cost) to the healthcare sector – for example simplified operation of our devices with more consistent results. Where we are processing data for our internal commercial research and development purposes to develop and improve our product and services, we only use health data in a de-identified or pseudonymised format; in a way that it does not specifically identify any individual by reference to name or other identifying data. The personal information we use is provided to us under an agreement with healthcare providers, who supply the data.
Marketing and advertising. Where you have subscribed to our newsletter, we may contact you from time to time with information about our products and services. Most messages we send will be by email. You can change your preferences at a later date by unsubscribing using the link at the bottom of our marketing messages.
6. Lawful Basis for Processing
Under the UK data protection laws, where we are a Controller, independent or joint, our lawful basis for processing your data will be one of the following:
Legitimate Interest. Where we are managing our business or carrying out research in our own business interests to assess, further develop, or maintain, or support our products and/or related services.
Public Task. Where we are in receipt of public funding for research and/or we are a joint or independent Controller partner for research with respect to the Department of Health, an NHS hospital, or a UK university.
Performance of a contract. Where we collect your details for recruitment with a view to your joining us as an employee, consultant or contractor.
Compliance with a legal obligation. Where you are a shareholder and we have a duty to keep a register and associated records, or where laws and authorities may require us to do so.
To protect your vital interests. Where you might visit our office and have an accident or need medical attention whilst on our site.
Processing for recruitment and employment. For more information about our processing personal data with respect to recruitment, please refer to our Applicant Privacy Notice on this website. Similarly, if you are employed by us please refer to our Employee Privacy Notice, which you can find in our Company Handbook or which is available as part of your agreement with us (the same applies to consultants or contractors).
Processing of health data. Personal information concerning health, such as medical images, videos and associated patient information, is referred to as special category data under UK and EU laws and protected health information (PHI) or identifiable/de-identified health information under US law. It is also sometimes referred to as sensitive data. Processing of this data is subject to higher protection and compliance requirements. Where local personal data protection laws require patient explicit consent to process the data, this will be organised by and through our data source partners e.g., hospital or healthcare provider. Health data is provided to us under legal agreement with the Controller organisation. This may be, for example, an NHS hospital in the UK or a Covered Entity (CE) in the US. Where we process health data in our own interests as a Controller, we will process this information under the additional lawful basis of one of the following:
Public interest in the area of public health or medical device safety.
Health and social care.
It is necessary for archiving, scientific research or statistical purposes.
7. Failure to Provide Data
Your failure to provide us with your data may mean that we are unable to provide our products or offer our services to you or interact with you as set out in Section 5.
8. Recipients or Categories of Recipients
As required, and in accordance with how we use your personal information, we may share your personal information with the following categories of recipients (sub-processors):
Service providers and advisors. We may share your personal information with third party vendors and other service providers that perform services for us or on our behalf. This may include providing storage and hosting services, de-identification services, network services, marketing, email or call handling, chat services, fraud prevention, web hosting, professional business services (such as legal, accounting, auditing and insurance), consulting services, or providing analytic services.
Purchasers and third parties in connection with a business transaction. Your personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business. This is under the provision that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.
Law enforcement, regulators and other parties for legal reasons. We may share your personal information with third parties as required by law or if we reasonably believe that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect and investigate illegal activities and breaches of agreements; and/or (iii) exercise or protect the rights, property, or personal safety of Hypervision Surgical, its users, or others.
A list of our current sub-processors is available on request by contacting [email protected].
There are social media links on our website, such as LinkedIn. From time to time, we may also publish links to other third-party sites such as links to academic publications, or medical associations and organisations. Clicking on these links or enabling those connections may enable the third-party to collect or share data about you. For example, when you click on the social media links you land on our social media page relevant to the link. If you are logged into your social media account and you click through to these from our website, the social media service provider may collect information indicating that you have visited our website and link the site visit to your social media profile. We do not control these third-party websites and are not responsible for their privacy notices or practices. When you leave our website, we recommend that you read the privacy notice of the sites you choose to visit.
9. Protecting Your Data
Despite these safeguards, no internet-based transmission or information storage technology can be guaranteed 100% secure so we cannot promise that our security measures won’t be overcome. We will follow our incident response procedures should this occur. Should you receive a communication which represents to be from Hypervision Surgical, and which asks you to provide sensitive data or account information via email, or which otherwise seems strange, please treat this as unauthorised and suspicious and report it to our support team, or contact us at [email protected]. If you wish to inquire further about the security safeguards we use, please contact us using the details set out at the start of this privacy notice.
10. Details of International Transfer of Data
We have set up and use infrastructure in the UK and US. Your data may be processed in any of these areas; the processing location is dependent on the nature of the relationship we have with you or the agreement between us and the Controller organisation providing the data and their geographic location.
These regions only dictate the geographic location where data is stored and where our computer server resources are run from. Note that whilst your data will be stored in the above regions, it may also be accessed by Hypervision Surgical group company personnel located in the UK, but only to the extent necessary to be able to support, secure and maintain our services in accordance with our customer contracts.
Our business administration activities take place in the UK. We use service providers and other third parties which can support our business administration by processing only in the UK, the US or the EEA.
We have put the following measures in place to ensure that your data is transferred securely and that the third parties who receive the data that we have transferred process it in a way required by EU and UK data protection laws:
organisational security measures;
any transfers taking place outside the EEA are only permitted with the provision of an Adequacy decision, standard contractual clauses (UK International Data Transfer Addendum or EU 2021 Standard Contractual Clauses) or any other lawful transfer mechanism. As such, we have appropriate legal agreements in place with those supporting organisations for the transfer of your data outside the UK or EEA where this is restricted.
11. Retention Periods
We will store the personal information we collect for our own purposes for no longer than necessary for the purposes set out and in accordance with our legal obligations and legitimate business interests.
11.1. Research and development
For research participants, long-term use (and, where applicable, re-use) and retention of your personal information in connection with the specific research study or project you are participating in is explained in the patient information sheet provided to you by our trial partners. This retention time period can vary; information will generally be kept for the duration of the specific research project and then additionally for an agreed time afterwards which could be up to 10 years from the end of the research project.
Should we decide to keep the research data indefinitely, we will then no longer use it for any other activities. Once we no longer have a use for the data we will either delete it or anonymise it in such a way that it can no longer be attributed to an identifiable individual.
11.2. Business administration
Unless stated otherwise, we keep your personal data for as long as we have a continued legitimate business need or legal obligation, or as an agreement allows. This can be anything from 6 months (or less) to 15 years after the end date trigger, or indefinitely where this is required for legal reasons.
11.3. Product and service use
Data will be kept in line with each agreement we have with our business customers. Data will be destroyed or returned in accordance with the agreement unless we have negotiated with our business customer the permission to retain some of the information for our own research and development reasons as a Controller.
12. Rights in Respect of Your Personal Information
Where we are acting as a data Controller and depending on your location and subject to applicable law, you may have information rights. This is particularly the case if you are resident in the UK or European Union. If you wish to exercise one of these rights, please contact us using the contact details at the beginning of this privacy notice. If you are the patient of an organisation which is using our products or services, please contact that Controller organisation in the first instance with your request. Research participants should get in touch with their primary organisation contact.
Right of access. You have the right to obtain:
confirmation of whether, and where, we are processing your personal information;
information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods;
information about the categories of recipients with whom we may share your personal information; and
a copy of the personal information we hold about you.
Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another organisation or person.
Right to get data corrected. You have the right to obtain correction, or deletion, of any inaccurate or incomplete personal information we hold about you without undue delay. This is known as the right to rectification.
Right to get data deleted. You have the right to erasure, in some circumstances. You can require us to delete your personal information without undue delay if the continued processing of that personal information is not justified. This is also known as the right to be forgotten.
Right to limit how we use your data. In some circumstances you can limit the way we use your personal data if you are concerned about the accuracy of the data or how we are using it. If necessary, you can also stop us deleting your data. Together, these opportunities are known as your right to restriction. This right is closely linked to your rights to challenge the accuracy of your data and to object to its use.
Right to object. In some circumstances, you have the right to object to our using your personal data. This effectively means that you can stop or prevent us from using your data. However, we may not need to stop where we can give strong and legitimate reasons to continue using it. You also have the right to withdraw consent, where our processing of your data is on the basis of consent previously given by you.
Right to lodge a complaint. If you have a complaint about our processing of your personal data, please contact our DPO in the first instance so that we can address your concerns. We will be happy to help.
13. Questions, Concerns or Complaints
You also have the right to lodge a complaint to the Information Commissioner’s Office (ICO), or your national data protection authority. The ICO has some helpful guidance on how to raise a concern to an organisation, and how to raise a concern directly to them. If you are outside of the UK, please check with your local data protection authority for advice. (The European Data Protection Board member authorities list is here.)
Please contact us at any time should you have any comments, questions, concerns or complaints regarding this privacy notice or our associated practices. We will be happy to look into it for you. Please contact us at [email protected].
14. California Consumer Privacy Act
This part of the notice integrates with and supplements the information contained in the rest of the privacy notice.
This part of the document uses the term personal information as it is defined in the CCPA.
14.1. Collection of personal information
We have collected personal information as per Section 4 of this notice. We will not collect additional categories of personal information without notifying you.
We collect the above-mentioned categories of personal information, either directly or indirectly, from you when you engage with us as per Section 5.
For example, you directly provide your personal information when you submit requests via any forms on this website. You also provide personal information indirectly when you navigate this website, as personal information about you is automatically observed and collected. Finally, we may collect your personal information from third parties that work with us in connection with the services or products offered or with the functioning of this website and features thereof.
14.2. Use of personal information
We may use your personal information to allow the operational functioning of this website and features thereof. In such cases, your personal information will be processed in a fashion necessary and proportionate to the business purpose for which it was collected, and strictly within the limits of compatible operational purposes.
We may also use your personal information for other reasons such as for commercial purposes, as well as for complying with the law and defending our rights before the competent authorities where our rights and interests are threatened or we suffer actual damage.
We will not use your personal information for different, unrelated, or incompatible purposes without notifying you.
14.3. Personal information disclosure
We may disclose the personal information we collect about you to a third party for business purposes. In this case, we will enter a written agreement with such third party that requires the recipient to both keep the personal information confidential and not use it for any purposes other than those necessary for the performance of the agreement.
We may also disclose your personal information to third parties when you explicitly ask or authorize us to do so, in order to provide you with our products or services.
To find out more about the lawful basis of processing, please refer to Section 6.
14.4. Sale of personal information
For our purposes, the word sale means any selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration.
This means that, for example, a sale can happen whenever our website performs statistical analyses on the traffic or views, or simply because it uses specific tools such as social network plugins and the like.
You have the right to opt out of the sale of your personal information. This means that whenever you request us to stop selling your data, we will abide by your request. Such requests can be made freely, at any time. You can contact us for further information using the contact details provided in this document.
14.5. Your California privacy rights
As a resident of California, you have the following rights:
Right of Disclosure and Portability. You have the right to request that we disclose to you:
the categories and sources of the personal information that we collect about you, the purposes for which we use your information and with whom such information is shared;
in case of sale of personal information or disclosure for a business purpose, two separate lists where we disclose:
for sales, the personal information categories purchased by each category of recipient; and
for disclosures for a business purpose, the personal information categories obtained by each category of recipient.
The disclosure described above will be limited to the personal information collected or used over the past 12 months. If we deliver our response electronically, the information enclosed will be delivered in an easily usable format to enable you to transmit the information to another entity without hindrance – provided that this is technically feasible.
The right to request the deletion of your personal information. You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on this website, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.). If no legal exception applies, as a result of exercising your right, we will delete your personal information and direct any of our service providers to do so.
14.6. How to exercise your rights
To exercise the rights described above, you need to submit your verifiable request to us by contacting us via the details provided in this document.
For us to respond to your request, it’s necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:
provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not respond to any request if we are unable to verify your identity and therefore confirm the personal information in our possession actually relates to you. If you cannot personally submit a verifiable request, you can authorize a person registered with the California Secretary of State to act on your behalf. If you are an adult, you can make a verifiable request on behalf of a minor under your parental authority.
You can submit a maximum number of 2 requests over a period of 12 months.
14.7. How and when we are expected to handle your request
We will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request. We will respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfil your request. Our disclosures will cover the preceding 12-month period.
Should we deny your request, we will explain to you the reasons behind our denial. We do not charge a fee to process or respond to your verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.
15. Our Policy in Relation to Children
Our business, services and our website are not directed at, or intended for, persons under 13 years old, and we do not knowingly collect personal information from or relating to children. If you believe, or become aware, that a child under 13 years may have provided us with personal information, then please contact us so that we can take steps to remove such information.