Last updated: 2023-08-04
1. Who we are
1.2 The Services
The service (Dermaliser) is delivered as an application (referred to as the "App", "our services", or "the service"), Dermalyser is a diagnostic decision support system (DDSS) empowered with advanced artificial intelligence (AI). The primary function is to classify skin cancer such as malignant melanoma using image analysis combined with deep learning (AI). In addition to the App, AIM has a Website containing information about the company and its products.
2. The Personal Data we process about you
AI Medical Technology AB may process the following types of personal data:
Includes the registration date, contact data and whether you have an active subscription or not.
Includes address, billing address, delivery address, email address, contact person and telephone number.
Includes device identifier, your mobile operating system and OS version.
The IP address that you are accessing the service from.
User credentials and digital identity of the user.
Data related to the patient
Images of skin leisures with anonymised reference to the customer's patient journaling system.
includes details about purchases and payments, excluding bank and credit card details.
Includes details of your use of the Services, such as traffic data and data logs for application monitoring, security and statistics.
Includes data the customer provides when setting up an account with Dermalyser for using the App, such as Contact, organisation and Identity.
3. How we collect personal data
3.1 Information provided by customers
AIM store and process personal data provided by customers when registering and signing up to use the App. Information can also be gathered from customers answering surveys, contacting our customer support or otherwise corresponding or interacting with us and our Services.
When signing up for the App (by purchasing the app or signing a contract), you will be requested to consent to our use of personal data (please note that you will need to consent for the App to work). You can withdraw your consent at any time by cancelling the agreement (according to the terms) or by contacting us at firstname.lastname@example.org. If you provide sensitive data to us by other means than the app – for example, via support – this is described in greater detail in section 4.1.
3.2 Information we automatically collect about you and your device
3.3 Information we receive from suppliers
We receive Device and Usage Data about you from analytics providers such as Google Analytics and Transaction and Contact Data from our payment service providers.
4. How we use your Personal Data
4.1 To enable and provide the Services
For the service to work, AIM must process the personal data you add to the services. This includes administering our services and our relationship with customers, providing the decision support, securing the quality and developing the Services and communicating and providing customer support, as further explained below.
Consent for processing personal data must be obtained for the app to work.
4.1.2 To administer the Services and our relationship with you
AIM use user and IT data to administer the service and our relationship with customers. This includes setting up accounts for the App, troubleshooting, and system testing, as well as notifying you of changes to the services or technical issues and reaching out to you.
Lawful Basis: Contract, Consent, Legitimate interest in running the business, provide and ensure the proper function and use of the Services. Se also, the AIM GDPR Policy
4.1.3 To provide decision support for cancer diagnostics
AIM uses AI-based algorithms to provide decision support for the diagnosis of skin cancer; it does this by analysing the image data from images that are taken by the App. The image is taken by medical professionals on patient skin lesions.
Lawful Basis: Contract, Consent.
4.1.4 To secure the quality and develop the Services
We process your usage and account data to monitor and analyse how our customers engage and interact with the services so that we can secure the quality and develop the services to better align with usage patterns and preferences. While we have access to personal data for the purpose of analytics, the results are aggregated and stripped of any personal data.
Lawful Basis: Contract, Consent, Legitimate interest
4.1.5 To communicate with you and provide customer support
We will process personal data that you provide in inquiries to our customer support by telephone, email or through contact forms provided by us to communicate with you and act on complaints. What type of personal data we collect for this purpose depends on the nature of your inquiry. If you are a user, our support agents may request access to your user data if necessary to respond appropriately to your inquiry. Such access is subject to strict access controls and security measures to protect your integrity.
Lawful Basis: Contract, Consent, Legitimate interest to respond to your inquiries,
4.2 To conduct research
AIM conduct research to evaluate the effectiveness and suitability of the App in clinical practice. We use the results of our research to communicate the benefits and limitations of Dermaliser to healthcare professionals. All our published research is subjected to peer
review and follows normal scientific processes, including ethical approval from the relevant professional bodies where required.
If we have consent, we may use your user data and other personal data that you may
provide, in anonymised form, for scientific studies, scientific articles and other research purposes as may be disclosed when your personal data is collected. However, personal data is anonymised and aggregated before any such publications are shared outside AIM.
We may also contact you with requests to participate in specific research projects run by us or our business partners. AIM also contributes to research carried out by selected universities, institutions and other parties by sharing anonymised data with them. To avoid doubt, we do not share any Personal Data with such external parties.
Finally, we may analyse sensitive data to publicly share insights learned from aggregated data with the purpose of increasing knowledge and understanding of
Skin cancer. This kind of publication is always based on aggregated anonymised data and, as such, doesn't contain any personal information.
Lawful Basis: Consent
4.3.1 Marketing Communication
Lawful basis: Legitimate interest to market ourselves and our Services
4.3.2 Surveys and interviews
As a customer, you may be contacted and enabled to complete surveys or take part in interviews for marketing purposes. We will process the Profile Data that you provide in such surveys and interviews to analyse user preferences, improve and assess the effectiveness of marketing activities, and use it as marketing material or other promotional purposes as disclosed when your Personal Data is collected.
Lawful Basis: Consent
4.3.3 Marketing opt-out
You always have the right to opt out of receiving marketing communication by contacting us at email@example.com.
4.4 To comply with legal obligations
Dermalyser is classified as a medical device intended for use as a decision support tool for diagnosing skin cancer by an EU Notified Body. This means that we are subject to medical device regulations which may require the collection and processing of your Personal Data. There are also other legal provisions that require the processing of your Personal Data, such as accounting and fraud prevention laws. For more details, see section 6.1.
Lawful Basis: Legal Obligation
5. How long do AIM keep your personal data
Lawful basis: Consent, Legal Obligation
6. Disclosures of your Personal Data
AIM never sells personal- or user data. We conduct extensive assessments before engaging any processor to ensure that they have appropriate technical and organisational measures in place that adequately protect your personal data. Anyone who is processing personal data on our behalf is bound by contractual obligations to keep personal data confidential and secure and to use it only for the purposes as instructed by us.
AIM may share your Personal Data:
- with our service providers that we use to support and provide our business, such as technical service or operation providers, to the extent needed to enable and provide the Services to you,
- with our successors, if we are involved in, e.g. a merger, acquisition or asset sale, giving you notice of this,
- with others with whom you ask us to share your personal data,
- AIM will provide personally identifying data in response to a third-party inquiry only if required by a valid legal process but will take all possible steps to keep your data private. AIM will contest the disclosure of your personal data in response to a third-party inquiry to the extent that a reasonable ground for objection exists. AIM will provide you with prompt prior notice of such a request, to the extent legally permitted, so that an order for relief may be requested. Suppose AIM reasonably determines that such disclosure is still legally required. In that case, it will seek a confidentiality designation protecting the disclosure. It will only disclose the portion necessary and at the required time, and/or
- to protect and defend AIM, our business partners’ or users' rights and interests.
If you choose to share your Personal Data with any third person (e.g. a partner), you accept that you have done so at your own risk.
6. How we protect your Personal Data
All information you provide to us is transferred using encryption (HTTPS) and stored on secure servers. We use generally accepted industry standards, technologies, procedures and methods, such as firewalls, encrypted storage, regular software updates, security scans, access control, audit logging and review of admin actions as well as external penetration tests to protect the integrity of your personal data and to prevent unauthorised access. We also have policies and other organisational measures in place, including recurrent employee training on data protection and strict procedures to deal with any suspected personal data breach.
7. Third-party links
The AIM Website may contain links to other websites. Please note that we do not accept any responsibility or liability for personal data that may be collected through these websites or services. We recommend that you read their privacy policies before you submit any personal data to them or use their services.
8. Your rights in relation to your personal data
8.1 Your rights
You have the right to:
- request access to and information about your Personal Data that is being processed by us.
- request correction of your personal data if it is inaccurate or incomplete, including providing additional data if relevant information is missing,
- request the erasure of your personal data,
- object to our processing of your personal data (i) if the processing is based on our legitimate interest, or (ii) for direct marketing purposes,
- request that we restrict the processing of all or some of your Personal Data in certain situations and to ask us not to send you any direct marketing, and
- request a copy of your personal data in a structured, commonly used format and that we transfer your personal data to another controller.
If you have any concerns regarding our processing of your Personal Data, you have the right to file a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten), or your local supervisory authority.
8.2 How to exercise your rights
You may contact us in writing at any time to exercise your rights, preferably using the email address that is associated with your user account. We may need to request specific information from you to help us confirm your identity.
We do our best to respond to your request within a few days and at least one (1) month. If the request is complicated or if we have received a large number of requests, we may need to prolong our response time by one (1) additional month.
You can exercise your rights at no cost to you. However, we may charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Anonymised data means that the identifying information is irreversibly removed so that an individual is not identifiable.
Consent means that you have agreed to our processing of your personal data for a specific purpose by a statement or clear opt-in. You can withdraw your consent anytime by contacting us at firstname.lastname@example.org or by following the instructions provided when the consent was collected.
Legal obligation means that the processing of your Personal Data is necessary for compliance with a legal obligation that we are bound by, e.g., medical device regulations or national laws.
Legitimate interest means that we assess that we have a legitimate interest in conducting and managing our business that, considering and balancing any potential impact on you and your rights, we do not consider are overridden by the impact on you. Please contact us if you want to know more about how we have conducted this balance of interest.
Minimised data means that only the minimal amount of data needed for a certain kind of processing is included.
Pseudonymised data means that identifying information is replaced with something else so that additional information is needed to re-identify an individual. Pseudonymisation is a security measure.
AI Medical Technology AIM AB 2023. All rights reserved.