For the purpose of the Data Protection Act 1998 and from 25 May 2018 unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then any successor legislation to the GDPR or the Data Protection Act 1998 (the “Data Protection Laws”), this policy applies where we are acting as the data controller.
2.0 Personal information we may obtain from you
We may collect and obtain and use the following Personal Information about you:
2.1 Transactional data
Information you supply to us directly – this includes the information that you provide when filling in forms on our site, registering to use our services, or corresponding with us through our site or by phone, email or otherwise. Information we collect about you – this includes information provided through your visits to our site, which includes location and traffic data, weblogs, resources you access and other communication data. Our site uses a number of security features, including but not limited to SSL (https), TLS and hashing encryption, so the data you submit using the contact forms will be encrypted once you press the “Submit” button.
The legal basis for processing this data is consent in you submitting the information.
Information received from other sources – this includes information we receive about you from third parties including business partners, sub-contractors, advertising networks and search information providers. We will notify you when we receive information about you from them and the purposes for which we intend to use that information. On this occasion we will be the data processor, within the limitations of the contracted Data Processor – Data controller contract with the third party.
We may process data about your use of our websites. This usage data may include your IP address, geographical location, length of visit, page views and website navigation pathways as well as information about the timing, frequency and pattern of your use. This accumulation of data is used to assist system administration and to analyse the use of our website. The legal basis for processing this data is legitimate interests, namely monitoring and improving the website and our services.
2.2 Marketing Data
You may also decide to opt in for one of our services by completing one of the forms across the Otinova website. Your data is collected with your explicit consent at multiple touch points across the Otinova.co.uk website, including, but not limited to, in the Medical Professional portal. Your data is then securely transmitted and stored for the sole purpose of fulfilling our service to you, in accordance with GDPR policy.
Your consent is obtained at the point of submitting your email address on the Otinova website, and consent can be removed at any point by clicking on the “Unsubscribe” link in the footer of any marketing email received from us, or alternatively by emailing your request from the subscribed email address to [email protected].
2.3 Our use of social media
We do use a Facebook Pixel for marketing purposes. This pixel provides us with information on our advertising performance, allows us to transmit advertising messages to recent visitors of our website across the Facebook network, and create lookalike audiences for future advertising activity. Information obtained from the Facebook pixel is anonymised and we have no means of identifying a user solely from information provided by the Facebook Pixel.
3.0 Where we store personal data about you
The information we obtain from you will be stored at a destination within the European Economic Area (“EEA”). Staff members operating within the EEA who work for or on behalf of us may process this information. Such staff members may, among other things, be involved in the processing of payment Personal Information, the provision of support services and the delivery of your request(s) for us to provide services.
Because the transmission of Personal Information via the internet cannot be assumed completely secure, we cannot guarantee the security of any of your Personal Information transmitted to our site; you are therefore responsible for any risk associated with such transmission. We do at all times implement appropriate technical and organisational measures to ensure the transmission of your Personal Information is executed as securely as possible, in a manner appropriate to the risks, and upon receipt of your Personal Information we will continue at all times to enforce strict security procedures and features in an attempt to prevent any unauthorised access.
4.0 How we use your information
The information we hold about you may be used in any of the following ways:
- To provide and to improve our services to you
- To send you further information about our services based on a request we have received from you
- To fulfil our obligations to you i.e. to process your orders
- To provide you with notification about any changes to our services relevant to you
We may also use the Personal Information we hold about you to provide you with information about other services we offer which we feel may be of interest to you. We may provide this information electronically via email, telephonically via SMS or telephone, and/or by post, where, in each case, you have not opted out of receiving that marketing. If you wish to reject such communication regarding our other services, we will give you the opportunity to terminate our permission to contact you for such purposes.
We will get your express opt-in consent before we share your personal data with any company outside the Kestrel Medical group of companies for marketing purposes.
5.0 Disclosure of your information
We do not share any personal data with any third parties unless it is lawful for us to do so, if required by law to do so or if you provide us with permission to do so.
Disclosure of your personal information to third parties will occur if:
- We sell or purchase any business or assets. In such case, we may authorise the disclosure of your Personal Information to prospective sellers or buyers of such business or assets
- Kestrel Medical Ltd. or the substantial majority of its assets are sold to a third party. In such case, your Personal Information may be one of the transferred assets
- We are required to disclose your Personal Information in order to fulfil any legal obligation, to enforce our Terms and Conditions, or to protect the property, rights or safety of Kestrel Medical Ltd., users of our services or others. In such case, information may be exchanged with third party companies or organisations in order to prevent fraud or reduce credit risk
6.0 About Cookies
6.1 Cookies used by our service providers
- Google Analytics – When someone visits our website otinova.co.uk, we make use of the Google Analytics service to collect standard information about visitors to the sites and their behaviour (e.g. what pages they viewed). The data provided by Google Analytics is anonymised and in no way enables us to identify individual visitors, however, Google Analytics will place a cookie on your device to enable the service. For more information about how Google Analytics cookies work on websites visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
- WordPress – Cookies are used to maintain information for the purposes of being logged into the WordPress service. For example if you subscribe to our service you will be given an account which will allow you to login and access the service. Cookies are used to maintain this login within the site and for the purposes of supplying the service. You can read more about what cookies WordPress uses, here.
- WooCommerce – we use WooCommerce to provide the subscription and membership aspects of our service. WooCommerce uses a number of cookies for the e-commerce aspects (buying products, adding them to baskets, etc.). Further details on what cookies WooCommerce use can be found here.
- Google Services – Cookies are sometimes used to track user devices which is found using IP geo-location and is used for tracking and monitoring purposes. Cookies may also be used for the purposes of Google AdWords, G-Static, DoubleClick, and Google Analytics.
- Facebook – We use a Facebook Pixel to track our advertising performance on social media and any conversions that occur on our website as a result of that advertising. This is not limited to, but includes online orders and visits to our website.
- Hotjar – Hotjar allows us to track user journeys on our website, and capture feedback when users choose to share this with us. We do this by recording user sessions, analysing heatmaps, and user surveys across our site. In order to do this, Hotjar takes device and IP readings, but any personally identifiable data is anonymised by Hotjar prior to being monitored by any member of Kestrel Medical Ltd. All data sent via Hotjar is anonymised prior to sending.
- Wordfence – Wordfence is a security plugin that logs IP addresses to protect both ourselves as the data controller and yourself as a customer of Otinova.
7.0 Retention of data
Unless stated elsewhere in this document or in our terms of services we only store the data necessary to provide the services we provide to you. We will keep this data for as long as it is lawful for us to do so (this may be for as long as you are a customer or because of a legal obligation to retain the information, whichever is the longest).
8.0 Third party processors
We use a number of third-party cloud-based services for the purposes of effectively running our business and providing our services to you.
In all cases where we are using a third-party service or company, we will only provide the minimal amount of information, anonymised where possible, for the purposes of delivering the service to us and to meet our requirements.
We always carry out due diligence against all our third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data we supply.
9.0 Your rights
Under current data protection legislation in the UK, you have rights as an individual which you can exercise in relation to the data we store and process about you. You can find more information about your rights on the Information Commissioner’s website: https://ico.org.uk/for-the-public/
9.1 Marketing Consent
You retain the right to request us to refrain from processing your Personal Information for the purposes of marketing. To exercise such right, you may reply to any information we send you, detailing your request that we refrain from sending any further marketing correspondence, or you can exercise this same right by contacting us electronically via email at [email protected]. We may at times provide links on our site to third party websites, including without limitation those owned or managed by our partner networks, affiliates or advertisers. These websites have separate privacy policies, and we therefore cannot accept any responsibility for the content. As such, choosing to follow these links is a choice you make at your own risk, and we advise that you check these websites’ individual privacy policies before submitting any Personal Information.
If you want to make a complaint about the way we are processing your data, you can contact us, using the contact details below. You also have the right to complain to the Information Commissioner’s Office: https://ico.org.uk/concerns/
9.3 How to withdraw consent and object to processing
Where we are processing your data and needed to ask your permission to do so, you are able to withdraw your consent at any time. If you wish to stop receiving our marketing emails, you can do so by clicking on the “unsubscribe” link at the bottom of the email. Otherwise, you can contact us, using the contact details below.
If you wish to raise concerns about the way we are processing your data or would like to raise an objection, then please email us via [email protected] with your concerns.
9.4 Keeping your data up to date
It is important that any of your data that we process is kept up to date. We will from time to time ask you to verify your contact details but if you wish to update any information we hold about you, please contact us using the contact details below.
If you believe any of the Personal Information that we process is inaccurate you are entitled to contact us to correct any inaccuracies at [email protected]. Where we agree that the Personal Information held by us is inaccurate we will correct such inaccuracies without undue delay.
We will not be responsible for correcting inaccuracies in third party Personal Information unless you have informed us of such inaccuracies and we will provide you with reasonable assistance in complying with your obligations as data controller under the applicable Data Protection Laws in relation to any inaccurate third party data.
9.5 Erasure of your data (the “right to be forgotten”)
Under some circumstances you may request us to delete your data from our systems. Where this is possible (e.g. we don’t have any legal purpose for continuing to process your data) we will erase it from our systems.
If we no longer have a legal basis to process your Personal Information or if the legal basis that we are relying on is consent and you subsequently withdraw your consent then we will stop processing your personal data. To the extent that you no longer wish to be contacted by us we will need to maintain a record of that to ensure that we do not contact you again in the future.
You are responsible for ensuring that any third party request to be forgotten is applied to any third party Personal Information that you send to us; we will provide you with reasonable assistance in complying with your obligations as data controller under the applicable Data Protection Laws in relation to any third party requests to be forgotten.
If you wish to exercise your right to be forgotten, please contact us via [email protected] or 01202 658444.
Your right to portability allows you to request a machine-readable format of the data you supplied to us and associated service logs (where we store them). Please contact us, using the contact details below, if you wish to receive a CSV export of your data.
9.7 Access to your data
You have the right to ask us what data we hold about you and how we process it, and to be provided with a copy of the information, free of charge and within one month of your request.
To make a request for any personal information we hold and process about you, we would prefer it if you could put it in writing or in an email to the addresses below. We will need to verify your identity before providing the information and where necessary may contact you further to ensure we understand what data you are requesting.
10.0 Cyber Security
For a complete copy of our Cyber Security Policy please send an email to [email protected]
11.0 Changes to our privacy notice
Otinova is securely hosted on a server within the UK by a third party. This server is managed and maintained by our Digital Agency, Transcend Marketing Ltd.
13.0 How to contact us
Otinova.co.uk is owned by Kestrel Medical Ltd. (“we”), which operates the otinova.co.uk website and is incorporated and registered in England and Wales with company number 04122830, with registered office at Kestrel House, 7 Moor Road, Broadstone, Dorset BH18 8AZ.
If you have any questions about how we collect and use your information not covered in this privacy notice, or if you wish to speak to someone about our approach to data protection and privacy, please contact:
[email protected] or call us 01202 658444
14.0 More information
For more information about your data rights and privacy or data protection in general visit the Information Commissioner’s Office website: https://ico.org.uk