Privacy statement

About

Information we collect
Customer records: When signing up for the services customers provide contact information to Simendo: contact name, name of Health Care Institution (“HCI”) and department, position, office address, direct telephone number and e-mail.

User records: When registering an account with the Simendo software, the user supplies certain personal details: name, email address, career status, country of residence and name HCI and department. Furthermore when using our software, after logging in to your account, scores information will be transmitted and stored on our servers. Date of registration and date of last login are stored alongside the registered personal details.

Access logs are stored for our web server and email server, which contain the IP-address of the computer used to access our software and websites (web server) and email addresses of users who receive messages from https:///www.mysimendo.com. These logs are not linked to user records.

Email addresses for newsletters: When registering an account, users can opt-in to receive occasional newsletters from www.simendo.eu.

How we use your information
We use customer records to be able to fulfill the agreement that we have with the HCI. This includes amongst other purposes the sending of invoices, responding to queries and support calls, provisioning user accounts and other processing that we need to undertake to ensure that we meet our obligations pursuant to the agreement that we have with the HCI. Our legal ground for these processing purposes is the performance of the agreement that we have with the HCI.

To be able to provide our services, certifying skills, it is essential that we are able to identify users, measure their performance, keep track of progress and be able to report on users’ performance to their supervisors. Name and email address are used to be able to identify the user, email address is used to issue certificates and HCI affiliation is used to link a user to their supervisors. Score information is used to track performance and issue certificates after sufficient progress. Career status and last time of login is used to provide supervisors with a better overview of performance and usage. Country of residence will be used for website localization. Our legal ground for these processing purposes is the performance of the agreement that we have with the HCI.

Access logs are necessary to detect and prevent abuse, and to investigate incidents when they do occur. Our legal ground for this purpose is our legitimate interest to be able to provide a stable and safe service to our user.

When opting in to newsletters the user will occasionally receive marketing type communications. Our legal ground for this purpose is the consent of the user. Users can opt-out at any time by clicking the link “Unsubscribe from this newsletter” included in the email.

How we share your information
Customer records may be shared with our support staff, staff and outside debt collection agencies involved in collecting outstanding invoices and our accountants and attorneys, all to the extent that is legitimate and proportional in light of the pursued purpose.

User records are shared with users themselves, their supervisors and regional supervisors. (Regional) Supervisors will be able to see a user’s name, career status and training progress in the form of the last 3 scores submitted per exercise, and based upon that the progress (passed/failed) per exercise and curriculum. When completing a curriculum, users and their supervisors will receive an email with a PDF file which is the curriculum certificate. This certificate lists name, HCI affiliation, the country of the HCI and the scores on which the certificate is based (three per exercise).

We share anonymised user data (scores) with accredited research institutions to help them validate scientific research into our services.

Storage and processing
Controller. Simendo processes personal data as a Controller, as defined in the GDPR. This applies to all data collected as outlined in the section “Information we collect”. The collected data is stored exclusively at secure hosting facilities in The Netherlands provided by a hosting provider (the Processor). Simendo has a data processing agreement in place with its provider. All hosting is performed securely and according to industry best practices. All transfers of data between users and the Processor are done in accordance with the data processing agreement. No personal data is transmitted outside of the European Economic Area.

Data retention
Customer Records. These records are maintained for the term of the agreement that we have with the HCI. To the extent that these records are part of our (financial) administration we will retain these records for an additional seven [7] years beyond the date of termination of the agreement.

User Records. We try to minimize both the types of information stored and the length of time that the data is stored. In practice, this means that a user record is stored until one of the following situations occurs:

A user chooses to delete their account
A user account is no longer connected to a Health Care Institution license, which will cause the user account to be deleted after two weeks’ time. This could happen when:The HCI license has expired
The HCI has been removed
The HCI supervisor has removed the user from the hospital
The user has left the HCI license (usually in order to switch to a different HCI)
The period of two weeks is used to allow users an opportunity to register to a different HCI, before their account is deleted. Furthermore, score records stored are a maximum of three scores per exercise, and are removed when a certificate expires or when a curriculum is reset. When no certificate expiry time is set this means that score records can be kept until the user account is deleted.

Server access logs. Server access logs are kept for a maximum of four weeks, after which they are deleted by an automatic process. An exception is made when the logs need to be retained longer for an investigation. In that case the logs are removed as soon as the investigation has been concluded.

Email addresses for newsletters. Email addresses used to send newsletters are stored until the user opts out of receiving further emails.

User rights and choices
We respect privacy rights, therefore we try to minimize the amount and duration of data we collect and store. Furthermore users have the following rights:

A user may exercise their right to be forgotten by deleting their account on the “Edit account” page, after logging into https://www.mysimendo.com.
To view and/or change a user record, a user can login to https://www.mysimendo.com and go to their account page.
To receive an overview of all data in their record, a user can send a request to support@simendo.eu.
Furthermore, users have the right to file a complaint with the Autoriteit Persoonsgegevens (AP) at https://www.autoriteitpersoonsgegevens.nl. International users can file a complaint with the data processing authority in their EU country of residence. A full list of these data processing authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en.

Privacy statement contact information
For additional information about our privacy statement, please contact us at support@simendo.eu. Our full contact information is:

Simendo B.V.
Ungerplein 2-22
3033 BR Rotterdam
The Netherlands
Tel. +31 (0)10 213 02 20

Last updated: 7 March 2019