Privacy

Privacy Policy - General

These Terms of Use apply to users of the platform.

1. Who We Are

UpHill S.A. (hereinafter “UpHill”), corporate entity no. 513509593, registered with the Commercial Registry Office under the same number, with its registered office at Estrada Municipal 506, Ubimedical, 6200-284 Covilhã, is the controller responsible for processing your personal data collected through the UpHill platforms and website (hereinafter the “Platform”) for the purposes identified below. In particular, data collected on the UpHill Platform allows the user to register and use the services made available by UpHill on the Platform from time to time (including the services Events, Simulate and Route, and the forums for sharing protocols and cases using UpHill Notation).
Please consult here the information regarding the processing of personal data related to the use of the “UpHill Route” service.

2. Protection and Privacy of Personal Data

UpHill guarantees users of this Platform (hereinafter “Users”) respect for their privacy by adopting the necessary measures to protect their personal data.
UpHill is aware of its responsibility in collecting and processing the personal data entrusted to it and in keeping it secure, ensuring full privacy, confidentiality, and integrity, in strict compliance with the law, namely the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), Law no. 58/2019 which ensures the implementation of the GDPR in the national legal order (hereinafter “LPDP”), and any other applicable legislation or regulations concerning personal data protection and privacy that are in force.
In this context, UpHill aims, among other things, to inform Users of the situations in which their personal data is processed, as well as how their personal data is collected, who its recipients are, how privacy is protected when using the services available on the Platform, and their rights regarding the processing of personal data carried out.

3. What Are Personal Data?

Personal data means any information, regardless of its nature and medium, including sound and image, relating to an identified or identifiable natural person. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Other Important Definitions

Supervisory Authority

An independent public authority established by a Member State of the European Union responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of individuals regarding processing and to facilitate the free movement of data within the European Union. In Portugal, the supervisory authority is the National Data Protection Commission (CNPD).

Consent

Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement, by a statement or clear affirmative action, to the processing of personal data relating to them for a specific purpose.

Controller

A natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

Processor

A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Personal Data Subject

An identified or identifiable natural person whose personal data is collected through the Platform.

Processing

Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

4. Data Controller

UpHill, whose identification and contact details are provided at the beginning of this Policy (1. Who We Are), is responsible for processing Users’ personal data for the purposes indicated below.

5. Data Protection Officer (DPO)

The DPO is responsible for clarifying any doubts or concerns regarding how your personal data is processed and for ensuring that your rights are protected.
You may contact UpHill’s DPO at the following address: dpo@uphill.pt

6. General Principles Applicable to the Processing of Personal Data

When processing personal data collected through the Platform, UpHill undertakes to ensure that such data are:
  • Processed lawfully, fairly, and transparently in relation to the data subject;
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • Adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
  • Accurate and kept up to date whenever necessary, with appropriate measures adopted to ensure that inaccurate data are erased or rectified without delay;
  • Stored in a form that allows identification of the data subject only for the period necessary for the purposes for which the data are processed;
  • Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

7. Purposes, Legal Basis, and Retention Periods for the Processing of Personal Data

1. User registration on the Platform and management of communication and services

Data categories

Identification data, contact data, username and password, gender, civil identification, date of birth, IP address, browser identifier, banking/payment data (e.g., NIB, IBAN, tax identification number), and professional category/medical specialty.

Legal basis

Pre-contractual and contractual steps; and UpHill’s legitimate interest in communicating information about subscribed services and the use of services on the Platform.

Retention period

While the user remains subscribed to the Platform services or longer when required to comply with legal obligations.

2. Support and service management through the Platform

Data categories

Identification and contact data (e.g., name and email), professional information, and details regarding requests for information or complaints.

Legal basis

Pre-contractual steps and contract with the user; and UpHill’s legitimate interest in responding to questions and complaints.

Retention period

Only for the period necessary to respond to inquiries.

3. Information sharing in blogs and forums available on the Platform

Data categories

Identification and contact data (e.g., name, email address, phone number) and information related to health topics shared by users.

Legal basis

UpHill’s legitimate interest in providing blogs and forums for discussion.

Retention period

For the duration necessary to manage participation or longer if required by law.

4. Contact management for registration and promotion of events organized by UpHill

Data categories

Identification and contact data, payment data (e.g., NIB, IBAN, tax identification number), and event registration information.

Legal basis

Pre-contractual steps and contract for event registration; legitimate interest in managing event participation and promotion; and the Platform’s Terms and Conditions.

Retention period

For the time necessary to manage participation in the event or longer if required by law.

5. Sending marketing communications to Platform users

Data categories

Identification data, contact data, and professional/medical specialty information.

Legal basis

User consent.

Retention period

Until the personal data are no longer necessary for the purpose collected or until consent is withdrawn.

8. When Do We Share Users’ Personal Data?

UpHill may rely on other entities to provide certain services. These services may involve access to users’ personal data, for example suppliers or service providers (e.g., consulting services or data storage providers).
In such cases, UpHill ensures through contracts and data processing clauses that any processor acting on its behalf provides sufficient guarantees of implementing appropriate technical and organizational measures in accordance with GDPR and LPDP requirements.
UpHill may also disclose personal data when necessary (i) under applicable law; (ii) to comply with legal obligations or court orders; (iii) in response to requests from public authorities; (iv) to fulfill regulatory obligations; (v) to ensure the safety of data subjects or prevent fraudulent activities.
As a rule, personal data are not transferred to third countries (outside the EU) and are stored on servers located within the EU. However, if certain processors require such transfers, they will only occur to countries with an adequacy decision by the European Commission or under binding agreements based on standard contractual clauses and appropriate safeguards in compliance with GDPR and LPDP.

9. What are the User’s rights as a Personal Data Subject?

UpHill guarantees Users, as Personal Data Subjects, the right at any time to access, rectify, update, restrict, and erase their Personal Data, as well as the right to object and to withdraw Consent, without this affecting the lawfulness of the processing carried out based on that Consent. Users also have the right to data portability, under the terms and conditions established by law.
Right of access: whenever the User requests access to their collected personal data, they may obtain confirmation as to whether their Personal Data is being processed by UpHill and, in particular, obtain the following information:
  1. The reasons why the Personal Data is being processed;
  2. The types of Personal Data being processed;
  3. The entities to whom UpHill may transmit the Personal Data;
  4. The retention period of the Personal Data or, if this is not possible, the criteria used to determine that period;
  5. The rights that the User holds regarding the processing of Personal Data.
Right of rectification: whenever the User considers that their Personal Data (objective Personal Data that has been provided by them) is incomplete or incorrect, they may request that it be rectified or completed.
Right to erasure: the User may request that their Personal Data be erased when one of the following situations applies:
  1. The Personal Data is no longer necessary for the purpose for which it was collected or processed;
  2. Consent on which the processing is based is withdrawn and there is no other legal ground for the processing;
  3. The User objects to the processing and there are no overriding legitimate interests justifying the processing;
  4. The Personal Data has been unlawfully processed;
  5. The Personal Data must be erased to comply with a legal obligation.
The right to erasure does not apply where processing is necessary for the following purposes:
  1. Exercising the right of freedom of expression and information;
  2. Compliance with a legal obligation requiring processing;
  3. As previously mentioned, statistical purposes and scientific research, insofar as exercising the right to erasure would seriously impair the achievement of the objectives of such processing; or
  4. The establishment, exercise, or defense of legal claims in judicial proceedings.
Right to restriction of processing: restriction of processing allows the User to request that UpHill restrict access to certain Personal Data or suspend certain processing activities. Specifically, the User may request restriction of processing in the following cases:
  1. If they contest the accuracy of the Personal Data, for a period allowing UpHill to verify its accuracy;
  2. If UpHill no longer needs the Personal Data for a specific processing purpose;
  3. If the User has objected to processing, unless it is verified that UpHill’s legitimate interests override those of the User.
Right to data portability: the User may request to receive the Personal Data they have provided in a structured, commonly used, and machine-readable format. They also have the right to request that such data be transmitted to another Controller, provided this is technically feasible. The right to data portability applies in the following cases:
  1. When the processing is based on explicit Consent or on the performance of a contract; and
  2. When the processing is carried out by automated means.
Right to object: the User has the right to object to processing in the following situations:
  1. When the processing is based on the legitimate interest of the Controller;
  2. When the processing is carried out for purposes other than those for which the data was originally collected, but which are compatible with them;
  3. When the processing is carried out for direct marketing purposes.
In such cases, UpHill will cease processing the Personal Data unless it has compelling legitimate grounds to carry out such processing that override the interests of the Users.
Right to withdraw Consent: in cases where processing is based on Consent, the User may withdraw it at any time.
Right to lodge a complaint with the Supervisory Authority:
If the User wishes to submit a complaint regarding matters related to the processing of Personal Data, they may do so with the CNPD, the competent Supervisory Authority in Portugal.
For more information, please visit www.cnpd.pt.
Any request to exercise rights or complaint regarding data processing by UpHill will be carefully analyzed and a response will be provided within 30 (thirty) days, without prejudice to the extension of this period in cases of manifest complexity of the situation submitted.

10. How Can Users Exercise Their Rights?

For matters related to the protection of personal data collected through the Platform, users should contact UpHill at: dpo@uphill.pt

11. What measures has UpHill adopted to ensure the security of Users’ Personal Data?

Personal Data is stored on high-security servers with hosting providers established in the European Union that comply with the most rigorous international requirements. The databases in which this data is stored are encrypted and are virtually inaccessible except through the Website interface. The hosting services subcontracted by UpHill guarantee the strictest security standards, not only regarding access via the Internet but also from the perspective of physical access to the servers and the facilities where they are installed.
Additionally, a set of technical and organizational audits is carried out on a regular basis to ensure strict compliance with appropriate information security measures. Data is encrypted both in transit (TLS 1.2 SHA256-RSA) and at rest (AES256). There is integration with Single Sign-On systems (to avoid the use of proprietary credentials). Backups are performed daily, encrypted, and stored in a separate location.
Furthermore, there is continuous monitoring regarding threats and attempted attacks, as well as vulnerabilities in the infrastructure and in the code.

12. Cookie Policy

UpHill uses cookies on the Platform to improve the user experience and enable secure operations. Please consult the Cookie Policy for more information.

13. Changes to the Privacy Policy

UpHill reserves the right to modify this Privacy Policy at any time. When changes occur, the “last updated” date at the top of the page will be updated. If the changes are substantial, a notice will be displayed on the Platform.

14. Applicable Law

This Privacy Policy, as well as the collection, processing, or transmission of user data, is governed by the GDPR, the LPDP, and any applicable regulations in Portugal.
