These Terms of Use apply to users of the platform.
1. Who We Are
UpHill S.A. (hereinafter “UpHill”) has developed software whose functions and use may involve the processing of personal data by UpHill, by healthcare service providers, and by healthcare professionals who use, or whose collaborating healthcare professionals use, the UpHill platform and benefit from the “UpHill Route” services (the “Hospitals” and the “Healthcare Service Providers”), namely for the purposes of: (i) developing the functionalities of the “UpHill Route” service (development of algorithms based on scientific evidence—referenced therein—with the highest quality available at the time of their creation, aimed at identifying and disseminating best practices in treatment, planning, and follow-up of healthcare services through clinical pathways defined with the purpose of optimizing the clinical care provided by healthcare professionals to patients (the “Healthcare Professional”)); (ii) ensuring adherence of diagnoses and prescriptions, as well as other therapeutic decisions, to the standards and protocols of the Hospitals; (iii) enabling the participation of patients of Healthcare Service Providers and Hospitals (hereinafter “Patients”) in healthcare acts involving auxiliary services for medical diagnosis; (iv) monitoring and evaluating the Patient’s clinical condition and the progression of their clinical situation; and (v) enabling communication between healthcare professionals necessary for the provision of healthcare to the Patient, including on an ongoing basis.
UpHill, the Healthcare Service Provider, and the Hospitals are each, independently, the data controller responsible for the processing of personal data, namely of Patients, depending on the purposes and means of processing determined by each entity and relating to the activities carried out by each within the operation and use of the “UpHill Route” platform, as detailed below.
2. Protection and Privacy of Personal Data
UpHill guarantees Patients whose personal data are collected through the UpHill platform and website (hereinafter the “Platform”), through healthcare professionals who are Healthcare Service Providers or who carry out their activity on behalf of them or within Hospitals, respect for their privacy, adopting the necessary measures to protect their personal data.
UpHill will process the personal data entrusted to it in the provision of the “UpHill Route” services ensuring their full privacy, confidentiality, and integrity, in strict compliance with the law, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), Law no. 58/2019 which ensures the implementation of the GDPR in the national legal order (hereinafter “LPDP”), and any other applicable legislation or regulation concerning personal data protection and privacy that may be in force.
In this context, UpHill, the Healthcare Service Providers, and the Hospitals intend, among other things, to inform Patients of the situations in which they process their personal data, as well as to inform them about how their personal data are collected, who their recipients are, how their privacy is protected when using the services available on the Platform, and about their rights regarding the personal data processing carried out.
UpHill also intends to provide the same information to all healthcare professionals, whether they constitute Healthcare Service Providers or carry out their activity on behalf of them or within Hospitals, whose personal data are processed within the use of the functionalities of “UpHill Route” (hereinafter “Healthcare Professionals”).
Each of the entities mentioned below is responsible for the processing of your personal data within the scope of the data processing purposes described below, relating to each of the indicated data controllers:
UpHill, corporate entity no. 513509593, registered with the National Registry of Legal Persons under the same number, with registered office at Estrada Municipal 506, Ubimedical; 6200-284 Covilhã;
Each of the Healthcare Service Providers and/or Hospitals with which the Patient carries out medical consultations using auxiliary services from the Platform, whose identity and contact details are provided in their respective personal data protection policies made available in the context of the provision of their healthcare services (hereinafter the “Hospital Privacy Policies”).
4. Data Protection Officer (hereinafter “DPO”)
The DPO is responsible for clarifying any doubts or concerns regarding the way your personal data are processed and for ensuring that you can exercise your rights.
You may contact UpHill’s DPO through the following address: dpo@uphill.pt
You will find the contacts of the DPOs of each Hospital as well as each Healthcare Service Provider that has appointed a DPO in their respective Privacy Policies.
5. Processing of Special Categories of Personal Data
Health Data
Healthcare Service Providers and Hospitals process Special Categories of Personal Data through the use of the Platform, in particular data relating to the Patient’s health.
Healthcare Service Providers and Hospitals collect Patient data through the Platform for the provision of healthcare services.
The collection of Patient personal data on the Platform occurs in three ways: (i) through the Healthcare Professional to complete the Patient’s clinical information; (ii) by the Patient themselves after completing forms/questionnaires made available through digital means sent by UpHill on behalf of the Healthcare Provider or Hospital to the Patient to monitor their clinical condition; (iii) through the collection of information stored by the Hospital via interface between the Platform and the Hospital (for example through APIs – application programming interfaces).
These APIs are protected by strong technical measures to ensure the security of the information exchanged.
Without prejudice to the above, health-related data of the Patient collected through the UpHill platform will only be processed by or under the responsibility of professionals bound by professional confidentiality.
6. Purposes, Legal Bases and Retention Periods in the Processing of Personal Data
Your Personal Data collected through the Platform may be processed for the following purposes, by each of the different Data Controllers, on the following legal bases and in accordance with the following retention periods:
1. Provision of healthcare or medical treatment using auxiliary services in decision-making and medical diagnosis, and interactions between the Hospital or the Healthcare Provider and the Patient connected with the contracting and provision of those services.
Categories of Data
Identification data (e.g., name, health user number, internal identification number of the institution, age); contact data (e.g., telephone number, e-mail); data relating to the Patient’s lifestyle and habits; and health data.
Legal Basis
Provision of healthcare services, pursuant to Article 9(2)(h) GDPR (and Article 6(1)(b) GDPR).
Retention Period
For the period necessary for the continuous provision of healthcare or medical treatment or, for a longer period, to comply with legal obligations.
Data Controller
Healthcare Service Provider or Hospital.
2. Monitoring and evaluation of the Patient’s clinical condition and the progression of their clinical journey, as well as communication with the Patient
Categories of Data
Identification data (e.g., name, card number, age); contact data (e.g., telephone number, e-mail); data relating to the Patient’s lifestyle and habits; and health data.
Legal Basis
Provision of healthcare services, pursuant to Article 9(2)(h) GDPR (and Article 6(1)(b) GDPR).
Retention Period
For the period necessary for the continuous provision of healthcare or, for a longer period, to comply with legal obligations.
Data Controller
Healthcare Service Provider or Hospital.
3. Communication of personal data by a Healthcare Professional (i.e., one who uses the services in individual practice) to other Healthcare Professionals for the provision of healthcare.
Categories of Data
Patient clinical data.
Legal Basis
Patient consent.
Retention Period
Only for the duration of the communication of Personal Data from one Healthcare Professional to another healthcare professional.
Data Controller
Service Provider.
4. Support in the management of the Services provided through the Platform, to clarify questions or the operating conditions of those services.
Categories of Data
Contact data (e.g., e-mail); identification data (e.g., name); data relating to the profession/specialty of the Healthcare Professional; and information relating to the information request or the complaint submitted.
Legal Basis
Performance of the services contracted with UpHill and UpHill’s legitimate interest, as Data Controller, in responding to questions and complaints submitted about the services provided.
Retention Period
As a rule, until the Personal Data are no longer necessary for the purpose for which they were collected or processed; in principle, as long as the Healthcare Service Provider and/or Hospital continues to use the Platform and, in any case, until the issue that gave rise to the question has been resolved.
Data Controller
UpHill.
5. Subscription to the Platform by Healthcare Service Providers and Hospitals, inclusion of Platform users and management of communication with them
Categories of Data
Identification data, contact data, password and username, IP address, browser identifier, banking data and data related to payment for UpHill services (e.g., NIB, IBAN, tax identification number), and data related to the medical profession/specialty.
Legal Basis
Pre-contractual steps and performance of the services contracted with UpHill, and UpHill’s legitimate interest, as Data Controller, in registering the data of Healthcare Service Providers so that they can use the Platform services.
Retention Period
Only for the duration of the subscription to the services by the Healthcare Service Providers or, for a longer period, but only if necessary to comply with a legal obligation.
Data Controller
UpHill.
6. Purposes, Legal Basis, and Retention Periods in the Processing of Personal Data
Your Personal Data collected through the Platform may be processed for the following purposes by each of the different Data Controllers, based on the following legal grounds and according to the following retention periods:
1. Provision of healthcare or medical treatment using auxiliary services in decision-making and medical diagnosis, and interactions between the Hospital or Healthcare Provider and the Patient connected with the contracting and provision of such services.
Categories of Data
Identification data (e.g., name, health user number, internal institutional identification number, age); contact data (e.g., phone number, email); data relating to the Patient’s lifestyle and habits; health data.
Legal Basis
Provision of healthcare services pursuant to Article 9(2)(h) GDPR (and Article 6(1)(b) GDPR).
Retention Period
For the period necessary for the continuous provision of healthcare services or longer if required to comply with legal obligations.
Data Controller
Healthcare Service Provider or Hospital.
2. Monitoring and evaluation of the Patient’s clinical condition and clinical journey as well as communication with the Patient.
Categories of Data
Identification data, contact data, lifestyle and habit data, and health data.
Legal Basis
Provision of healthcare services under Article 9(2)(h) GDPR and Article 6(1)(b) GDPR.
Retention Period
For the period necessary for continuous healthcare provision or longer if required by law.
Data Controller
Healthcare Service Provider or Hospital.
3. Communication of personal data by a Healthcare Professional (i.e., one who uses the services in individual practice) to other Healthcare Professionals for the provision of healthcare.
Categories of Data
Patient clinical data.
Legal Basis
Patient consent.
Retention Period
Only during the communication of personal data from one healthcare professional to another.
Data Controller
Healthcare Service Provider.
4. Support in the management of services provided through the Platform to clarify questions or operating conditions of those services.
Categories of Data
Contact data (e.g., email), identification data (e.g., name), data relating to the profession/specialty of the Healthcare Professional, and information relating to the information request or complaint submitted.
Legal Basis
Performance of services contracted with UpHill and UpHill’s legitimate interest in responding to questions and complaints regarding the services provided.
Retention Period
As a rule, until personal data are no longer necessary for the purpose for which they were collected or processed, generally while the Healthcare Provider and/or Hospital maintains use of the Platform and, in any case, until the issue that raised the question has been resolved.
Data Controller
UpHill.
5. Subscription of Healthcare Providers and Hospitals to the Platform including the creation of Platform users and management of communication with them.
Categories of Data
Identification data, contact data, username and password, IP address, browser identifier, banking and payment data (e.g., NIB, IBAN, tax identification number), and data relating to the medical profession/specialty.
Legal Basis
Pre-contractual steps and performance of services contracted with UpHill and UpHill’s legitimate interest in registering Healthcare Providers so they can use the Platform services.
Retention Period
During the subscription to the services or longer if required to comply with legal obligations.
Data Controller
UpHill.
6. Sending informational communications regarding new functionalities and Platform content to Hospitals, Healthcare Providers, and Healthcare Professionals.
Legal Basis
Performance of services and UpHill’s legitimate interest in informing users about new Platform features.
Retention Period
Until the data are no longer necessary for the purpose for which they were collected.
Data Controller
UpHill.
UpHill also uses data collected through the Platform to generate statistical and anonymized information intended to be processed, after anonymization, for: (i) monitoring the level of adherence of Healthcare Professionals’ diagnoses and prescriptions to the medical protocols of institutions subscribing to UpHill services; and (ii) developing and improving decision-support algorithms for medical diagnosis and prescription and for product analysis and improvement. The information is processed in aggregated and anonymized form and therefore does not constitute personal data processing within the meaning of the GDPR.
7. Under what circumstances do we communicate Personal Data of Healthcare Professionals, Healthcare Service Providers, or Patients?
UpHill and the Hospitals and Healthcare Service Providers may rely on other entities to provide certain services. Such provision of services may involve access by these entities to Personal Data. This may be the case with suppliers or service providers of UpHill, Healthcare Service Providers, or Hospitals (e.g., entities providing support services such as consulting professionals or information storage services).
In such cases, the Data Controller (UpHill, one or more Hospitals and/or one or more Healthcare Service Providers, depending on the case) ensures through contracts and clauses for the Processing of Personal Data that any Processor that processes Personal Data on its behalf and for its account provides guarantees for the implementation of appropriate technical and organizational measures so that the Processing meets the requirements set out in the GDPR and the LPDP or any other applicable law on the matter, ensuring the confidentiality and security of the data, including compliance with the rights of the Personal Data Subjects.
The Data Controller may also transmit Personal Data of Healthcare Service Providers or Patients to third parties when such transmission is necessary or appropriate (i) under applicable law, (ii) to comply with legal obligations or court orders, (iii) to respond to requests from public or governmental authorities and other administrative authorities, (iv) when necessary to comply with a legal, regulatory, or other obligation, as well as (v) to ensure the security of Personal Data Subjects or otherwise prevent fraudulent conduct.
As a rule, Personal Data of Healthcare Professionals, whether or not they are Healthcare Service Providers, and of Patients are not transferred to third countries (outside the European Union), and are maintained on servers located within the European Union. However, the use of certain Processors for the provision of support services that involve the Processing of some Personal Data on behalf of UpHill, Hospitals, and/or Healthcare Service Providers will be limited to third countries for which an adequacy decision has been adopted by the European Commission or, where this is not the case, based on a binding agreement established in accordance with standard data protection clauses adopted by the European Commission, accompanied, whenever justified, by the necessary and appropriate measures under applicable law to ensure the protection of the Personal Data subject to such transfer, strictly complying with the legal provisions set out in the GDPR and the LPDP or other applicable legislation regarding such transfers. Data Subjects may obtain a copy of the appropriate safeguards from the respective DPO.
8. What are the rights of Data Subjects (Healthcare Professionals, whether or not they are Healthcare Service Providers, and Patients)?
Within the scope of personal data processing carried out by each Data Controller identified above, each of them shall separately ensure that Data Subjects are guaranteed, at any time, the right of access, rectification, updating, restriction, and erasure of their Personal Data, the right to object, and the right to withdraw Consent, without affecting the lawfulness of the processing carried out on the basis of that Consent, as well as the right to data portability, under the legally established terms and conditions, each of them responding individually to the legal obligations in this regard.
Right of access
Whenever the Data Subject requests access to their collected personal data, they may obtain confirmation regarding the Processing carried out by the Data Controller of their Personal Data, namely obtaining the following information:
The reasons why the Personal Data are processed;
The types of Personal Data that are processed;
The entities to whom the Data Controller may transmit the Personal Data;
The retention period of the Personal Data or, if this is not possible, the criteria used to determine that period;
The rights available in relation to the Processing of Personal Data.
In the case of Data Controllers that process Health Data, the exercise of this right does not involve direct access by Patients to their clinical record nor does it override the special rules regarding access to clinical data as regulated by the applicable law in force at any given time, which must be respected.
The health data subject has the right, if they so wish, to be informed of their entire clinical record, except in exceptional circumstances duly justified where it is unequivocally demonstrated that such access may be harmful to them, or to have it communicated to a person designated by them.
Access to health information by its holder, or by third parties with their consent or under the law, shall be exercised through a physician with appropriate qualifications, if the data subject so requests, under the legally regulated terms.
Right to rectification
Whenever the Data Subject considers that the Personal Data (objective Personal Data provided by them) are incomplete or incorrect, they may request their rectification or completion.
Right to erasure
The Data Subject may request that Personal Data be erased when one of the following situations occurs:
The Personal Data are no longer necessary for the purpose for which they were collected or processed;
Consent on which the Processing is based is withdrawn and there is no other legal basis for it;
An objection to Processing is raised and there are no overriding legitimate grounds for the Processing;
The Personal Data have been unlawfully processed;
The Personal Data must be erased to comply with a legal obligation.
The right to erasure does not apply when the Processing is necessary for:
Exercising the right of freedom of expression and information;
Compliance with a legal obligation that requires Processing;
Statistical or scientific research purposes insofar as exercising the right to erasure would seriously impair the achievement of the objectives of that Processing; or
The establishment, exercise, or defense of legal claims in judicial proceedings.
Right to restriction of processing
Restriction of Processing allows the Data Subject to request that the Data Controller restrict access to certain Personal Data or suspend certain processing activities. Specifically, the Data Subject may request restriction of the Processing of Personal Data in the following cases:
If they contest the accuracy of the Personal Data, for a period allowing the Data Controller to verify its accuracy;
If the Data Controller no longer needs the Personal Data for a specific processing purpose;
If they have objected to the Processing, unless the legitimate interests of the Data Controller prevail over those of the Data Subject.
Right to data portability
The Data Subject may request to receive the Personal Data they have provided in a structured, commonly used, and machine-readable format. They also have the right to request that these data be transmitted to another Data Controller, provided this is technically possible.
The right to data portability applies when:
The Processing is based on Consent or the performance of a contract;
The Processing is carried out by automated means.
Right to object
The Data Subject has the right to object to Processing in the following situations:
When the Processing is based on the legitimate interest of the Data Controller;
When the Processing is carried out for purposes other than those for which the data were collected but which are compatible with them;
When the Processing is carried out for direct marketing purposes.
In such cases, the Data Controller will cease processing Personal Data unless there are legitimate grounds to continue such Processing that override the interests of the Data Subject.
Right to withdraw Consent
Where Processing is based on Consent, the Data Subject may withdraw it at any time.
Right to lodge a complaint with the Supervisory Authority
If the Data Subject wishes to submit a complaint regarding matters related to the Processing of Personal Data, they may do so with the data protection supervisory authority which, in Portugal, is the National Data Protection Commission (“CNPD”).
Any request to exercise rights or complaint regarding data processing by the Data Controller will be carefully analyzed and a response will be provided within 30 (thirty) days, without prejudice to the extension of this period in cases of manifest complexity.
9. How can Data Subjects exercise their rights?
For matters related to the protection of Personal Data collected on the Platform, Data Subjects should contact UpHill through the following address: dpo@uphill.pt
Whenever a request concerns the exercise of a right or any other contact relating to Personal Data Processing activities for which the Data Controller is a Healthcare Service Provider or a Hospital, UpHill will forward the request to the respective Data Controller, in particular to the respective DPO where one has been appointed, and will inform the Data Subject accordingly.
UpHill further informs that, under Article 31(2) of the LPDP, in cases where the processing of Patients’ personal data is carried out for scientific research or statistical purposes, the rights of access, rectification, restriction of processing, and objection mentioned above may be limited to the extent necessary if exercising those rights is likely to make such purposes impossible or seriously impair their achievement.
Personal Data are stored on high-security servers with hosting providers established within the European Union that comply with the most rigorous international standards. The databases in which the data are stored are encrypted and are virtually inaccessible except through the Website interface.
The hosting services subcontracted by UpHill guarantee the highest security standards not only with regard to internet access but also in terms of physical access to the servers and the facilities where they are located.
Additionally, a set of technical and organizational audits is regularly carried out to ensure strict compliance with appropriate information security measures.
Data are encrypted in transit (TLS 1.2 SHA256-RSA) and at rest (AES256). There is integration with Single Sign-On systems (to avoid proprietary credentials). Backups are performed daily, encrypted, and stored in a separate location.
Furthermore, there is continuous monitoring of threats and attempted attacks, as well as vulnerabilities in the infrastructure and code.
11. Changes to the Privacy Policy
UpHill reserves the right to modify this “UpHill Route” Privacy Policy at any time.
In the event of changes to the Privacy Policy, the date of the last modification, available at the top of this page, will also be updated. If the change is substantial, a notice will be placed on the Platform.
This Privacy Policy, as well as the collection, processing, or transmission of data of the Healthcare Service Provider or the Patient, are governed by the provisions of the GDPR, the LPDP, and any applicable regulations in Portugal.