PRIVACY NOTICE

Last update: 30 November 2020

  • 1 WELCOME

    • 1.1 Who we are. We are MeTime Corporation Limited, with company number 669120 and registered address at 5 Fitzwilliam Square East, Dublin 2, Ireland (“we”, “our” or “us”).

    • 1.2 Purpose. This Privacy Notice aims to make you aware of how and why we collect, use and process your personal data, who we share it with, and your legal rights. We encourage all users to read it in full.

    • 1.3 Services summary. The MeTime Services make it easier for customers looking for information on Treatments to learn more about the providers and the Treatments they offer, match with providers in the locations they select, and share information with the providers they choose. The Services allow customers to:

      1.3.1 create a customer account and upload and post information, photos and videos to their customer account;

      1.3.2 review, edit and delete the information in their customer account;

      1.3.3 send information, for example through online messaging and video conferencing, to providers the customer chooses for the purposes of enabling those providers to suggest Treatments based on information, profiles, preferences and photos. When a customer sends information to a provider through the Services, the provider receives that information through the provider’s account on the Services;

      1.3.4 share the customer’s journey with users the customer chooses.

      When a customer is ready he or she can use their own judgement to choose the best provider for them, and use the Services to book an appointment and pay for a Treatment.

  • 2 DEFINITIONS

    • 2.1 To make things easier, in this Privacy Notice when we say:

      2.1.1 “customer” we mean an individual that has a customer account on the Services;

      2.1.2 “provider” we mean a clinic, company or organisation, or an individual professional or consultant, that has a provider account on the Services;

      2.1.3 “Services” we mean the MeTime app, the website located at www.metime.com, any content and materials on our app and website, and any other software, products, services, information, tools and technology that we make available;

      2.1.4 “Treatments” we mean advice, consultations, recommendations, products, services, procedures and treatments that a provider offers or supplies.

    • 2.2 When we use the terms ‘personal data’, ‘controller’, ‘processor’ and ‘special categories of personal data’, those terms have the meaning given to them in the EU General Data Protection Regulation (GDPR).

  • 3 INFORMATION FOR CUSTOMERS

    • 3.1 When we are a controller. We are the controller of a customer’s account profile (for example name, user ID, password and other account registration details) and the information a customer uploads or posts to their customer account. This means we are responsible under data protection law for a customer’s personal data when it resides in a customer account. Despite this, we do not access or use the data that a customer uploads or posts to its customer account unless: (a) the customer asks us to do so (for example, the customer uses our Service interface to send information to a provider); (b) applicable law requires us to; or (c) as otherwise set out in this Privacy Notice. This Privacy Notice only applies to what we do with a customer’s personal data while it resides in the customer account.

    • 3.2 When a provider is the controller. If a customer uses the Services to share or send its personal data to a provider, the provider is a distinct controller of the customer’s personal data. We do not influence how the provider uses the information that a customer sends to the provider through the Services, including while that data resides in the provider’s account on Services. The provider is responsible for informing the customer as to how the provider uses the information a customer sends to the provider. We encourage the customer to carefully read the provider’s privacy policies and to send the customer’s data protection queries and requests in relation to their Treatments or their relationship with a provider directly to the provider. We are not responsible for the privacy practices or security practices of a provider.

  • 4 INFORMATION FOR PROVIDERS

    • 4.1 When we are a controller. To become a provider and use the Services you have to create a provider account on the Services. We are the controller of the provider account profile data (for example, name, user ID, password and other account registration details).

    • 4.2 When a provider is a controller. We are a controller of the customer’s account and we are a controller of a customer’s personal data when it resides in the customer’s account on the Services. Paragraph 3 above sets out how we handle that personal data. The provider is a controller of any customer personal data that the provider receives to its provider account. We do not control how you either as an individual professional or consultant provider, or as an individual acting under the direction or employment of a business provider, handle the personal data that a customer sends to a provider using the Services, including while that personal data resides in the provider’s account on the Services. The controller of the customer’s personal data when it resides in the provider’s account on the Services is the provider.

    • 4.3 Provider responsibilities when it is a controller. As the controller of the customer’s personal data residing in the provider’s account, the provider is responsible for compliance with all applicable data protection laws, including where it acts as a controller supplying privacy notices to customers, obtaining necessary consents for the processing of customer personal data and complying with data subject requests from customers (for example, access, correction and erasure requests). As stated in our terms of service for providers, we act as the provider’s processor in these cases and our provider terms of service set out how we process this personal data in accordance with the controller’s (i.e. the provider’s) instructions. You promise that you are authorised by the controller to provide instructions to us in respect of this processing. We are not liable in respect of any customer personal data that is controlled by the provider in contravention of any data protection laws or outside the scope of the permissions the customer grants to the provider.

  • 5 TYPES OF DATA WE PROCESS

    • 5.1 Visitors: Anyone can generally visit our website without identifying themselves and we will only collect usage and troubleshooting information from the visit to help customise and improve experience on the Services.

    • 5.2 Customers: When a customer signs up for and uses the Services we may collect and process certain personal data:

      5.2.1 Account profile information including the user ID and password for the customer account, first name, last name, home address, email address and telephone number;

      5.2.2 Basic health related information including customer’s date of birth, gender, height and weight;

      5.2.3 Other information a customer enters or uploads to a customer account including customer preferences, interests, feedback and responses to our surveys and questionnaires that a customer chooses to answer;

      5.2.4 Usage and troubleshooting information including operating system, IP address, time zone setting, device model, browser type, browser plug-ins, connection speed and access times and how the customer has used the Services (for example, whether a customer has read an online message);

      5.2.5 Image and camera information including any photographs a customer provides; access to the camera and microphone of the customer’s device to conduct assessments and video Treatments;

      5.2.6 Location information including device-based settings (such as access to GPS location, camera and microphone) that determine the customer’s real-time location to enable the Services to match the customer with a provider near their chosen location. A customer can withdraw its consent to this at any time by changing its device settings;

      5.2.7 Marketing and communications information including customer preferences on receiving marketing from us and our third parties and communication preferences;

      5.2.8 Financial information including credit or debit card details, bank account details. Any payment information a customer provides is collected and processed directly by our third party payment processor;

      5.2.9 Transaction information including information about payments and information about services and products a customer purchases from or through us;

      5.2.10 Special categories of personal data including any health or medical information (such as medical records, medical history, treatment notes and health status) that a customer enters or uploads to its customer account. As part of the functionality of the Services we store this information on our servers or the servers of our third party IT suppliers.

    • 5.3 Provider account profile data: When a provider signs up for and uses a provider account on the Services we may collect and process certain provider profile data about the provider and its staff:

      5.3.1 Account profile information including the user ID and password for the provider account, first name, last name, work address, work email address and work telephone number;

      5.3.2 Professional information including specialties, experience, education, qualifications and headshot image;

      5.3.3 Business information including information about the employer or organisation under whose direction or employment you are acting, such as business name, office address, opening hours, website address, social media pages and images;

      5.3.4 Financial information including credit or debit card details, bank account details so that the provider can accept customer payments through the Services;

      5.3.5 Location information including device-based settings (such as access to GPS location, camera and microphone) that determine the provider’s real-time location to enable the Services to match the customer with a provider near their chosen location. A provider can withdraw its consent to this at any time by changing its device settings.

    • 5.4 Children. We do not knowingly collect personal data about anyone under the age of 18.

    • 5.5 Third parties. We may obtain personal data about you from our third party providers and publicly available sources such as our payment processing providers, analytics providers, advertising networks and search information providers.

  • 6 WHY WE USE DATA

    • 6.1 Customers. We use a customer’s personal data to provide it with a customer account, with use of the Services and to help customise and improve experience on the Services. A customer is in control of what it uploads and posts to its user account and what it sends to the providers it chooses to interact with through its customer account. On the Services a User can upload, send, edit and delete its information from its customer account.

    • 6.2 Provider profile data. We use a provider’s profile data to provide it with a provider account, with use of the Services, and to help customise and improve experience on the Services.

    • 6.3 Legal bases. In order to collect, process and share personal data for the purposes described in this Privacy Notice, we rely on a number of separate and overlapping legal bases, including where:

      6.3.1 necessary to perform a contract we have with you, for example under our terms of service contracts with customers and providers we need to provide those users with an account and use of the Services;

      6.3.2 consistent with obtained consent, for example, if you are a customer we will obtain your explicit consent in the case of any special categories of personal data, such as personal data concerning your health;

      6.3.3 necessary for the legitimate interests of us or of a third party, provided those interests are not overridden by the customer’s interests or rights;

      6.3.4 necessary to comply with our legal obligations;

      6.3.5 necessary to protect the vital interests of the customer or of others.

    • 6.4 Purposes. We may process personal data for more than one lawful ground depending on the specific purpose for which we are using that data. We only use personal data for the purposes for which we collected it, unless we believe that we need to use that personal data for another reason that is compatible with the original purpose or as applicable law permits. If we intend to process personal data for an unrelated purpose, prior to that processing we will explain the legal basis that allows us to do so.

    • 6.5 De-identified information. We may also create and publicly share aggregated de-identified information, which is information that is not used or intended to be used to personally identify an individual. For example, we may share aggregated information to show aggregate statistics relating to the use of general functionality on the Services. If we combine aggregated data with personal data in a way that could, directly or indirectly, identify you, that combined data is your personal data and we will treat it in accordance with this Privacy Notice.

      6.5.1 Declining to provide information. A customer and provider may choose not to provide information in which case they may still be able to use some elements of the Services, although certain options or features may not be available or fully functional.

  • 7 DISCLOSING DATA

    • 7.1 Customers. We may disclose a customer’s personal data to each provider that a customer chooses to interact with on the Services. For example, a customer may choose to send from its customer account a photo or questionnaire responses to a provider it chooses, it may choose to arrange a video conference consultation with a provider, or it may choose to arrange a booking on the Services. The Services provide functionality to enable a customer to delete from its customer account the information it has chosen to share with a provider. However, a provider may have its own records of this information and we have no control over these independent records and cannot delete them. We encourage a customer to contact the provider if it has any questions or requests in relation to this.

    • 7.2 Provider profile data. On the Services a customer will be able to search for and see a provider’s profile data such as name, clinic information, specialties, experience, photograph and location. This is to help a customer choose a provider they want to send certain information to through the Services.

    • 7.3 Other third parties. We may share personal data with:

      7.3.1 our subsidiaries, related companies and affiliates;

      7.3.2 third party service providers who support our business, for example, payment service providers, customer support providers and advertising networks (such as Stripe and Google Analytics);

      7.3.3 technology service providers who help us operate and support the functionality of the platform, including data hosting providers, IT service providers, video call service providers and support desk (such as Amazon Web Services and WhereBy);

      7.3.4 our professional advisors, including lawyers, auditors and insurers;

      7.3.5 possible acquirers or investors (and our and their advisors) in the context of facilitating or implementing a business reconfiguration or reorganisation or a transfer or sale of all or part of our assets or business, including, but not limited to a divestiture, acquisition or business reconfiguration. Alternatively, we may seek to acquire other businesses or merge with them;

      7.3.6 regulators and law enforcement organisations if we are required to do so to meet relevant legal and regulatory obligations.

    • 7.4 Our obligations. We will only provide these third parties with the personal data that is necessary. Where these third parties are processors, they are contractually required to only use the personal data in accordance with our instructions to provide their service to us and are contractually prohibited from using it for their own purposes.

    • 7.5 Other disclosures. In addition to the disclosures set out above, we have the right to release personal data without consultation if we believe this is required: to comply with our legal obligations (which can include providing information as required by a court order); to protect the safety and security of our Services, staff, systems, property or any person; to investigate, prevent and minimise the effects of fraud; and otherwise to protect our vital interests or the vital interests of the customer or of others.

  • 8 SECURITY

    • We maintain appropriate technical and organisational measures to protect a customer’s personal data, such as up-to-date antivirus protection, encryption, and disclosing personal data both internally and to our trusted third party service providers only on a ‘need-to-know’ basis. However, no method of transmission over the internet or method of electronic storage is completely secure. We therefore rely on our customers to play their part by maintaining the security of their customer account by keeping their login details and password secure and confidential.

  • 9 INTERNATIONAL TRANSFERS

    • 9.1 Certain features and functionality of the Services require us to transfer to and store personal data of customers with recipients located outside the European Economic Area (EEA), including the USA. If the recipient is in a country that is not deemed by the European Commission to provide an adequate level of protection for personal data, we rely on certain legal mechanisms set out in EU data protection law. For example, we may enter into specific contracts approved by the European Commission with the recipient that contain standard commitments that aim to protect the privacy and security of the personal data that is transferred. Regardless of where customer personal data is processed, we apply the same protections described in this privacy notice. Please contact us if you would like further information on the specific mechanism we use when transferring customer personal data outside the EEA.

  • 10 RETENTION

    • 10.1 If you are a customer we will retain your profile data and information in the customer account (including any medical information), and if you are a provider we will retain your profile data, for as long as it is necessary to fulfil the purpose for which it was collected or as required by applicable laws. Typically, this is until one of the following occurs:

      10.1.1 you delete your account;

      10.1.2 you do not use your account for a period of 180 days; or

      10.1.3 we no longer make the Services available. We will let you know in advance if this is likely to happen;

    • 10.2 If you are a customer, until you delete the information using the in-built functionality of the Services;

    • 10.3 If one of these events occurs, we will arrange for all of the personal data in your account to be deleted within 30 days, unless applicable law requires us to retain a copy.

  • 11 LEGAL RIGHTS

    • 11.1 We will collect, process and store personal data in a manner compatible with applicable law. Data subjects have the following rights under data protection law in relation to our processing of their personal data. The rights are not absolute and are subject to certain exemptions under applicable law:

      11.1.1 request access to their personal data that we control;

      11.1.2 request that their personal data is returned to them or to another controller in a commonly used machine readable format;

      11.1.3 ask us to restrict the processing of their personal data or to correct or delete it (despite a deletion request, we may continue to process their personal data if we have a legal basis to do so);

      11.1.4 if we rely on our legitimate interest to use their personal data, they have a right to object to this use. If they object we will stop processing their personal data if the law requires us to do so, unless we have compelling legitimate grounds to continue processing or where the processing is required for legal reasons;

      11.1.5 if they have previously provided their consent, they have the right to withdraw their consent to our processing of their personal data at any time. We may continue to process their personal data in certain cases after they have withdrawn consent if we have a legal basis to do so or if their withdrawal of consent was limited to certain processing activities;

      11.1.6 complain about how their personal data is being processed or how their complaint has been handled. Our lead supervisory authority is the Irish Data Protection Commission and its website is www.dataprotection.ie.

    • 11.2 A data subject can make these requests by writing to us at [email protected] or alternatively can review, edit and/or delete their information through their account section of the Services.

  • 12 MARKETING

    • You may choose to consent to receive marketing communications from us about the Services. At any time you can choose to stop receiving marketing emails from us by contacting us or clicking the unsubscribe link at the bottom of the email or replying ‘STOP’ to an SMS. Even if you unsubscribe we will still contact you where necessary, for example to send you important service-related information and in respect of bookings you have made.

  • 13 THIRD PARTY SERVICES

    • The Services may contain links to other websites and services, which are managed and controlled by third parties. This Privacy Notice does not apply in those cases and we are not responsible for the privacy practices of such third parties.

  • 14 CHANGES TO THE PRIVACY NOTICE

    • We may update our Privacy Notice from time to time. The latest version of this Privacy Notice is always accessible on our app and website. We will let users know about any significant changes by notifying them through our app or website.

  • 15 CONTACT

    • If we are the controller of your personal data and you have any questions or comments or want to exercise any of your data subject rights, you should write to us at [email protected] or use our online contact form.