- You are a patient being treated by a medical practitioner or hospital which makes use of our care pathways to follow up on you as a patient (a Patient);
- You are a (healthcare) professional working for or with a medical practitioner or hospital which makes use of the Platform, or you may otherwise be involved in the treatment of a Patient and have received access to the Platform in that capacity (a Healthcare Professional);
- You are just visiting our website or you contact us otherwise because you are interested in what we do or in our services (an Interested Party).
Who are we?
We are AWELL HEALTH BV, a Belgian company with registered office at 1180 Brussels (Belgium), Alsembergsesteenweg 837, and business registration no. BE0696819789. We specialize in care pathways. We run a website www.awellhealth.com and we have developed software applications called Awell Care for Healthcare professionals and Awell Mycare for patients. Both can be accessed online and are referred to in this document as the Platform. We care about your privacy and have taken various measures to ensure that your personal data is kept confidential. All of your personal data is stored on a secure server within the European Economic Area.
What information do we collect and in which capacity?
If you are a Patient or Healthcare Professional, we process your personal data as a processor at the instruction of a data controller (the medical practitioner or hospital who contracted with us for the use of care pathways in the Platform). If you are an Interested Party, we collect and process your data in our own right and we act as a data controller. Personal data we may collect and/or process includes data such as your name, contact details, information included in the care pathways and other information included in the Platform, such as information about your use of the Platform.
Who has access to your data?
What are your rights?
You have certain rights in relation to your personal data, such as the right to modify or erase your data or to withdraw your consent if processing is based on consent.
- You may be a patient being treated by a medical practitioner or hospital which makes use of care pathways on the Platform to follow up on you as a patient (a Patient). A Patient always makes use of the Platform through or at the request of a medical practitioner or hospital. It is the medical practitioner or hospital who acts as the data controller of the Patient’s Personal Data (the Data Controller). Awell acts as a data processor for Patient Personal Data at the request of the Data Controller.
- You may be a (healthcare) professional working for or with a Data Controller which makes use of the Platform, or you may otherwise be involved in the treatment of a Patient and have received access to the Platform in that capacity (a Healthcare Professional).
- You may just visit our website or contact us or otherwise be in touch with us because you are interested in what we do, for example because you are considering entering into a contract with us or because you are applying for a job at Awell (an Interested Party). If you are a medical practitioner or hospital who subsequently enters into a contract with us in relation to the use of our Platform, you then become a Data Controller.
Personal Data processed
In this section you find more information about what types of Personal Data we process, why we process such Personal Data (purpose), on what legal basis we process such Personal Data, and how long we hold on to such Personal Data (retention period):
When you use the Platform
- user account data (e.g., email, name, gender, language, etc.);
- data entered by you in the Platform’s chats or contact forms;
- data sent to us by email or provided to us otherwise;
- data about the care pathway activated using the Platform (e.g. start, next steps, contextual information, progresses, etc.);
- data concerning a Patient’s health and other clinical data required by clinical team members to follow up on the Patient (e.g., reported outcomes, symptoms, measurements made at home, etc.);
- data generated by the Platform about a Patient’s care pathway (e.g., reminders, alerts, etc.);
- data captured on your behavior in the Platform (e.g., time to complete steps, access to data or sections of the Platform, etc.);
- browsing data (e.g. IP addresses or domain names of the devices used by you to connect to the Platform; the URI (Uniform Resource Identifier) of requested resources; the time of the request; the method used to submit the request to the server; the size of the file received as a reply; the numeric code indicating the status of the reply given by the server (successful, error, etc.); other parameters regarding your operating system and device environment).
This data may be voluntarily provided by you on the Platform or may be automatically captured through the Platform. This data may also be entered into the Platform or provided to us by a third party in the following instances:
- If you are a Patient, your Personal Data may be entered into the Platform by the Healthcare Professional(s) or other third parties who you or the Data Controller have authorized to do so. Healthcare Professional(s) or third parties may only access your Personal Data in accordance with the applicable privacy regulations and the regulations which specifically apply to the access of medical files, and must always ensure that you agree with such Personal Data being entered into the Platform.
- If you are a Healthcare Professional, your Personal Data may be entered into the Platform or provided to us by your employer who is the Data Controller (e.g. your (professional) e-mail account and/or user account details). The Data Controller must always ensure it has a legal basis for providing us with your Personal Data.
When you contract with Awell
If you enter into a contract with us as a Data Controller or otherwise (e.g. as a supplier), we will collect and process certain Personal Data about you, such as:
- your contact details (name, address, e-mail address, telephone number);
- your account number and other financial information;
- other information provided by you that may be relevant in the context of the execution of the contract.
In relation to this data, we act as a data controller. The processing of this Personal Data is necessary for the performance of our mutual contractual obligations. We will process this Personal Data for the duration of our contract with you, and for a period of maximum  years thereafter (since we may need to hold on to some of this Personal Data for administrative purposes and since we may need some of this Personal Data to defend our interests should the need arise).
Please note that if you provide us with Personal Data of Patients, employees or other third parties, you must ensure that you comply with all applicable privacy regulations in doing so, that you have a legal basis for doing so, and that the data subjects are sufficiently informed about you providing this information to us.
When you contact us
If you contact us (for example by e-mail, telephone or through the chatbot on our website), we may also collect and process certain Personal Data about you, such as, most likely, your contact details and browser information, or other information you may provide us with. By contacting us, you consent to us processing this information for the purpose of contacting you back and answering any question you may have. We will continue to process this information until you withdraw your consent, or for a maximum of  years.
For marketing purposes
Awell will never use Patient Personal Data for marketing purposes.
If you have (previously) entered into a contract with us or if you have shown an interest in our Platform or related services by subscribing to our newsletter or otherwise, we may use your contact details for direct marketing purposes. In relation to this data, we act as a data controller.
This processing will either be based on your consent (for example, if you have subscribed to our newsletter or have asked to receive certain information) or on our legitimate interest to do so (for example, if you have previously contacted us to ask for a fee quote and we think you may be interested in an offer we have).
You can always unsubscribe from our newsletter by clicking the unsubscribe link which is included at the bottom of each e-mail, or you can let us know that you object to us further using your Personal Data for marketing purposes in which case we will no longer contact you for marketing purposes.
Evaluating and improving the Platform
We may analyze Personal Data for the purpose of evaluating the operation of the Platform and for the purpose of improving the Platform. Personal Data which may be analyzed for these purposes includes for example the overall number of forms or messages sent through the Platform. If we analyze Personal Data for these purposes, we act as a data controller, and the processing of such data will be based on our legitimate business interest. We will never communicate the results of such analysis to third parties unless any Personal Data used for the purpose of such analysis has been aggregated and/or anonymized completely. We will never analyze Personal Data relating to a Patient’s health for our own purposes.
When you (want to) work for us
If you apply for a position with us, you will probably provide us with Personal Data in your cover letter and your CV (e.g. your name, contact details, grades, which schools you went to, previous jobs, etc.). In relation to this data, we act as a data controller. We will save the contact details, cover letter and CV of every job applicant in our candidate database for a period of  years after you first applied, and may contact you during that time regarding any job opening that may be of interest to you, unless you let us know earlier that you want us to delete this data. We act as a data controller for this information and process this information based on your consent and/or our legitimate interest. If you only want us to contact you with regard to a specific job opening and you do not want us to keep your Personal Data in our database afterwards, you can also let us know when applying for the position. In that case, we will only hold on to your Personal Data for as long as the selection procedure for that specific position is ongoing.
Evidently, if you start working for us at some point, we will also process certain Personal Data about you. You will get more information (through our HR policy or otherwise) about what information we process about you as an employee and about how we expect you to deal with the Personal Data of others when you start to work for us.
Cookies and similar technologies
We use appropriate measures to protect the security of your Personal Data. These measures vary based on the sensitivity of the information that we collect, process and store and the current state of technology. Please note that no service is completely secure. So, while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur. Please note that you are responsible for choosing a strong password for access to the Platform and that you must ensure that you don’t share your password with anyone else. Please note that if you allow third parties (e.g. a caretaker) to access your Personal Data in the Platform, you do so at your own responsibility.
Notwithstanding the preceding, we operate with the aim of mitigating the risks associated with processing your Personal Data through several measures, including the following.
We only ever obtain, retain, process and share Personal Data that is essential to carry out our services and legal obligations: only that which is relevant and necessary is collected. In particular, by way of example, our electronic collections (i.e., via the Platform, etc.), have only fields that are relevant to the purpose of collection and subsequent processing, while the physical collection (i.e., face-to-face contacts, phone calls, etc.) is supported using scripts and internal forms using predefined fields.
Whenever possible, we utilize pseudonymisation to record and store Personal Data in a way that ensures that such data can no longer be attributed to a specific data subject without the use of separate additional information (i.e., personal identifiers) which are protected with encryption and other technical and operational measures of risk reduction and data protection.
Your data is encrypted “at rest” (in the database) and “in transit” (between your device and our servers).
Although we use encryption (i.e., using a secret key to make Personal Data indecipherable unless decryption of the dataset is carried out using such assigned key) as a form of pseudonymisation, we also utilize it as a secondary risk prevention measure for securing the Personal Data that we process. In particular, we utilize encryption via secret key for transferring Personal Data and/or a special category of information to any external party and provide the secret key in a separate format.
We use company-wide methods for restricting access, built into the foundation of our processes, systems and structure, in order to ensure that only those with authorization and/or a relevant purpose have access to Personal Data. In particular in relation to Patient Personal Data, which will often be medical data which is considered sensitive data under the applicable privacy regulations, access is restricted at all levels and only authorized Awell staff (on a need-to-know basis), Healthcare Professionals and third parties explicitly authorized by you have access to such data.
No hard copy data.
We never store any Personal Data in hard copy format.
Recipients of Your Personal Data
Healthcare Professionals and third parties authorized by you
Healthcare Professionals involved in your care (or, exceptionally, in case of a medical emergency) will have access to your Personal Data and must comply with applicable privacy regulations and the regulations which apply to the access to medical files at all times. You may also authorize other third parties (e.g. a caretaker) to access your Personal Data. You can withdraw such authorization at any time.
Third-party service providers
We may share your Personal Data with third-party service providers who need access to such data to perform their work on our behalf (e.g., sharing data with our storage provider for the purposes of storing your data on our behalf) (the (Sub-)Processors). These (Sub-)Processors are limited to only accessing or using this data to provide services to us and must provide reasonable assurances that they will appropriately safeguard the data. In particular, we use information audits to identify, categorize and record all Personal Data that is processed outside our company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing includes (but is not limited to):
- IT Systems and Services
- Communication Services
- Email Services
- Project Management Tools
- Customer Relations Management
- Support Tools
We may at times share your Personal Data with our trusted advisors, such as our accountant or our lawyer, or with other consultants who render services to us. If we do so, we will make sure they are bound by a confidentiality obligation and by a data processing agreement if they are processing Personal Data on our behalf.
Aggregated or de-identified data
We might share data with third parties if that data has been de-identified or aggregated in a way that does not directly identify you.
Exceptionally, we may also disclose your Personal Data to a third party for the following reasons:
- if such disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request (including to meet national security or law enforcement requirements). If we are required by law to disclose any of your Personal Data, then we will use reasonable efforts to provide you with notice of that disclosure requirement, unless we are prohibited from doing so by statute, subpoena or court or administrative order. Further, we object to requests that we do not believe were issued properly;
- to enforce our contracts and policies;
- to protect the security or integrity of our services and products;
- to protect ourselves, our other customers, or the public from harm or illegal activities;
- to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury;
- in the context of the sale of all or part of the shares or assets of Awell, including the sale of the Platform, to a third party. In such an instance, any third parties involved in the (proposed) transaction, will be bound by a strict obligation of confidentiality.
Location of processing
All Personal Data will be processed in the European Economic Area (EEA) only. If a transfer of any such Personal Data out of the EEA is necessary to achieve the purposes mentioned in this policy, we will obtain your prior consent, after having informed you about any appropriate or suitable safeguard implemented by us or about the existence of an adequacy decision by the European Commission.
Regardless of the capacity in which you make use of our services or Platform, you always have the rights listed below. If you are a Patient or Healthcare Provider whose Personal Data we process at the request of a Data Controller, please note that if you contact us regarding any of these rights, we will notify the Data Controller of your request and we will deal with your request in accordance with the Data Controller’s instructions.
Right of access.
You are always entitled to receive confirmation as to whether or not your Personal Data is being processed and, where that is the case, access and receive a copy of such Personal Data in an intelligible form. Furthermore, you are also entitled to receive information concerning: the purposes of the processing; the categories of Personal Data concerned; the recipients (or categories thereof) to whom the Personal Data have been or will be disclosed; where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from us rectification or erasure of personal data or restriction of processing of your Personal Data or to object to such processing; the right to lodge a complaint with a supervisory authority; the source of the Personal Data; the existence of automated decision-making; where Personal Data are transferred to a third country or to an international organization, the appropriate safeguards relating to the transfer.
Right to withdraw consent.
You are always entitled to withdraw, at any time, your consent to the processing of your Personal Data, both on legitimate grounds (even though they are relevant to the purpose of the collection) and if the processing is carried out for direct marketing purposes. The preceding will not affect the lawfulness of processing based on consent before the withdrawal.
Right to rectification, erasure and restriction.
Right to data portability.
You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from us, where technically feasible.
Right to lodge a complaint.
In any case, you have the right to lodge a complaint with the relevant supervisory authority if you believe that there is an issue with the way we deal with your Personal Data. For Belgium, the relevant supervisory authority is the Belgian Data Protection Commission (Gegevensbeschermingsautoriteit / Autorité de protection des données), based at Rue de la Presse 35, 1000 Brussels (Belgium). The Belgian Data Protection Commission can be reached on the following telephone number: +32 (0)2 274 48 00 and on the following e-mail address: email@example.com.
Exercising your rights
You can contact us through any available means to exercise your rights, but we prefer that you send us an e-mail to the following address: firstname.lastname@example.org. As highlighted above, if you are a Patient or Healthcare Provider whose Personal Data we process at the request of a Data Controller, please note that if you contact us regarding any of these rights, we will notify the Data Controller of your request and we will deal with your request in accordance with the Data Controller’s instructions. You can also contact the Data Controller directly in relation to your request.
What we do when we receive a privacy-related request from you
Any privacy-related request is passed to our Data Protection Officer as soon as it is received, and a record of the request is noted. The following steps will be put in place:
- Identification: we will use all reasonable measures to verify the identity of the individual making the request, especially where the request is made using online services. In particular, where we are unable to verify the data subject's identity from the information in the request, we may contact the individual making the request to provide evidence of his/her identity prior to actioning any request. If a third party, relative or representative is requesting information or is asking us to take certain steps on behalf of a Patient, we will verify their authority to act on behalf of the Patient and may contact the Patient to confirm their identity and authorization prior to acting on the request.
- Responding to your request: We will respond to your request within one month; however, where the retrieval or provision of information is particularly complex or is subject to a valid delay, this period may be extended by two further months. If this is the case, we will write to you within one month and keep you informed of the delay in responding to your request and the reasons for such delay. If we need more information from you to be able to respond to your request, we will let you know. The information requested will be sent to you in writing or, where the request is made by electronic means, we will provide the information in a commonly used electronic format, unless an alternative format is requested.