Privacy policy

1. Identity and contact details of the data controller

This privacy policy applies to all personal data processed by CROSSuite BV, with its registered office at 2600 Antwerp, Uitbreidingstraat 390, bus 4, with company number 0893.863.413, which is the data controller of this website (hereafter referred to as “data controller”).

The data controller highly values your privacy and therefore processes your personal data in accordance with the European Regulation 2016/679 of April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereafter “GDPR”) as well as any future or additional legislation implementing it, as applicable.

For further questions or comments regarding how we handle your personal data, you can contact us via email at dpo@crossuite.com or by post to the aforementioned address.

2. What does "processing personal data" mean?

Processing personal data involves any processing of data that can identify you as an individual. The concept of ‘processing’ is very broad and includes collecting, storing, using, and sharing your data with third parties.

3. What data do we process?

The data we process depends on your interaction with us, your preferences, and how you contact us. For our main activity as a provider of the HELD web and mobile application, we may process the following data:

3.1. Patient Data

    • Identification details (surname, first name, address, SSN, date of birth, …).
    • Contact information (address, email, phone).
    • Account information (login, username, password, …).
    • Information about healthcare providers with whom you are connected and who have access to your personal data in the HELD application.
    • Medical records.
    • Health data and information about your medical records.
    • Insurance information.
    • Feedback, reviews, testimonials and promotional content such as photos and videos.
    • Contact history (e.g. email messages, messages sent through web forms, …). 
    • IP address, browser type, location data, how the individual arrived at the website (via strictly necessary and analytical cookies).


3.2. Patient’s mandate holder

    • Identification details (surname, first name, address, date of birth, …).
    • General contact information (address, email, phone).

4. On what grounds and for what purposes do we process your data?

We process your data for the purposes described below and do not collect or process more data, or other types of data, than are necessary for those purposes.

We process your data only on the basis of one of the processing grounds listed in the GDPR, as shown below.

Legal obligation

Certain data are processed by us to fulfill legal or regulatory obligations incumbent upon us. For example, in the context of tax and accounting obligations, in the area of patient rights or data protection.

Necessary for the execution of the agreement

Certain data are processed by us because it is necessary for entering into, executing or terminating an agreement with you as a data subject. For example, to allow you as a user to use the functionalities of our application HELD and to communicate smoothly with your healthcare provider.

Legitimate interest

Certain data are processed by us based on our legitimate interest which in specific cases outweighs any potential harm to your rights. For example, for promoting our activities to business contacts; improving the quality of our services; training employees and evaluating and maintaining data and statistics related to our activities, in the broad sense; preserving and using evidence in the context of liability, litigation or disputes and for the purpose of archiving activities; and ensuring security, both online on this website and on our premises.

Consent

Certain data are processed by us based on your consent. For example, for processing special categories of personal data such as health data.

5. Origin of data

We obtain most of the data we process from you directly. Within the scope of our services, we may also obtain data from you through external service providers or public sources.

6. With whom do we share your data?

We do not disclose your data to third parties, except when strictly necessary for the above-mentioned purposes, or if we are required to do so by law.

Where necessary, we use external service providers (processors) to support our operational purposes such as the management of our websites and IT systems. Where appropriate, these external service providers carry out certain data processing operations on our behalf. We will only share your data with these external service providers to the extent necessary for the relevant purpose. The data may not be used by them for other purposes. Furthermore, these service providers are contractually bound to ensure the confidentiality of your data by means of a “processing agreement” concluded with these parties.  

Specifically, to the extent relevant in your situation, we share your data with the following third parties for the following purposes, with these third parties acting as processors on our behalf in certain cases:

  • Processors who assist us in the IT field in the provision of our application HELD and the secure storage of data entered through HELD; 
  • Government bodies, judicial authorities and practitioners of regulated professions such as accountants and lawyers, for the purpose of complying with our legal obligations and defending our interests, as required.

7. How long do we store your data?

We do not retain your data longer than necessary for the purpose for which the data was collected or is processed. Since the period for which the data can be kept depends on the purposes for which the data was collected, the storage period may vary in each situation. Sometimes specific legislation will require us to keep the data for a certain period of time. Our retention periods are always based on legal requirements and a balancing of your rights and expectations with what is useful and necessary to fulfill the purposes. At the end of the retention period, your data will be deleted or anonymized.

8. Where do we store your data and how is it protected?

We provide appropriate technical and organizational security measures to prevent the destruction, loss, falsification, alteration, unauthorized access or unauthorized disclosure to third parties as well as any other unauthorized processing of this data within the scope of our activities. 

In addition, we take care to ensure that the processors we use also implement appropriate security measures to minimize the risk of incidents.

If, when using specific services or software tools, your data are processed outside the European Economic Area (EEA), this will only be done in/to countries that have been confirmed by the European Commission to ensure an adequate level of protection of your data, or measures will be taken to ensure the lawful processing of your data in these third countries.

9. What are your rights?

You have various rights in relation to the data we process about you. If you wish to exercise any of the rights set out below, please contact our GDPR responsible officer using the contact details included under the first title of this Privacy Policy.

  • Right of access and copy

    You have the right to inspect your data and obtain a copy thereof. This right also includes the possibility of requesting further information regarding the processing of your data, including the categories of data processed about you and for what purposes.

  • Right of adaptation or rectification

    You have the right to have your data amended if you believe that we have incorrect data.

  • Right of data erasure (right to oblivion)

    You have the right to request that we delete your data without unreasonable delay. However, we will not always be able to comply with such a request, inter alia when we still need the data for an ongoing contract, or when keeping certain of your data for a certain period of time is required by law.

  • Right to restriction of processing

    You have the right to restrict the processing of your data. In this way, the processing is temporarily stopped until, for example, there is certainty about its accuracy.

  • Right to withdraw your consent

    Where processing is based on your consent, you have the right to withdraw this consent at any time by contacting us. For marketing messages you receive from us via email based on your consent, you can easily withdraw this consent by clicking on the unsubscribe link at the bottom of such message.

  • Right of objection

    You have the right to object to the processing of your data based on legitimate interest. This should be based on reasons specific to your situation. You may also object to the use of your data for direct marketing purposes. For marketing messages by e-mail, an opt-out will always be provided.

  • Right to portability

    You have the right to obtain in electronic form the data you have provided to us with your consent or in execution of a contract. In this way, they can be easily transferred to another organization. You also have the right to request us to transfer your data directly to another organization, if this is technically possible.

  • Right to complain to your supervisory authority

    Should you believe that we are processing your data in an incorrect manner, you always have the right to lodge a complaint with your data protection supervisory authority. 

Belgian Data Protection Authority (GBA)
Press Street 35
1000 Brussels
contact@apd-gba.be

10. How can you exercise your rights?

You may exercise your rights by contacting us, either by e-mail to dpo@crossuite.com or by mail to 2600 Antwerp, Uitbreidingstraat 390 bus 4, provided you enclose a copy of the front of your identity card or other document by which you can be identified. The copy will only be used to identify you in accordance with the GDPR.

11. Changes

We reserve the right to modify this privacy statement. The most recent version will be available on our websites at all times. The date this privacy statement was last modified can be found at the top. In the event of a substantial change to the privacy statement, we will inform those affected by it directly, if possible.