Privacy policies | Singularity Health

DATA PROTECTION AND USE POLICY NEEDZAIO

FOR COLOMBIA:

This document responds to the need to comply with the provisions of Statutory Law 1581 of 2012, which dictates general guidelines for the protection of personal data, in development of the constitutional right that all people have to know, update and rectify the information that has been collected from them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution, as well as the right to information enshrined in article 20 Of the same.

Statutory Law 1581 of 2012, also establishes the duties that assist those Responsible for the Processing of personal data, among which stands out the adoption of an internal manual of policies and procedures to guarantee adequate compliance with the law and especially , for the attention of queries and claims, as well as article 13 of Decree 1377 of 2013 that establishes the obligation on the part of those. Responsible for the Treatment to develop their policies for the treatment of personal data and ensure that those in charge of this management give full compliance with them.

AREA OF APPLICATION

The policy established in this document will be applicable in the use of Needzaio developments and must be used for all personal data records that are processed, or created in the development of its missionary purpose. Needzaio is directly responsible for the processing of personal data, attending and implementing the ideal guidelines and procedures for the protection of personal data and their strict confidentiality.

DEFINITIONS For the purposes of applying the rules contained in this document and in accordance with the provisions of Article 3 of Law 1581 of 2012, in accordance with Article 3 of Decree 1377 of 2013, it is understood as:

Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data;

Privacy notice: Verbal or written communication generated by the person in charge, addressed to the owner for the processing of their personal data, by means of which they are informed about the existence of the information treatment policies that will be applicable, the form of access them and the purposes of the treatment that is intended to give personal data;

Database: Organized set of personal data that is subject to treatment;

Personal data: Any information linked to or that may be associated with one or more specific or determinable natural persons;

Public data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data related to the marital status of people, their profession or trade and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly executed judicial decisions that are not subject to reserve;

Sensitive data: Sensitive data is understood to be those that affect the privacy of the owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual orientation and biometric data, among others, the capture of still or moving image, fingerprints, photos, iris, voice, facial or palm recognition, etc.

Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the person responsible for the treatment;

Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data;

Owner: Natural person whose personal data is subject to treatment;

Transfer: The transfer of data takes place when the person in charge and / or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside from the country;

Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person in charge;

Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion;

PROCESSING OF PERSONAL DATA PUBLIC DATA

Treatment will be given without prior authorization from the owner to personal data of a public nature and those contained in public registers, as they are not subject to any reservation.

SENSITIVE DATA

The processing of sensitive personal data will be restricted to what is strictly essential, and will request prior and express consent from the owners, informing about the exclusive purpose of their treatment when:

a) The owner has given their explicit authorization to said treatment, except in those cases that by law the granting of said authorization is not required;

b) The treatment is necessary to safeguard the vital interest of the owner and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;

c) The treatment is carried out in the course of legitimate activities and with the due guarantees of any other type of public or private organization, provided that they refer exclusively to its members or to people who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the owner;

d) The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;

e) The treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the holders must be adopted;

Compliance with the following obligations is guaranteed:

∙ Inform the owner that because it is sensitive data, he is not obliged to authorize its treatment.
∙ Inform the owner explicitly and in advance, in addition to the general authorization requirements for the collection of any type of personal data, the identification of data subject to treatment that are of a sensitive nature and the purpose of the treatment, and obtain consent express.
∙ Do not condition any activity on the owner providing sensitive data (unless there is a legal or contractual reason to do so)

DATA OF CHILDREN, GIRLS AND ADOLESCENTS

The processing of personal data of children and adolescents is prohibited except in the case of data of a public nature, in accordance with the provisions of article 7 of Law 1581 of 2012, and when such treatment complies with the following parameters and requirements : to. That responds and respects the best interests of children and adolescents. b. That the respect of their fundamental rights is ensured. Once the above requirements have been met, the legal representative or guardian of the child or adolescent will grant the authorization prior to the exercise of the minor's right to be heard, an opinion that will be valued taking into account the maturity, autonomy and ability to understand the matter. Any person in charge and manager involved in the processing of the personal data of children and adolescents, must ensure the proper use of them.

TO WHICH PERSONAL DATA THE LAW DOES NOT APPLY

a. To databases or files maintained exclusively for personal or domestic purposes.

b. Those whose purpose is national security and defense, the prevention, detection, monitoring and control of money laundering and the financing of terrorism.

c. Those whose purpose and contain intelligence and counterintelligence information.

d. Those that contain journalistic information and other editorial content.

e. The databases with financial, credit, commercial and service information, and the population and housing censuses.

DATABASE ADMINISTRATION

The management of personal information databases has two basic components, (i) functional administration, exercised by each of the areas that record information, and (ii) technical administration, carried out by officials of the Systems Group.

DATABASE SECURITY, PRIVACY AND PROTECTION MECHANISMS

Backups are stored as a first measure in the Google cloud. The database offers high levels of performance, scalability and convenience; thus providing an infrastructure for applications that execute queries from anywhere. Cloud SQL generates automatic backups that allow you to restore the database from any point in time. Data is automatically encrypted and Cloud SQL is compliant with SSAE 16, ISO 27001, PCI DSS v3.0, and HIPAA standards.

RIGHTS OF THE INFORMATION HOLDERS

a. Access, know, update and rectify the personal data that rest in their databases.

b. Request proof of the existence of the authorization granted by the owner for data processing, except for the exceptions of the law.

c. Receive information from the institution, upon request, regarding the use given to your personal data.

d. Modify and revoke the authorization and / or request the deletion of personal data, when in the Treatment the principles, rights and constitutional and legal guarantees in force are not respected.

e. Anonymization of the data that is required for processing and use, with prior authorization.

OF THE RIGHT OF ACCESS TO INFORMATION

The right of access to information is guaranteed, only to the holders of private personal data and their successors in title, after accreditation of such quality, legitimacy, or personality of their representative, making them available, without cost or any expense, in a manner Detailed and detailed, the respective personal data processed, through any means of communication, including electronic ones that allow direct access to the owner.

Said access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013, the owners of personal data or their successors in title may consult their data free of charge once a month or when substantial changes are presented in the treatment policies. ; in all other cases, the owner or his successors in title must pay the reproduction and shipping costs.

OF THE RIGHT OF CONSULTATION OF THE INFORMATION

The holders of personal data may consult the personal information that resides in any registry database. Consequently, the right to consult exclusively on private, sensitive personal data and those of minors is guaranteed, supplying the owners with the information contained in the databases and that are under the control of this. For the attention of requests for consultation of personal data, It is guaranteed:

a. Enable electronic means of communication or others that it considers pertinent and safe;

b. Establish forms, systems and other methods that will be reported in the privacy notice;

c. Use the customer service or claims services that are in operation.

OF THE RIGHT TO CLAIM

The owner of the personal data who considers that the information contained in a database should be subject to correction, updating or deletion, or when he or she notices the alleged breach of any of the duties contained in the law.

OF THE RIGHT TO RECTIFICATION AND UPDATING OF DATA

Needzaio can rectify and update at the request of the owner, his successor in title or his representative, the personal information, which is incomplete or inaccurate, in accordance with the procedure and the terms indicated above. In this regard, the following will be taken into account:

a. In requests for rectification and updating of personal data, the owner or his representative must indicate the corrections to be made and provide the documentation that supports his request.

b. Needzaio, has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the owner of the personal data. Consequently, electronic or other means that are considered pertinent and safe may be enabled.

c. Needzaio, may establish forms, formats, systems and other methods, which will be informed in the privacy notice and which will be made available to interested parties on the website.

OF THE RIGHT TO DELETE DATA

The owner of personal data, to request the deletion (elimination) of their personal data, for which the following assumptions will be taken into account:

a. That they are not being treated in accordance with the principles, duties and obligations provided for in the current regulations on Protection of Personal Data.

b. That they are no longer necessary or relevant for the purpose for which they were collected.

c. That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded. This deletion implies the elimination or safe deletion, total or partial, of the personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out.

The right to erasure is not an absolute right, Needzaio, as the person responsible for the processing of personal data, can deny or limit the exercise of the same when:

a. The owner of the data has a legal or contractual duty to remain in the database.

b. The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c. The data is necessary to protect the legally protected interests of the owner, to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

d. The data is data of a public nature and corresponds to public records, which are intended to be publicized.

OF THE RIGHT TO REVOKE THE AUTHORIZATION

Any owner of personal data that corresponds to natural persons, can revoke at any time, the consent to the treatment of these, as long as it is not prevented by a legal or contractual provision. In the cases where the revocation of the authorization is possible, it will be attended under the following two modalities:

a. Total: On all consented purposes, that is, that Needzaio must completely stop processing the data of the personal data holder.

b. Partial: On certain consented purposes. In this case, Needzaio must partially suspend the processing of the owners data. Other purposes of the treatment are then maintained that the person in charge, in accordance with the authorization granted, can carry out and with which the owner agrees. The right of revocation is not an absolute right and Needzaio, as the person responsible for the processing of personal data, may deny or limit its exercise when:

a. The owner of the data has a legal or contractual duty to remain in the database.

b. The revocation of the authorization of the treatment hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c. The data is necessary to protect the legally protected interests of the owner, to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

d. The data is data of a public nature and corresponds to public records, which are intended to be publicized.

DUTIES WITH THE PROCESSING OF PERSONAL DATA

Needzaio is aware that personal data are the property of the people to whom they refer and only they can decide on them.

Likewise, said data will be used only for the purposes for which it is duly empowered and respecting, in
any case, namely:

OF THOSE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Those responsible for the processing of personal data, in charge of the management of databases and / or data processing, must:

a. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data;

b. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the owner;

c. Properly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted;

d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

e. Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable;

F. Update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it is kept up-to-date;

g. Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment;

h. Provide the person in charge of the treatment, as the case may be, only data whose treatment is previously authorized in accordance with the provisions of the law;

i. Require the person in charge of the treatment, at all times, to respect the security and privacy conditions of the owners information;

j. Process inquiries and claims formulated in the terms indicated in the law;

k. Inform the person in charge of the treatment when certain information is under discussion by the owner, once the claim has been submitted and the respective process has not been completed;

l. Inform at the request of the owner about the use given to their data;

m. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the holders;

n. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

OF THOSE IN CHARGE OF THE TREATMENT

Those in charge of the processing of personal data on behalf of the person responsible for the treatment, must:

a. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data;

b. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

c. Timely update, rectify or delete the data in accordance with the law;

d. Update the information reported by those responsible for the treatment within five (5) business days from its receipt;

e. Process the queries and claims made by the owners in the terms indicated in the law;

F. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims by the owners;

g. Register in the database the legend "claim in process" in the manner in which it is regulated by law;

h. Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce;

i. Allow access to information only to people who can have access to it.

DUTY OF SECRET AND CONFIDENTIALITY

Any person who intervenes in any phase of the processing of private, sensitive or minor personal data is guaranteed and required professional secrecy, with respect to them and the duty to keep them, obligations that will subsist even after the end of their relationship. working with Needzaio.

INFORMATION PROCESSING

GENERAL INFORMATION ABOUT THE AUTHORIZATION

Authorization for the processing of personal data will be requested in advance by any means that allows it to be used as evidence. Depending on the case, said authorization may be part of a larger document such as a contract, or a specific document (format, form, other, etc.). In the case of private personal data corresponding to natural persons, the description of the purpose of the data processing will be reported through the same specific or attached document. Needzaio will inform the owner of the data the following:

a. The treatment to which your personal data will be subjected and the specific purpose thereof.

b. The rights that assist you as the owner.

c. The website, email, and other communication channels through which you can make inquiries and / or complaints to the person in charge or in charge of the treatment.

d. The optional nature of the answer to the questions that are asked, when these relate to sensitive data or the data of girls, boys and adolescents.

Cases in which the authorization of the holder is not required

The authorization of the owner will not be necessary when it comes to:

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.

b. Data of a public nature.

c. Cases of medical or health emergency.

d. Treatment of information authorized by law for historical, statistical or scientific purposes.

e. Data related to the civil registration of people.

PROCEDURE FOR OWNERS TO EXERCISE THEIR RIGHTS GENERALITIES

a. Any query or claim regarding the inherent rights of the holders over personal data must be made through the single request format (web page).

b. The rights of access, updating, rectification, deletion and revocation of the authorization of personal data are very personal and may only be exercised by the owner. However, the owner may act through a proxy when he or she is in a situation of disability or minority of age, facts that make it impossible for him to exercise them personally, in which case it will be necessary for the attorney to prove such condition.

c. No value or fee will be required for the exercise of the rights of access, updating, rectification, deletion or revocation of the authorization in the case of personal data of natural persons.

d. In order to facilitate the exercise of these rights, Needzaio will make available to the interested parties, electronic formats suitable for this purpose.

PROCEDURES

Queries

Requirements for the attention of Queries.

If the consultation is in writing: An electronic communication must be sent, it must contain at least the request, a photocopy of the identification document, contact address (physical or electronic) and telephone number for notification purposes; for the representative or attorney-in-fact of the owner, authenticated document proving the representation, if applicable.

Terms for the attention of inquiries. Regardless of the mechanism that is implemented for the attention of consultation requests, these will be attended in accordance with the provisions of article 14 of Law 1581 of 2012, within a maximum term of ten (10) business days from the date of your receipt. In the event that a request for consultation cannot be answered within the aforementioned term, the interested party will be informed before the expiration of the term of the reasons for which no response has been given to their query, which in no case may exceed the seven (7) business days following the expiration of the first term.

Claims

The owner who considers that the information contained in a Needzaio database should be subject to some correction, update or deletion or when he / she notices the alleged breach of any of the duties contained in the regulations on the protection of personal data, may file a claim before the person responsible for the treatment. The claim may be submitted by the owner taking into account the information indicated in article 15 of Law 1581 of 2012 and the following general budgets:

Incomplete claim: if the analysis the claim is considered incomplete, Needzaio will immediately require the holder to correct the faults or errors within seven (7) business days following receipt of the claim.

Withdrawal: the claim that does not meet the request (derived from the incomplete claim) from Needzaio within two (2) months from the date of the request is considered abandoned.

Incompetence: in the absence of Needzaio competence to resolve the claim, it will be sent to the corresponding public or private authority within a maximum period of seven (7) business days and the interested party will be informed of the procedure given.

Registration: received the complete claim, it will be registered in the database with the notice "claim in process" and the reason for it will be indicated, the term for registration may not exceed five (5) business days from receipt , the notice will remain until the claim is resolved.

Term to resolve: the term to resolve the claim is fifteen (15) business days from the day following the date of receipt.
Exception: when it is not possible to address the claim within the initial term, Needzaio will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, in no case the term to answer the claim may exceed eight (8) days business following the expiration of the first term. Likewise, the owner of the information can exercise these rights at any time, after complying with the requirements established for this by Needzaio. In this regard, the following will be taken into account:

a. In requests for rectification and updating of personal data, the owner or his representative must indicate the corrections to be made and provide the documentation that supports his request.

b. Needzaio, has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the owner of the data. Consequently, electronic or other means that Needzaio deems pertinent may be enabled.

c. Needzaio, may establish forms, systems and other methods, which will be informed in the privacy notice and which will be made available to interested parties on the website.

d. When the request is made by a person other than the owner and it is not proven that it is acting in legitimate representation, it will be taken as not presented.

The owner of personal data has the right, at all times, to request Needzaio, the deletion (deletion) of their personal data when:

a. Consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.

b. They are no longer necessary or relevant for the purpose for which they were collected.

c. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the total or partial elimination of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out.

Requirements for the attention of claims, rectifications, updating or deletion of data.

a. The claim will be formulated using the unique request form found on the website https://www.zaia.health/ with a clear and detailed description of the facts that give rise to the claim a photocopy of the identification document must be attached , indicate contact address (electronic) and telephone for notification purposes; for the representative of the owner, authenticated document that proves the representation, if it is the case.

b. The person interested in exercising this right must, in any case, use a means that allows proof of sending and receiving the request.

Terms for the attention of Claims.

The maximum term to attend it will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first finished.

Revoke Authorization

Any owner of personal data can revoke, at any time, the consent to the processing of these as long as it is not prevented by a constitutional, legal or contractual provision. For this, Needzaio must establish simple and free mechanisms that allow the holder to revoke his consent, at least by the same means by which he granted it. It should be taken into account that there are two modes in which the revocation of consent can occur:

The first may be for all the consented purposes, that is, that Needzaio must completely stop processing the data of the owner.

The second can occur on specific types of treatment, such as for advertising purposes, campaigns, courses, among others. With the second modality, that is, the partial revocation of consent, other purposes of the treatment that the person in charge, in accordance with the authorization granted, can carry out and with which the owner agrees are kept safe.

Requirements for the attention of revocation of authorizations.

a. Electronic communication must contain at least the application date, a photocopy of the identification document, contact address (physical or electronic) and telephone number for notification purposes; for the representative of the owner, authenticated document that proves the representation, if it is the case.

b. The person interested in exercising this right must, in any case, use a means that allows proof of sending and receiving the request.

Terms for the attention of Revocations.

SECURITY OF THE INFORMATION

SECURITY MEASURES

In development of the security principle established in Law 1581 of 2012, Needzaio will adopt the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

IMPLEMENTATION OF SECURITY MEASURES

Needzaio will maintain mandatory security protocols for personnel with access to personal data and the information system. The procedure must consider, as a minimum, the following aspects:

a. Training of Needzaio staff on the personal data treatment policy and the security mechanisms and protocols for the treatment of these.

b. Scope of the procedure with detailed specification of the protected resources.

c. Functions and obligations of the personnel.

d. Structure of the personal databases and description of the information system that treat them. and. Notification, management and response procedure for incidents.

F. Procedures for making backup copies and data recovery.

g. Periodic controls that must be carried out to verify compliance with the provisions of the security procedure that is implemented.

h. Measures to be taken when a support or document is transported, discarded or reused.

i. The procedure must be kept up to date at all times and must be reviewed whenever relevant changes occur in the information system or in its organization.

j. The content of the procedure must be adapted at all times to the current provisions on the security of
personal data.

FOR CANADA:

Questions about ZAIA?

Privacy policies

Unique request format