As a general rule, our customers are the primary data controllers, and our responsibility is to protect the confidentiality, integrity and accessibility of personal data that is consumed and processed on their behalf.
We also have responsibilities that result from interactions with our website (Website Data) and from personal details that users choose to provide, either via the website or the app, on a strictly opt-in basis, in order for Alertive to communicate with them (Personal Details).
For the purposes of the Data Protection Act 1998, the data controller is Alertive Ltd of The Old Vicarage, 51 St John Street, Ashbourne, Derbyshire, DE6 1GP. Alertive is committed to protecting your privacy and developing technology that delivers a robust and safe experience.
3. RELEVANT DATA
There are three categories of Relevant Data:
- 3.1 The personal data that is collected and shared within our applications, on behalf of our customers – Custodian Data – includes the following:
  - User first and last names
  - Telephone numbers
  - Job titles
  - Data in messages that has the potential to contain personal information about individuals, patients or others
  - Attachments in the form of images and audio files, which may contain personal data
- 3.2 Users can elect to provide Personal Details either via the website or via the App, in order to enable Alertive to communicate with them directly, with their express consent:
  - Email address
  - Telephone number
- 3.3 We also collect some anonymous demographic information from website visitors, including IP addresses, browser types, domain names, access times and referring Web site addresses (Website Data).
4. TREATMENT OF CUSTODIAN DATA
Alertive Custodian Data flows bi-directionally between mobile and desktop applications and our Server, and is securely stored within both the Server database and the app’s local storage on the client’s device.
Information that is stored securely across the platform:
- Password (Secured by Microsoft Active Directory)
- User First Name (if configured in Microsoft Active Directory)
- User Last Name (if configured in Microsoft Active Directory)
- Telephone Number (if configured in Microsoft Active Directory)
- Job Title (if configured in Microsoft Active Directory)
- Message Content (This can be predefined or free text, and has the potential for containing personal or sensitive information)
- Message Timestamps
- Image Attachments
- Audio Attachments
5. TREATMENT OF PERSONAL AND WEBSITE DATA
We only store cookies with the user’s prior consent; these cookies store session data used for functional and analytical purposes and none of this data can be used to identify any individual.
Data provided by the user to register their interest in our product and services, or to request a demo, is stored in a database on the website. This database contains only data provided by the user, and it is not shared with anyone.
6. USE OF PERSONAL DETAILS
Alertive may use Personal Details for the purposes of providing services to users or carrying out internal functions. This may include, but is not limited to, performing statistical analysis, sending emails, providing customer support or arranging deliveries. Alertive may also use Personal Details to inform users of other products or services available from Alertive or its partners. Alertive may contact users via surveys to conduct research about opinions on current services or about new potential services that may be offered. Alertive does not sell, rent or lease its customer lists to third parties, nor use or disclose sensitive personal information.
All such third parties are prohibited from using personal information except to provide these services to Alertive, and they are required to maintain the confidentiality of your information.
Alertive may also use Personal Details:
- in connection with any sale of Alertive or all or a substantial part of its assets,
- in order to comply with any legal obligations,
- in order to protect the rights, property or safety of Alertive, its customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
7. USE OF WEBSITE DATA
Alertive collects and uses non-personal information to operate the Alertive website. Alertive keeps track of the websites and pages our customers visit in order to determine what services are the most popular. This data is used to deliver customised content and tailored advertising to customers.
The following sub-processors are involved in data processing within the EEA:
- Amazon Web Services
9. INFORMING INDIVIDUALS
Responsibility for informing individuals about the use of data, beyond what is covered in this document, remains with the Customer, who is the data controller.
10. PUBLISHING OF DATA
No Relevant Data will be published on the internet or on any other media platform, nor shared in any way beyond what is covered in this document.
11. QUALITY OF DATA
Alertive deals with two categories of Custodian Data – static personal data which is defined as User Name, Telephone Number and Job Title, as well as non-static data which is entered into free text areas and uploaded in the form of images and audio. The quality of both these sets of data is controlled by the data controller.
12. PROPORTIONATE USE OF DATA
The static personal data provided by the data controller allows users of the product to identify individuals. We are reliant upon customers to provide accurate, up-to-date information and to advise us if the information in the system is not adequate, relevant or appropriate.
13. RESPONSIBILITY TO KEEP DATA UPDATED
Static Personal information can be updated as needed, via a request from the customer or via an update of Active Directory information, which is controlled by the data controller. Free text input message data cannot be updated by design, as this would affect the integrity of the data, and in turn impact the quality of reporting and auditing.
14. RETENTION PERIODS
We do not define the retention period for data, but instead work with each data controller (Trust) to define the retention period based on their data retention policy and requirements.
15. DELETION POLICY
Alertive implements the required configuration to ensure that data is deleted in compliance with our customer’s data retention policy and requirements.
16. INDIVIDUAL DATA REQUESTS
The process for responding to requests from individuals about the information held about them is as follows:
- Requests need to be made via contractually agreed support channels.
- The data request is reviewed and the identity of the user validated.
- All information pertaining to the individual will be extracted from the Alertive system and compiled into a report.
- The report will be secured with a passphrase and sent to the requester, either via email or through a method defined by the end user, within one calendar month.
17. STORAGE OF DATA
Data is stored as follows:
- Server – personal data is stored in a secure database within AWS RDS.
- Android application – Personal data is stored in an encrypted database within the local private storage area, which is inaccessible to end users.
- iOS – Personal data is encrypted and stored within the local private storage area, which is inaccessible to end users.
- Desktop – Personal data is stored in an encrypted database within the local storage area, which is inaccessible to end users.
- Personal Data – Any personal data supplied by the user is encrypted during transit.
- Website – Personal data supplied by the user is stored in an encrypted database. Access to this database is restricted to the website and works on an IP Whitelist basis.
18. APPLICATIONS THAT PROCESS DATA
- Alertive Apps and Server
- Microsoft Azure Notification Hubs (any Custodian Data is encrypted)
- Apple Push Notification Infrastructure (any Custodian Data is encrypted)
- Android Push Notification Infrastructure (any Custodian Data is encrypted)
19. STAFF ACCESS
Alertive can be downloaded and used safely, under the Bring Your Own Device initiative, over the public internet.
20. TRANSFER OF DATA OUTSIDE THE EEA
Although we work with US Companies, we utilise their UK data centres and keep data within the UK. The exception to this rule is when we use Apple or Google’s push notification services; when this is done, we ensure that Custodian Data is encrypted.
We use Firebase Crashlytics, a Google-owned service, within our Android and iOS Applications.
Crashlytics provides our developers with information about crashes and malfunctions within Alertive that users may experience, which allows us to be proactive and resolve issues.
The Services allow us to collect the following information:
- Device state information
- Unique device identifiers (Model, Device Type, OS, language)
- Information relating to the physical location of a device
- Information about the Application and how the Application was used
- Time stamps
Data transmitted from Alertive to the Crashlytics Service is sent via a secure TLS connection and is neither stored nor transferred to other services or resources, nor associated with other data available to Google.
For further information about Crashlytics:
- An RFC-4122 UUID which permits Google to deduplicate crashes
- The timestamp of when the crash occurred
- The app’s bundle identifier and full version number
- The device’s operating system name and version number
- A boolean indicating whether the device was jailbroken/rooted
- The device’s model name, CPU architecture, amount of RAM and disk space
- The uint64 instruction pointer of every frame of every currently running thread
- If available in the runtime, the plain-text method or function name containing each instruction pointer.
- If an exception was thrown, the plain-text class name and message value of the exception
- If a fatal signal was raised, its name and integer code
- For each binary image loaded into the application, its name, UUID, byte size, and the uint64 base address at which it was loaded into RAM
- A boolean indicating whether or not the app was in the background at the time it crashed
- An integer value indicating the rotation of the screen at the time of crash
- A boolean indicating whether the device’s proximity sensor was triggered