Privacy Statement
European Union and United Kingdom
Introduction
Sword Health takes your privacy seriously. This Privacy Statement describes our practices for collecting, storing, and processing the Personal Data of users of our Services in the European Union and United Kingdom.
It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “How to Exercise Your Rights” section.
We encourage you to read this Privacy Statement carefully.
We offer wellness and physical therapy services by virtually connecting our users to doctors of physical therapy, physical therapists, physiotherapists, or other professionals. We do this through our websites, including, but not limited to, www.swordhealth.com and related sites, and the Sword mobile applications (collectively, the “Sites”), as well as the Sword Health Digital Therapist device, Sword motion sensors, the Bloom Pod device, the Move wearable device, and other biofeedback technology and exercise monitoring equipment, and other electronic means such as video conferencing, chat, phone, and online events (the foregoing, together with the Sites, the “Services”).
The use of “Sword” in this Privacy Statement refers to the Sword Health contracting entity for your geographical region, as identified below.
For European Union users of the Services, the contracting entity is Sword Health, S.A. For users based in the European Union, Sword Health, S.A. is the data controller.
For UK users of the Services, the contracting entity is Sword Health UK, Ltd. For users based in the United Kingdom, Sword Health UK Ltd. is the data controller.
The Services are owned by Sword Health Technologies, Inc., and its affiliates, including, but not limited to, Sword Health UK, Ltd., Sword Health, S.A., and Sword Health, Inc.
Sword provides the Services through which you can access telehealth, musculoskeletal care, pelvic health, durable medical equipment, and other wellness services provided by a professional (“Health Services”). Sword engages independent doctors of physical therapy and other professionals (each a “Professional” or together, the “Professionals”) to provide Health Services.
If you are accessing the Services from the United States click here.
To help you read this Privacy Statement, we have organised it into the following sections:
- Information You Provide to Us
- Information Collected While Using Our Services
- Information Collected from Other Sources
How We Use and Share Personal Data
- Use of Personal Data
- Sharing Personal Data
- Our Legal Basis for Processing Personal Data
- Cross Border Transfers
- Retention of Personal Data
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restriction of Processing
- Right to Object to Processing
- Right to Data Portability
- Right to Withdraw Consent
- Right to Lodge a Complaint with Your Supervisory Authority
- How to Exercise Your Rights
Children’s Information
External Websites
Changes to This Privacy Statement
Contact Us or File a Complaint
Personal Data We Collect
We may collect information that identifies, or is reasonably capable of identifying, you (“Personal Data”) as further described in the categories below. We collect Personal Data from you, from your use of the Services, including when you visit the Sites, and from certain third party sources.
Information You Provide to Us
Sword collects information that you provide to us, including when you enrol, give updates about your condition, respond to a survey, or contact us. This information may include:
- Contact or other Identifying Information, such as your name, address, email address, telephone number, username, and password;
- Professional or employment-related information, such as the name of your employer, company, and other professional or employment information you provide to us;
- Mental and physical condition information, such as height, weight, general health, feelings of pain and fatigue, exercise patterns, personal motivations, and feelings of anxiety or depression;
- Medical information, such as current or former injuries, medical diagnoses, and whether you are cleared by a physician to exercise;
- Payment information where you are being directly billed for your use of the Services; and
- Communications with Sword, including with the Professionals.
Information Collected While Using Our Services
Sword may also collect certain information when you access, browse, and use our Services. This information is generated by the computer, tablet, mobile app, devices or electronic sensors used in the Services. This information may include:
- Internet and other electronic activity data, such as the name of the domain and host from which you access the Internet; the browser software you use and your operating system; the date and time you access the service; how often you access the Services; and the Internet address of the website from which you directly linked to SWORD;
- Log and Troubleshooting Information, such as information about how our Services are performing when you use them, like service related diagnostic and performance information, including log files, timestamps, diagnostic or crash data, website/app performance logs, and error messages or reports;
- Identifiers or Geolocation data, such as Internet Protocol (IP) address, device identifier or geolocation (if enabled);
- Sensor data, such as the type and order of exercises, number of repetitions, duration, manner, and individual performance including range of motion, movement errors, and compliance with the assigned movement; and
- Data from Tracking Technologies, such as information from cookies, web beacons, tags or other tracking technologies, as further described below.
Information Collected from Other Sources
In connection with your use of the Services, we may combine or compare data we have collected from you with information collected from a third party. Some examples of information we may receive from a third party include:
- Eligibility Information: If you are participating in a program sponsored by your employer, insurance provider, health plan or other authorised benefits provider, information contained in an eligibility file, such as whether you are enrolled in the plan, your name, email, and some related health information;
- Information We Obtain From Your Health Care Providers and Other Sources: In connection with your treatment, we may collect medical records from your past, current, and future health care providers, which may include past or present diagnoses, previous treatments, general health, test results and reports, any family history of illness, and records of communications related to your health; and
- Information Collected From Third Parties: We may collect information available about you from third party service providers to improve the Services, such as identifying health factors related to your treatment to better tailor the Services to you.
How We Use and Share Personal Data
Use of Personal Data
We may use the Personal Data we collect for one or more of the following business purposes:
- To provide, personalise, improve, update, and expand our Services, including:
  - For product testing and development, data analysis, and survey purposes; and,
  - For scientific, statistical, and historical research;
- To communicate with you about the Services, including:
  - To respond to your inquiries and concerns;
  - To provide you with information or request action in response to technical, security, and other operational issues; and,
  - To follow-up with you regarding your enrollment process;
- To create de-identified information (for example, aggregated statistics) related to the use of the Services or for scientific research;
- To comply with laws and regulations, including to respond to law enforcement or government requests as required by applicable law, court order, or governmental regulations and to monitor our compliance with those obligations;
- To collect data necessary to comply with EU, UK, and international legislation with respect to post-marketing surveillance and vigilance. Such data is necessary to monitor safety and performance of our product;
- To protect the integrity and maintain the security of our Services;
- To enforce our Terms and Conditions; and
- For any other purpose for which you may provide consent or as disclosed to you when you provide your Personal Data to us.
When we use the term “de-identified information,” we mean information that is neither used, nor intended to be used, to identify an individual.
Sharing Personal Data
Sword does not share your Personal Data with third parties except as described in this Privacy Statement or with your additional consent (if applicable).
Sword may share Personal Data with the following categories of third parties for the following purposes:
- Service Providers: We may share your Personal Data with service providers, such as contractors and other third parties we use to support our organisation and provide us with services. These companies are subject to contractual obligations governing privacy, data security, and confidentiality consistent with applicable laws. These companies include our cloud services infrastructure providers, vendors that assist us in marketing and consumer research analytics, fraud prevention, security, communications infrastructure providers, vendors that help us provide some support functions, like phone support or survey tools, law firms, and third party partners for analytics and advertising purposes.
- Corporate Affiliates: We may share your Personal Data with our subsidiaries, affiliates, and associated organisations.
- Research Partners: We may share your Personal Data with research partners if you provide us with your express consent or if otherwise permitted by law. Research partners include commercial or non-profit organisations that conduct or support scientific research, the development of therapeutics, medical devices or related material to treat, diagnose, or predict health conditions. In some circumstances, a research partner or Sword may have a financial interest in the research arrangement.
- Health Care Providers, Health Plans, Insurance Companies, and Similar Organisations: Personal Data that we create or obtain about you may be shared with health care providers, health plans, insurance companies or other similar health care organisations as permitted by law or pursuant to your consent.
- Law Enforcement, Government Agencies, or Other Third Parties: From time to time, we may be required to provide Personal Data to a third party in order to comply with a subpoena, court order, government investigation, or other similar legal process. If we disclose your Personal Data to law enforcement, we will reasonably attempt to provide you with advance notice, unless we are prohibited from doing so. We may share your Personal Data if we believe it is reasonably necessary to:
  - Comply with valid legal process (e.g., subpoenas, warrants);
  - Respond to a government request;
  - Enforce or apply our Terms and Conditions;
  - Investigate fraud;
  - Protect the security or integrity of the Services;
  - Protect the rights, property, or safety of Sword, our employees/contractors, members or users; or
  - At your direction or with your permission.
- Corporate Transaction: If we are involved in a bankruptcy, merger, acquisition, reorganisation, or sale of all or a portion of our assets, we may share or transfer your Personal Data as part of such corporate transaction.
- Employer: In very limited circumstances, we may share your Personal Data with your employer if legally permissible to do so. For example, if you have access to the Services through your employer, Sword may share your Personal Data to confirm eligibility for the Services.
Our Legal Basis for Processing Personal Data
Under the GDPR/UK GDPR, we have to specify our legal basis for processing your Personal Data. We collect, use, and share the Personal Data we have in the ways we described above:
- As necessary to fulfil our Terms and Conditions, such as to provide you with the Services;
- With your consent, which you may revoke at any time, we process your Personal Data where it comprises health data;
- As necessary to comply with legal obligations, such as responding to law enforcement requests or subpoenas;
- To protect your vital interests, such as in case of a health emergency;
- We rely on our legitimate interests or the legitimate interests of a third party, such as our users, where they are not outweighed by your interests, or fundamental rights and freedoms ("legitimate interests"):
  - To promote new developments and features of our Services;
  - To improve, promote, and develop our Services in an informed way;
  - To ensure the ongoing security of our Services and to ensure they are continuously available and functioning;
  - To research and innovate; and
  - To provide you with customer services.
Cross Border Transfers
As part of your use of the Services, your Personal Data may be transferred for processing to countries outside of your country of residence. Some of these countries may have data protection laws that are less protective than the rules of your country. Nonetheless, we will take steps to ensure your Personal Data is adequately protected as required by applicable data protection laws, including the GDPR/UK GDPR, and will not be used in a way contrary to this Privacy Statement. We rely on the following transfer mechanisms:
- Adequacy Decisions: We rely on decisions from the European Commission (or where applicable, the UK Secretary of State) recognizing that certain countries and territories outside of the European Economic Area or the UK (as applicable) ensure an adequate level of protection for Personal Data. These decisions are referred to as “adequacy decisions.”
- Standard Contractual Clauses: We utilise standard contractual clauses approved by the European Commission (and the equivalent standard contractual clauses for the UK, where appropriate) for transfers to the United States and Canada. For a copy of the standard contractual clauses, contact us as described below.
Retention of Personal Data
Sword will retain the Personal Data you provide while creating your account and your profile until such time as you delete your account or you request deletion provided you are entitled to request deletion under applicable law, whichever comes first. Any health records created as a result of your use of the Services will be securely maintained by Sword for a period that is no less than the minimum number of years such records are required to be maintained under applicable law. Sword may also retain certain information as reasonably necessary to comply with our legal obligations (including law enforcement requests), resolve disputes, maintain security, prevent fraud and abuse, as well as to comply with tax, securities, and regulatory compliance requirements.
Your Data Protection Rights
Under applicable data protection laws, you have the rights described below.
Right to Access
You have the right to ask us for copies of your Personal Data.
Right to Rectification
You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Right to Erasure
You have the right to ask us to erase your Personal Data in certain circumstances.
Right to Restriction of Processing
You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.
Right to Object to Processing
You have the right to object to the processing of your Personal Data in certain circumstances (in particular, where we don’t have to process the information to meet a contractual or other legal requirement, or where we are using the data for direct marketing). This applies where we rely on the lawful basis of legitimate interest.
Right to Data Portability
You have the right to ask that we transfer the Personal Data you gave us to another organisation, or to you, in certain circumstances.
Right to Withdraw Consent
You have the right to withdraw your consent, where we rely on consent as the legal basis for processing your Personal Data. Where you withdraw your consent, the withdrawal will not affect the lawfulness of processing based on consent before the withdrawal.
Right to Lodge a Complaint with Your Supervisory Authority
For EU Residents, you can complain to the relevant Supervisory Authority if you are unhappy with how we have used your Personal Data. A list of Supervisory Authorities and related contact information is provided below and can be found here.
For UK Residents, you can also complain to the ICO if you are unhappy with how we have used your Personal Data (see contact details below).
How to Exercise Your Rights
If you wish to exercise your rights, please send an email to help@swordhealth.com. When submitting your request, please provide us with your name and contact information for purposes of enabling us to begin verifying your identity. We may request additional information about you if needed to verify your identity. Unless you have previously provided us your Personal Data for another purpose, we will only use the Personal Data provided in the verification process to verify your identity or authority to make a request, and to track and document your request to meet our obligations. Certain exceptions or exemptions may apply that will limit your ability to exercise these rights.
Tracking Technologies
We may use technologies such as cookies, web beacons or pixels, tags, scripts, and other storage technologies (collectively “Tracking Technologies”) to collect or receive information on the Sites. These Tracking Technologies may help us save your preferences, understand how you navigate through the Sites, and improve your experience.
Cookies and Other Tracking Technologies
Cookies are small data files that we transfer to your device to collect information about your use of the Sites. Cookies can be recognized by the website that downloaded them or other websites that use the same cookies. This helps websites know if your browsing device has visited them before. We may use both first party and third party cookies on the Sites for the following purposes: to make the Sites function properly; to improve the Sites; to track your interaction with the Sites; to enhance your experience with the Sites; to remember information you have already provided; to collect information about your activities over time and across third party websites or other online services in order to deliver content tailored to your interests; and to provide a secure browsing experience during your use of the Sites.
The length of time a cookie will stay on your browsing device depends on whether the cookie is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your browsing device until they expire or are deleted. The following types of cookies may be used on the Sites:
- Strictly Necessary Cookies. These cookies are essential because they would enable you to use the Sites. For example, strictly necessary cookies allow you to access secure areas of the Sites and for us to provide the Sites. These cookies do not gather information about you for marketing purposes. This category of cookies would be essential for the Sites to work and they cannot be disabled.
- Functional or Preference Cookies. We may use functional cookies to remember your choices so we can tailor the Sites to provide you with enhanced features and personalised content. For example, these cookies can be used to remember your name or preferences on the Sites. We would not use functional cookies to target you with online marketing. While these cookies can be disabled, this may result in less functionality during your use of the Sites.
- Performance or Analytic Cookies. These cookies collect passive information about how you use the Sites, including webpages you visit and links you click. We would use the information collected by such cookies to improve and optimise the Sites. We would not use these cookies to target you with online marketing. You would be able to disable these cookies.
We may also use tracking technologies to collect “clickstream” data, such as the domain name of the service providing you with Internet access, your device type, IP address used to connect your computer to the Internet, your browser type and version, operating system and platform, the average time spent on the Sites, web pages viewed, content searched for, access times and other relevant statistics, and assign unique identifiers to the device or other credentials you use to access the Sites for the same purposes. Our Sites and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
Managing Your Tracking Technology Preferences
When viewing the Sites, you can accept or reject the use of cookies. In addition, many browsers allow you to manage your cookie preferences at the individual browser level. You can set your browser to reject and/or delete some or all cookies. If you reject or delete cookies, please be aware that you may not be able to use some or all portions or functionalities of the Sites.
Do Not Track. Some Internet browsers (e.g. Internet Explorer, Mozilla Firefox, and Safari) include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, the Sites currently do not process or respond to “DNT” signals.
Location Information. You may be able to adjust the settings of your device so that information about your physical location is not sent to us or third parties by: (a) disabling location services within the device settings; or (b) denying certain websites or mobile applications permission to access location information by changing the relevant preferences and permissions in your mobile device or browser settings. Please note that your location may be derived from your WiFi, Bluetooth, and other device settings. Please see your device settings for more information.
Analytics Tools. We may use tools such as Google Analytics, Facebook, and LinkedIn to help analyse how individuals use the Sites. Such third parties may use cookies, APIs, and SDKs on our Sites to enable them to collect and analyse user and device related data and information on our behalf. These tools use cookies to collect information such as how often users visit the Sites, what pages they visit, and what other websites they used prior to coming to the Sites. We use the information we get to improve our Sites and to tailor the Sites to you. We may use Google Analytics to obtain information about your visits to the Sites. Google’s ability to use and share information collected by Google Analytics about your visits to the Sites is restricted by Google Analytics Terms of Service and the Google Privacy Policy. You may prevent your data from being used by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on.
Children’s Information
We are committed to protecting the privacy of children. We do not collect Personal Data directly from anyone who is, to our knowledge, under the age of 13. If you are under the age of 13, please do not provide any information to us through the Sites or Services. If you become aware that an individual under age 13 has provided their information directly to us, please contact us as described in the “Contact Us” section, so that we can delete the information.
External Websites
The Sites may contain links to other websites, including, but not limited to, investor relations, job applicant information gathering, assessment, and testing sites. These third party sites have their own privacy practices and measures to secure and protect your information. This Privacy Statement does not apply to any third party sites. We encourage you to review the privacy statement of any other third party website you may visit.
Changes to This Privacy Statement
This Privacy Statement is effective as of the date stated at the bottom of this Privacy Statement. We may change this Privacy Statement from time to time. Please be aware that, to the extent permitted by applicable law, our use of your Personal Data is governed by the Privacy Statement in effect at the time we collect the information. If you visit the Sites or use the Services after a change to this Privacy Statement is posted on the Sites, you will be bound by such change.
Contact Us or File a Complaint
If you have any questions or comments regarding this Privacy Statement, please contact us at:
Sword Health, S.A.
Avenida Sidónio Pais 153, Edifício A, Piso 5,
4100-467 Porto, Portugal.
or by emailing us at:
You may also contact Sword’s Data Protection Officer directly by sending an email to: DPO@swordhealth.com.
EU Residents can also complain to their Supervisory Authority by locating their applicable Supervisory Authority on the European Data Protection Board’s directory of Supervisory Authorities at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
UK Residents can also complain to the ICO if you are unhappy with how we have used your Personal Data through the methods below:
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk