How we handle your personal data
Aurabox is designed to help you share your personal health care information in a safe and secure way.
Secure by default
We understand that your privacy is of paramount importance, and we are committed to protecting the personal information you share with us. As part of our commitment to transparency and compliance with data protection laws, this page is designed to help you understand how we collect, use, and safeguard your personal data when you interact with our services.
Our privacy practices are structured to provide security and confidentiality to your personal information while enabling us to deliver a superior service experience. Whether you're new to our services or a long-time user, we want you to feel informed and confident about how your personal data is handled here.
We invite you to read the following sections to learn more about our data handling practices. Should you have any questions or need further clarification, please do not hesitate to contact us. Your trust in our services is valued, and we're committed to maintaining that trust by respecting your privacy and ensuring the security of your personal data.
Aurabox is fully compliant with EU and UK GDPR requirements.
Data collection
What data we collect
Aurabox collects personal health information provided by your or your care team. This information includes your name, date of birth, sex, address, medical imaging and other diagnostic healthcare data, as well as other information relating to your medical care and treatment.
How we collect data
This data is provided to Aurabox in the following ways:
- By you, when you have an Aurabox account
- By your care team, when they use Aurabox, and
- By the organisations that create the data, such as medical imaging providers
Use of Data
Aurabox collects your personal health data for the following purposes:
- To allow you to aggregate your health data and share it safely with your medical team
- To allow doctors to aggregate and share health data on behalf of their patients, to improve treatment outcomes
Aurabox does not use any automated data processing. Your information is stored in Aurabox exactly as provided.
Data sharing
Personal data sharing
As part of the service provided by Aurabox, you may share your data with registered medical professionals on the Aurabox platform.
Sharing by your care team
Doctors use Aurabox to collaborate on the care of patients to improve treatment outcomes. This includes sharing patient records.
Third party sharing
Aurabox does not share your data with third parties except where you grant permission to do so. When you sign up for an Aurabox account, you will be asked if you wish to allow anonymised sharing and the circumstances under which this will occur.
Legal Requirements
Aurabox may have legal requirements to share your data for law enforcement or regulatory purposes. You may not be informed when this occurs, however Aurabox will always attempt to notify you where possible.
Data security
The security of your personal data is a top priority. We employ robust measures to protect your information from unauthorized access, alteration, and loss. Our data security practices are guided by comprehensive standards and regulations to ensure the highest levels of data protection.
We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. These include advanced encryption technology, strict data access policies, and continuous monitoring of our IT systems to detect and mitigate threats.
Your data is stored in secure facilities, and access is restricted to authorized personnel only, based on their role, requirement in the organization, and subject to stringent confidentiality obligations.
For any concerns about data security, or if you require more detailed information on our specific measures, please contact our support team. We are here to ensure that your personal data remains secure and that your privacy is always respected.
Data rights
At Aurabox, we are committed to upholding your rights under the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). We recognize the importance of your data privacy and strive to provide you with full control over your personal information. Here is an overview of your data rights and how you can exercise them:
Access to Your Data
Right to Access: You have the right to access your personal data that Aurabox processes. This allows you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- You can do this by accessing your account or by contacting us.
Correction and Update of Your Data
Right to Rectification: If any data we hold about you is incomplete or inaccurate, you are entitled to ask us to correct it. This ensures your data is up-to-date and accurate.
- You can do this by accessing your account or by contacting us.
Deletion of Your Data
Right to Erasure (‘Right to be Forgotten’): Under certain circumstances, you can request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This is particularly relevant where the data is no longer necessary for the purposes for which it was collected or where you withdraw consent.
- You can do this by deleting your account or by contacting us.
Restriction of Processing
Right to Restrict Processing: You have the right to block or suppress the processing of your personal data under certain conditions. During the period of restriction, we can store your data, but not process it further.
- You can do this by contacting us.
Data Portability
Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy, or transfer personal data easily from Aurabox to another data controller in a safe and secure way, without hindrance to usability.
- You can download your data directly from your account or by contacting us.
Withdrawal of Consent
Right to Withdraw Consent: If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time. This includes the right to withdraw consent to us using your personal data for marketing purposes.
- You can do this by accessing your account or by contacting us.
Automated Decision Making and Profiling
Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except as allowed under relevant laws.
Aurabox does not currently use Automated Decision Making and Profiling. You will be notified via email if this changes, and given the option to consent.
Managing Your Permissions
Setting and Updating Permissions: Aurabox allows you to set your permissions during registration and at any time thereafter by visiting Account > Permission in your Aurabox profile. This feature ensures that you have continuous control over how your information is handled and used by us.
At Aurabox, we take your data rights seriously and provide all the necessary tools and support to help you manage your privacy effectively. Should you wish to exercise any of these rights, or if you have any questions about your personal data, please contact our Data Protection Officer through the designated channels on our website. Your privacy and trust are our utmost priority
International data transfers
When you sign up for an Aurabox account, your data is stored in a specific geographic and regulatory region, named during the registration process. Generally, data is retained in that regulatory region.
International data transfers may occur for the following reasons:
- You or your doctors may request data that is held outside the region that your account is provisioned in
- You or your doctors may share data with a user outside the regulatory region, however the data will still reside with the region. It is not currently possible to share patients between two Aurabox regions.
- You provide your data to doctor using Aurabox a region outside your geographic area
Aurabox may also transfer data via a third-party service that is not available in the region your account is located in, for the purpose of providing the service. This currently applies where:
- You upload medical imaging via our upload services and the transport service is not located in your region. This data is encrypted and only held briefly before it is transferred to our storage systems.
- Data uploads in Australia go via Singapore
- Data uploads in the UK go via Ireland
- You data is being sent for de-identification. This deidentification is provided by Google and the location of the de-identification service cannot be guaranteed.
Aurabox may transfer non-healthcare related personal information to third-parties outside your geographic areas for the purposes of marketing and communications. This information will be provided via our Sub-Processor List.
Data retention
The period for which Aurabox retains data depends on the kind of data and the reason it was provided:
Personal healthcare information
This information is retained as long as you or your doctors account is active with Aurabox. Accounts are deleted immediately when requested, and this deletion is not reversible.
Name and billing information
Your name and billing information are retained after account deletion for a minimum of 7 years or as required by local tax law (whichever is longer).
Physical media
Where data is provided to Aurabox on physical media (e.g. USB key), this information is securely transferred into Aurabox and the physical media securely stored and destroyed.
Changes and updates
Any changes this information, our Privacy Policy or Terms of Service will be communicated via email.
Please contact us if you have further questions.