FotoConsent
General Privacy Notice


1. Privacy Policy

This notice applies across all websites that we own and operate and all the services we provide, including our online and mobile services products, and any other apps or services we may offer (for example, events or training). For the purpose of this notice, we’ll call them our “Services”. 

GDPR Ltd, trading as FotoConsent ("FotoConsent", "we", "us" “our”) are committed to protecting your privacy. This privacy notice describes the ways in which we collect data from you when you use our Services or which you otherwise provide to us, and what we may use it for. It should be read in conjunction with our Terms and Conditions of Use (https://fotoconsent.co.uk/terms-and-conditions).

When we say ‘personal data’ we mean any data relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

'Special categories' of personal data (“Sensitive Personal Data”) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.


2. Why does FotoConsent collect and store data?

FotoConsent needs to collect, process and store personal data about you in order to deliver efficient and effective Services.

Legal basis for processing

We often have two main legal bases for processing personal data. Firstly, where it is necessary for the purposes of the legitimate interests pursued by FotoConsent or by a third party to process your information. We can do that so long as we do not interfere with your fundamental rights or freedoms.

Secondly, because we have your consent (i.e. agreement) to us processing your personal data. Our Subscribers, their Patients and other users are asked to give consent when signing up to use our Services. Under the GDPR, consent is a legal basis for processing personal data. You can withdraw your consent at any time. This is explained further below in the section entitled 'Your rights under GDPR'.

To process personal data about criminal convictions or offences, we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

The other reasons we can rely upon to process your personal data under GDPR is as follows:

  • Where we are under a legal obligation or an obligation under a contract to process/disclose the data.

  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person.

  • The legal basis for processing Sensitive Personal Data is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing. The basis we can use are:

    • With your consent;

    • Where we need to protect the vital interests (i.e. the health and safety) of you or another person;

    • Where you have already made your Sensitive Personal Data public;

    • Where we or another person needs to bring or defend legal claims; and/or

    • Substantial public interest grounds

3. Data we may collect from you

We may collect and process the following data about you, we call this “User Data”:

  • Information that you provide by filling in forms on our Services. This includes information provided at the time of registering to use our Services, posting material or requesting further services.

  • Information you provide when you report a problem with our Services;

  • If you contact us, we may keep a record of that correspondence.

  • We may ask you to complete surveys that we use for research purposes, although you do not have to respond to them.

  • Detailed personal information such as age, sex, date of birth, contact details (telephone numbers and email addresses)

  • Details of transactions you carry out through our Services and of the fulfilment of your orders.

  • Details of your visits to our Services including, but not limited to, traffic data, location data, weblogs and other communication data and, the resources that you access. 

We may collect information about your computer, including where available your IP address, operating system and browser type for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.

Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, take a look at our Cookie Policy (https://fotoconsent.co.uk/cookie-policy).

By using our Services, you warrant that all data provided by you in any registration forms or other submissions is accurate, current and complete.


4. Who the personal data relates to

We collect and hold personal data about:

  • Patients This includes current and former patients who have signed-up to our Services and is limited to their name, email address and date of birth for the sole purpose of authenticating access to data stored on them by a paid for, unpaid for or trial subscribers (“Subscribers”) who have signed-up to and been granted use of our Services under our Terms and Conditions of Use (https://fotoconsent.co.uk/terms-and-conditions).

  • Healthcare Professionals This includes current and former Healthcare Professionals who have signed-up as Subscribers to our Services.

  • Invited Users This includes current and former persons other than the Subscriber (and Patients covered above) who have been invited to use our Services by a Subscriber.

We will minimise our holding and use of sensitive categories of personal information.


5. Data we hold but do not have access to

Our Services enable our Subscribers to capture, store and share sensitive personal and medical data about their Patients in a GDPR compliant manner (the “Purpose”). All data captured by our Subscribers as part of the Purpose is end-to-end encrypted, preventing us, or anyone else, other than the Subscriber and the Patient from accessing that data. Patient consent is granted between the Patient and the Subscriber only and is handled in accordance with FotoConsent’s Healthcare Professional Privacy Notice, available here https://fotoconsent.co.uk/healthcare-professional-privacy-policy).  

From time to time as part of the Purpose Subscribers may, in accordance with FotoConsent’s Healthcare Professional Privacy Notice, share patient data with other Subscribers.

FotoConsent does not accept any responsibility or liability for any direct, indirect or consequential loss or damage incurred from a Subscriber’s breach of the Healthcare Professional Privacy Notice, misuse of our Services or otherwise.


6. How do we use your data?

First and foremost, we use your personal data to operate our Services and to manage our relationship with you. We also use your personal data for other purposes, which may include the following:

To communicate with you. This may include:

  • providing you with information you’ve requested from us or information we are required to send to you;

  • operational communications, like changes to our Services, security updates, or assistance with using our Services;

  • marketing communications (about FotoConsent or another product or service we think you might be interested in), if you have opted-in to receive such information in accordance with your marketing preferences;

  • asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with) .

To support you: This may include assisting with the resolution of technical support issues or other issues relating to our Services, whether by email, in-app support or otherwise.

To enhance our Services and develop new ones: For example, by tracking and monitoring your use of our Services so we can keep improving, or by carrying out technical analysis of our Services so that we can optimise your user experience and provide you with more efficient tools.

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our Services fairly and in accordance with our Terms and Conditions.

To market to you: In addition to sending you marketing communications, we may also use your personal data to display targeted advertising to you online – through our own Services or through third party websites and their platforms.

To analyse, aggregate and report: We may use the personal data we collect about you and other users of our Services (whether obtained directly, automatically or from third parties) to produce aggregated and anonymised analytics and reports, which we may share publicly or with third parties.


7. Protecting and sharing data

FotoConsent may make User Data available to successors in title to our business. 

We may engage third party companies and individuals to facilitate our Services, to provide the Services on our behalf and to perform services related to administration of our Services (including, without limitation, mobile application market places, payment processing, maintenance, hosting and database management services). These third parties may have access to or be provided with your data only to perform these tasks on our behalf. These third parties that operate through websites may have their own privacy policies. We encourage you to read the privacy policies and other terms of such websites before using the services.

Our staff only have access to your personal data when and if they need to use it to provide the Service to you. We will also disclose information as required by law.


8. How long do we hold your data for?

The length of time we keep your personal data depends on what it is and whether we have an on-going business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal, tax or accounting requirements).

We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an on-going business need to retain it, in accordance with our data retention policies and practices. Following that period, we’ll make sure it’s deleted or anonymised.


9. Your rights under GDPR

Right to be informed: We will provide you with a privacy notice to tell you how we are using your personal data.

Right of access: You have the right to obtain access to your own personal data at any time so you are aware of and can verify the lawfulness of processing. Information will be supplied within one month of receipt of the request. This can be extended by a be supplied within one month of receipt of the request. This can be extended by a further two months where requests are complex or numerous. This will be provided free of charge unless you ask for multiple copies or the request is manifestly unfounded or excessive. We can also refuse your request if it adversely affects the rights and freedoms of others or is manifestly unfounded or excessive. You can make a subject access request by contacting support@fotoconsent.co.uk using the subject heading “Data Subject Access Request”.

Right of rectification: You have the right to have your personal data rectified if it is inaccurate or incomplete. If we have disclosed this to third parties, we will tell you if this is appropriate and we will inform them of the rectification where possible.

We must respond within one month, extendable by two months where the request for rectification is complex.

Right of erasure: You have the right to request the deletion of personal data where there is no compelling reason for its continued processing or if we are processing it in an unlawful manner – for example if we are using it for a different purpose than originally stated.

Right to restrict data processing: Under certain circumstances, you have a right to 'block' or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not to further process it. We can retain just enough information about you to ensure that the restriction is respected in future. 

Right to data portability: You can obtain and reuse your personal data for your own purposes across different services. This right applies where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means. 

Right to object: You have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

  • Direct marketing (including profiling); and

  • Processing for purposes of scientific/historical research and statistics.

If we process personal data for the performance of a legal task or our organisation's legitimate interests, you must have an objection on "grounds relating to your particular situation"

We must stop processing the personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or

  • The processing is for the establishment, exercise or defence of legal claims. 

Right to withdraw consent at any time: You may contact FotoConsent to request this. Although we may not be able to accept your request for certain types of data, please contact us if you wish to discuss this further.

The right not to be subject to automatic decisions: You have the right not to be subject to automatic decisions. These are decisions that are made about you by computer alone, that have a legal or other significant effect on you.

Right to complain: You can complain about any matter relating to our Services, including how we use your personal data:

  • In the first instance please contact us at support@fotoconsent.co.uk.

  • If you wish to complain about our use of your personal data you may complain to the UK Information Commissioner's Office (ICO) at https://ico.org.uk  


10. Legal requirements

While it is unlikely, we may be required to disclose your User Data by a court order or to comply with other legal requirements. We will use all reasonable endeavours to notify you before we do so, unless we are legally restricted from doing so.


11. No commercial disposal to third parties

We will not sell, rent, distribute or otherwise make User Data commercially available to any third party without your prior permission.


12. Storage of User Data

The User Data we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.


13. The internet

Given that the Internet is a global environment, using the Internet to collect and process User Data necessarily involves the transmission of data on an international basis. Therefore, by using our Services and communicating electronically with us, you acknowledge and agree to our processing of your User Data in this way.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your User Data, we cannot guarantee the security of your User Data transmitted to our Services; any transmission is at your own risk. Once we have received your User Data we will use procedures and security features to try to prevent unauthorised access.

Our Services may, from time to time, contain links to other websites which are outside our control and are not covered by this Privacy Policy. If you access other websites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours. We do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.


14. Updates to this Privacy Notice

We reserve the right to update and change this Privacy Notice from time to time to reflect any changes in the way in which we process your personal data or changing legal requirements. Any changes we make to the Privacy Notice will be posted on this page. Please check back at intervals to see any updates or changes to this Privacy Notice.


15. Information about us

Please contact us at the following email address with any questions and/or complaints about our service to you support@fotoconsent.co.uk.

GDPR Ltd trading as FotoConsent registered offices are: 

GDPR Ltd,
20-21 Jockey’s Fields, 
London, 
WC1R 4BW
UK