Privacy Policy
RIPPON MEDICAL SERVICES LTD
BY USING OUR SERVICES YOU AGREE TO THE USE OF THE DATA THAT WE COLLECT IN ACCORDANCE WITH THIS PRIVACY POLICY
At Rippon Medical Services Ltd we use the Pabau software system; their privacy policy can be seen here:
Pabau collects personal information about you in a variety of ways when you visit our website, use our web application, or deal with us by email or on the phone. This information may include your name and contact information and other information relating to your account with us, such as your credit card details. We also automatically receive and record information when you visit our website, such as your IP address and information stored in cookies on your computer hard-drive.
Use of Information
The personal information we collect is used to provide you with services you request and to operate our business efficiently. We use it for billing, identification, authentication, service improvement, research, and also for contacting you when necessary. We may use your personal information to advise you of new or updated products or services or special offers or promotions that you may be interested in. You can contact us at any time to let us know that you do not want us to use your information for this purpose. If you do not provide personal information to us we may not be able to provide our services or services most suited to your needs.
Information Sharing
We may disclose personal information when we believe it violates our Terms of Service, when it is required to assist with a lawful investigation or comply with the law, if we believe disclosure is necessary to protect our rights, or if some or all of the assets and operations of our business are or may be transferred to another party. From time to time third party service providers who assist us with our activities, such as website hosts, IT back-up service providers, and other IT or payment service providers, may also have access to personal information held by us and may use this information on our behalf. To assist us in improving our products and services, we monitor aggregated data that is collected by our Pabau application and may share this with third parties collectively and in an anonymous way. This data will not reveal personal information. We will not sell, rent or share your personal information with third parties in other ways without your consent unless we are entitled by law to do so. By providing your personal information to us, you consent to us transferring this information to third party IT providers, including our website host and back-up service provider, outside of Australia.
Questions or complaints
You can contact us at: support@pabau.com
3rd Party
TO HELP US DELIVER PABAU WE SHARE INFORMATION AND DATA WITH VARIOUS 3RD PARTY APPS. WE LIST THOSE APPS HERE AND OUTLINE THE AGREEMENTS IN PLACE:
Google Inc.
We use Google Analytics to help us understand the way people use Pabau so we can make it better and communicate relevant information to users. To provide this Google collects anonymised statistical data about the use of our website and applications.
Read Google Analytics’ Privacy Policy
Zendesk Inc
Our customer support system and emails are provided by Zendesk. Customers' email addresses will appear in Zendesk along with all discussion between the customer and ourselves. Zendesk stores its data in USA data centres and has certified with the EU-US Privacy Shield: https://help.zendesk.com/hc/en-us/articles/229138227-Zendesk-Certifies-to-Privacy-Shield
Slack Inc
We primarily use Slack for internal electronic communications. It is likely that these discussions will concern certain customers from time to time, and data regarding those customers will be shared. Slack stores its data in USA data centres and has certified with the EU-US Privacy Shield: https://slack.com/privacy-shield-notice
Stripe
We process debit and credit card payments using Stripe Payments Europe Limited, a worldwide payments provider. The main capture is through their European subsidiary based in Ireland, but some of the data is passed to Stripe Inc., the parent company in the USA. For this transfer to be lawful they employ the European Commission's Standard Contractual Clauses ("Model Clauses") to allow for the lawful transfer of such data under the EU Data Directive.
Cloudflare Inc
Cloudflare provides content distribution, security and DNS services for web traffic transmitted to and from Pabau. It allows us to efficiently manage web traffic and helps secure the application from malicious activity. The primary information Cloudflare has access to is information in and associated with the website URL that the user is interacting with (which includes the End-User IP address). All information (which will include service data) contained in web traffic transmitted to and from Pabau is transmitted through Cloudflare's systems, but Cloudflare does not have access to this information. Our relationship with Cloudflare is governed by a specific (GDPR compliant) EU Data Processing Agreement.
Healthcode
https://www.healthcode.co.uk/latest-news/314-data-in-the-spotlight-in-2016
XERO
Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. We offer optional XERO integration. GDPR information: https://www.xero.com/uk/campaigns/xero-and-gdpr/
GoCardless
We process direct debit payments via GoCardless, an EU payments provider. You can check for GDPR compliance here: https://www.xero.com/uk/campaigns/xero-and-gdpr/
Your data is in safe hands
Data Backups
Pabau data is always backed up daily. Backups are redundantly stored in multiple physical locations.
Accreditations and Certifications
We choose our partners carefully. Our hosting partner has achieved the following accreditations and certifications:
- PCI DSS Level 1
- ISO 27001 (Information Security Management System)
We ourselves are ISO 9001 accredited & registered with the ICO.
Disaster Recovery
Our design provides the ability to rapidly restore all Pabau services, should a catastrophic loss occur. To ensure availability of our systems should we encounter a serious problem at our primary data centre, we have engineered a disaster recovery (DR) plan which we test regularly.
We perform real-time file replication to disk at each data centre, and near real-time data replication between the production data centre and the disaster recovery centre. Disaster recovery tests verify our projected recovery times and the integrity of customer data.
Network Protection
The Pabau networks are monitored to protect our perimeter against potential threats. Possible threats include hackers, data breaches, adware, spyware, pop-ups, browser exploits and phishing attempts.
All secure servers are protected by layer 7 firewalls, best-of-class router technology, TLS encryption, file integrity monitoring and network intrusion detection that identifies malicious traffic and network attacks. Network security scanning helps us quickly identify out-of-compliance systems.
All networks are monitored using a Security Information and Event Management (SIEM) system that gathers logs from all network systems and creates alert triggers based on correlated events.
In addition to our own capabilities, and those of our hosting providers, we contract with on-demand Distributed Denial of Service (DDoS) scrubbing providers that allow us to mitigate DDoS attacks.
Intrusion detection sensors throughout our internal network report events to the SIEM system for logging, alerts and reports.
Our database and file attachments are encrypted at rest, using the industry standard AES-256 encryption algorithm.
Incident and Breach Notification
Content regarding Pabau’s lines of defence is well documented and made available to our clients upon request. Pabau maintains runbooks with over 500 procedures on how to respond to system alerts and events, including security events. A Crisis Communications Plan is maintained companywide that includes instructions on how to notify customers, should a large-scale event occur. Any confirmed, unauthorized access resulting in compromised data launches an Incident Response Team that utilizes a defined and audited notification process.
Uptime
We use datacentre facilities that are built in clusters in various locations. In case of failure, automated processes move customer data traffic away from the affected area and into other sites. We are very open about our uptime; you can see all the details on our System Status page.
GDPR
We are GDPR compliant; some of the measures on our side include:
- Database encryption at storage level.
- Having breach policies in place.
- Ability for auditing specific circumstances such as a patient record being accessed.
- Permissions surrounding user groups and what they can access on a client card.
- Hosted within the EU.
- Ability to pull out a record in its entirety if a patient was to request.
- Date and audit stamps for most activity.
Managing Director
Rippon Medical Services Ltd
Medical Advanced Aesthetics & Minor Surgery Clinic
2 Spinners Yard
Fisher Street
Carlisle
CA3 8RE
Owner contact email: info@ripponmedicalservices.co.uk
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
The Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
All Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without any consequences on the availability or the functioning of the service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.
Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party's consent to provide the Data to the Owner.
The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.
The Personal Data used for each purpose is outlined in the specific sections of this document.
Google Analytics (Google Inc.)
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
Contact form
Personal Data collected: address, date of birth, email address, first name, last name and phone number.
Mailing list or newsletter
Personal Data collected: email address.
Phone contact
Personal Data collected: phone number.
StatusCake
Which Personal Data are processed depends on the characteristics and mode of implementation of these services, whose function is to filter the activities of this Application.
Personal Data collected: Cookies and Usage Data.
Place of processing: United Kingdom – Privacy Policy.
MailChimp
These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.
Personal Data collected: email address.
Place of processing: United States – Privacy Policy.
The User declares to be aware that the Data Controller may be required to reveal personal data upon request of public authorities.
This Application does not support “Do Not Track” requests.
To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.
This privacy policy relates solely to this Application.
Latest update: May 01, 2018
By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Your rights
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at Rippon Medical Services Ltd, Medical Advanced Aesthetics & Minor Surgery Clinic, 2 Spinners Yard, Fisher Street, Carlisle, CA3 8RE, or at info@ripponmedicalservices.co.uk.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Access to information
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.
Changes to our privacy policy
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
Contact
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Rippon Medical Services Ltd, Medical Advanced Aesthetics & Minor Surgery Clinic, 2 Spinners Yard, Fisher Street, Carlisle, CA3 8RE. info@ripponmedicalservices.co.uk
Rippon Medical Services Limited (“We”) are committed to protecting and respecting your privacy. This policy (together with our website terms and conditions and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting and using our services www.ripponmedicalservices.co.uk you are accepting and consenting to the practices described in this Privacy Policy. For the purpose of the Data Protection Act 1998 (the “Act”), the data controller is Rippon Medical Services Limited, a company registered in England and Wales under company number 08132885 with registered office at 6 Brunswick Street, Carlisle, Cumbria, CA1 1PN. Our nominated representative for the purpose of the Act is Jane Rippon. Our registration number with the ICO is ZA277154.
We collect the minimum amount of information about you that is commensurate with providing you with a satisfactory service. This Policy indicates the type of processes that may result in data being collected about you. Your use of this website gives us the right to collect that information.
We may collect and process the following data about you:
- Information you give us. You may give us information about you by filling in forms on our site www.ripponmedicalservices.co.uk (our site) or by corresponding with us by phone, e-mail or by visiting our clinic. This includes but is not limited to information you provide when you register to use our site, subscribe to our service, search for or enquire about a treatment, or participate in discussion boards or other social media functions on our site. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph.
- We use the information collected primarily to process the task for which you visited our site. All reasonable precautions are taken to prevent unauthorized access to this information. This safeguard may require you to provide additional forms of identity should you wish to obtain information about your account details.
- Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
  - Your Internet browser has the in-built facility for storing small files (‘cookies’) that hold information which allows a website to recognize your experience. You have the ability to prevent your computer from accepting cookies but, if you do, certain functionality on the website may be impaired.
  - Technical information including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  - Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our clinic.
- We do not disclose any personal information obtained about you from this website to third parties except when we need to do so. We may use the information to keep in contact with you and inform you of developments associated with our business. You will be given the opportunity to remove yourself from any mailing list or similar device. If at any time in the future we should wish to disclose information collected on this website to any third party, it would only be with your knowledge and consent. We may from time to time provide information of a general nature to third parties – for example, the number of individuals visiting our website or completing a registration form, but we will not use any information that could identify those individuals.
Our website uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our cookie policy. We use information held about you in the following ways:
- Information you give to us. We will use this:
  - To register you with our website and to administer our website services.
  - To provide you with services and information that you have requested about Rippon Medical Services Ltd, for example information about treatments and services that you have requested.
  - To contact you for the purposes of patient feedback and market research for Rippon Medical Services Ltd.
  - To provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
  - To notify you about changes to our service;
  - To ensure that content from our site is presented in the most effective manner for you and for your computer.
- Information we collect about you. We will use this information:
  - To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  - To improve our site to ensure that content is presented in the most effective manner for you and for your computer;
  - To allow you to participate in interactive features of our service, when you choose to do so;
  - As part of our efforts to keep our site safe and secure;
  - To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  - To make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
We will not share or sell your information for the purpose of marketing or other personal gain. We may share your information with selected third parties, including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with you.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- If Rippon Medical Services Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Rippon Medical Services Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
At Rippon Medical Services Ltd we use the Pabau software system. Pabau's privacy policy is reproduced below.
Privacy Policy of Pabau
Policy summary
Personal Data collected for the following purposes and using the following services:
Analytics
Google Analytics
Personal Data: Cookies and Usage Data
Contacting the User
Contact form
Personal Data: address, date of birth, email address, first name, last name and phone number
Mailing list or newsletter
Personal Data: email address
Phone contact
Personal Data: phone number
Infrastructure monitoring
StatusCake
Personal Data: Cookies and Usage Data
Managing contacts and sending messages
MailChimp
Personal Data: email address
Further information about Personal Data
Pabau
PRIVACY POLICY
Pabau collects personal information about you in a variety of ways when you visit our website, use our web application, or deal with us by email or on the phone. This information may include your name and contact information and other information relating to your account with us, such as your credit card details. We also automatically receive and record information when you visit our website, such as your IP address and information stored in cookies on your computer hard-drive.
Use of Information
The personal information we collect is used to provide you with services you request and to operate our business efficiently. We use it for billing, identification, authentication, service improvement, research, and also for contacting you when necessary. We may use your personal information to advise you of new or updated products or services or special offers or promotions that you may be interested in. You can contact us at any time to let us know that you do not want us to use your information for this purpose. If you do not provide personal information to us we may not be able to provide our services or services most suited to your needs.
Information Sharing
We may disclose personal information when we believe it violates our Terms of Service, when it is required to assist with a lawful investigation or comply with the law, if we believe disclosure is necessary to protect our rights, or if some or all of the assets and operations of our business are or may be transferred to another party. From time to time third party service providers who assist us with our activities, such as website hosts, IT back-up service providers, and other IT or payment service providers, may also have access to personal information held by us and may use this information on our behalf. To assist us in improving our products and services, we monitor aggregated data that is collected by our Pabau application and may share this with third parties collectively and in an anonymous way. This data will not reveal personal information. We will not sell, rent or share your personal information with third parties in other ways without your consent unless we are entitled by law to do so. By providing your personal information to us, you consent to us transferring this information to third party IT providers, including our website host and back-up service provider, outside of Australia.
Questions or complaints
You can contact us at: support@pabau.com
3rd Party
TO HELP US DELIVER PABAU WE SHARE INFORMATION AND DATA WITH VARIOUS 3RD PARTY APPS. WE LIST THOSE APPS HERE AND OUTLINE THE AGREEMENTS IN PLACE:
Google Inc.
We use Google Analytics to help us understand the way people use Pabau so we can make it better and communicate relevant information to users. To provide this, Google collects anonymised statistical data about the use of our website and applications.
Read Google Analytics’ Privacy Policy
Zendesk Inc
Our customer support system and emails are provided by Zendesk. Customers' email addresses will appear in Zendesk along with all discussion between the customer and ourselves. Zendesk stores its data in US data centres and has certified to the EU-US Privacy Shield: https://help.zendesk.com/hc/en-us/articles/229138227-Zendesk-Certifies-to-Privacy-Shield
Slack Inc
We primarily use Slack for internal electronic communications. It is likely these discussions will concern certain customers from time to time, and data regarding those customers will be shared. Slack stores its data in US data centres and has certified to the EU-US Privacy Shield: https://slack.com/privacy-shield-notice
Stripe
We process debit and credit card payments using Stripe Payments Europe Limited, a worldwide payments provider. The main capture is through their European subsidiary based in Ireland, but some of the data is passed to Stripe Inc., the parent company in the USA. For this transfer to be lawful they employ the European Commission’s Standard Contractual Clauses (“Model Clauses”) to allow for the lawful transfer of such data under the EU Data Directive.
Cloudflare Inc
Cloudflare provides content distribution, security and DNS services for web traffic transmitted to and from Pabau. It allows us to efficiently manage web traffic and helps secure the application from malicious activity. The primary information Cloudflare has access to is information in and associated with the website URL that the user is interacting with (which includes the end-user IP address). All information (which will include service data) contained in web traffic transmitted to and from Pabau passes through Cloudflare’s systems, but Cloudflare does not have access to this information. Our relationship with Cloudflare is governed by a specific (GDPR-compliant) EU Data Processing Agreement.
Healthcode
https://www.healthcode.co.uk/latest-news/314-data-in-the-spotlight-in-2016
XERO
Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. We offer optional XERO integration. GDPR Info https://www.xero.com/uk/campaigns/xero-and-gdpr/
GoCardless
We process direct debit payments via GoCardless, an EU payments provider. You can check for GDPR compliance here: https://www.xero.com/uk/campaigns/xero-and-gdpr/
Your data is in safe hands
Data Backups
Pabau data is always backed up daily. Backups are redundantly stored in multiple physical locations.
Accreditations and Certifications
We choose our partners carefully. Our hosting partner has achieved the following accreditations and certifications:
- PCI DSS Level 1
- ISO 27001 (Information Security Management System)
We ourselves are ISO 9001 certified and registered with the ICO.
Disaster Recovery
Our design provides the ability to rapidly restore all Pabau services, should a catastrophic loss occur. To ensure availability of our systems should we encounter a serious problem at our primary data centre, we have engineered a DR plan that we test regularly.
We perform real-time file replication to disk at each data centre, and near real-time data replication between the production data centre and the disaster recovery centre. Disaster recovery tests verify our projected recovery times and the integrity of customer data.
Network Protection
The Pabau networks are monitored to protect our perimeter against potential threats. Possible threats include hackers, data breaches, adware, spyware, pop-ups, browser exploits and phishing attempts.
All secure servers are protected by layer 7 firewalls, best-of-class router technology, TLS encryption, file integrity monitoring and network intrusion detection that identifies malicious traffic and network attacks. Network security scanning helps us quickly identify out-of-compliance systems.
All networks are monitored using a Security Information and Event Management (SIEM) system that gathers logs from all network systems and creates alert triggers based on correlated events.
In addition to our own capabilities, and those of our hosting providers, we contract with on-demand Distributed Denial of Service (DDoS) scrubbing providers that allow us to mitigate DDoS attacks.
Intrusion detection sensors throughout our internal network report events to the SIEM system for logging, alerts and reports.
Our database and file attachments are encrypted at rest, using the industry standard AES-256 encryption algorithm.
Incident and Breach Notification
Content regarding Pabau’s lines of defence is well documented and made available to our clients upon request. Pabau maintains runbooks with over 500 procedures on how to respond to system alerts and events, including security events. A Crisis Communications Plan is maintained companywide that includes instructions on how to notify customers, should a large-scale event occur. Any confirmed, unauthorized access resulting in compromised data launches an Incident Response Team that utilizes a defined and audited notification process.
Uptime
We use datacentre facilities that are built in clusters in various locations. In case of failure, automated processes move customer data traffic away from the affected area and into other sites. We are very open about our uptime, you can see all the details at our System Status page.
GDPR
We are GDPR compliant, some points from our side include:
- Database encryption at storage level.
- Having breach policies in place.
- Ability to audit specific events, such as a patient record being accessed.
- Permissions surrounding user groups and what they can access on a client card.
- Hosted within the EU.
- Ability to export a patient's record in its entirety on request.
- Date and audit stamps for most activity.
Contact information
Owner and Data Controller
Jane-Louise Rippon
Managing Director
Rippon Medical Services Ltd
Medical Advanced Aesthetics &
Minor Surgery Clinic
2 Spinners Yard
Fisher Street
Carlisle
CA3 8RE
Owner contact email: info@ripponmedicalservices.co.uk
Types of Data collected
Among the types of Personal Data that this Application collects, by itself or through third parties, there are: first name, last name, date of birth, phone number, email address, address, Cookies and Usage Data.
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
The Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
All Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without any consequences on the availability or the functioning of the service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.
Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party's consent to provide the Data to the Owner.
Mode and place of processing the Data
Methods of processing
The Data Controller processes the Data of Users in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.
Place
The Data is processed at the Data Controller's operating offices and in any other places where the parties involved with the processing are located. For further information, please contact the Data Controller.
Retention time
The Data is kept for the time necessary to provide the service requested by the User, or stated by the purposes outlined in this document, and the User can always request that the Data Controller suspend or remove the data.
The use of the collected Data
The Data concerning the User is collected to allow the Owner to provide its services, as well as for the following purposes: Contacting the User, Analytics, Infrastructure monitoring and Managing contacts and sending messages.
The Personal Data used for each purpose is outlined in the specific sections of this document.
Detailed information on the processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
· Analytics
The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.
Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
· Contacting the User
Contact form (this Application)
By filling in the contact form with their Data, the User authorizes this Application to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.
Personal Data collected: address, date of birth, email address, first name, last name and phone number.
Mailing list or newsletter (this Application)
By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning this Application. Your email address might also be added to this list as a result of signing up to this Application or after making a purchase.
Personal Data collected: email address.
Phone contact (this Application)
Users that provided their phone number might be contacted for commercial or promotional purposes related to this Application, as well as for fulfilling support requests.
Personal Data collected: phone number.
· Infrastructure monitoring
This type of service allows this Application to monitor the use and behavior of its components so its performance, operation, maintenance and troubleshooting can be improved.
Which Personal Data are processed depends on the characteristics and mode of implementation of these services, whose function is to filter the activities of this Application.
StatusCake (TrafficCake Limited)
StatusCake is a monitoring service provided by TrafficCake Limited.
Personal Data collected: Cookies and Usage Data.
Place of processing: United Kingdom – Privacy Policy .
· Managing contacts and sending messages
This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User.
These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.
MailChimp (The Rocket Science Group, LLC.)
MailChimp is an email address management and message sending service provided by The Rocket Science Group, LLC.
Personal Data collected: email address.
Place of processing: United States – Privacy Policy .
Further information about Personal Data
· Pabau: see the Pabau privacy policy set out above.
Cookie Policy
This Application uses Cookies. To learn more and for a detailed cookie notice, the User may consult our cookie policy.
Additional information about Data collection and processing
Legal action
The User's Personal Data may be used for legal purposes by the Data Controller, in Court or in the stages leading to possible legal action arising from improper use of this Application or the related services.
The User declares to be aware that the Data Controller may be required to reveal personal data upon request of public authorities.
Additional information about User's Personal Data
In addition to the information contained in this privacy policy, this Application may provide the User with additional and contextual information concerning particular services or the collection and processing of Personal Data upon request.
System logs and maintenance
For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) or use other Personal Data (such as the IP Address) for this purpose.
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.
The rights of Users
Users have the right, at any time, to know whether their Personal Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Data Controller at the contact information set out above.
This Application does not support “Do Not Track” requests.
To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.
Changes to this privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. If a User objects to any of the changes to the Policy, the User must cease using this Application and can request that the Data Controller remove the Personal Data. Unless stated otherwise, the then-current privacy policy applies to all Personal Data the Data Controller has about Users.
Information about this privacy policy
The Data Controller is responsible for this privacy policy, prepared starting from the modules provided by iubenda and hosted on iubenda's servers.
Definitions and legal references
Personal Data (or Data)
Any information regarding a natural person, a legal person, an institution or an association, which is, or can be, identified, even indirectly, by reference to any other information, including a personal identification number.
Usage Data
Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
User
The individual using this Application, which must coincide with or be authorized by the Data Subject, to whom the Personal Data refers.
Data Subject
The legal or natural person to whom the Personal Data refers.
Data Processor (or Data Supervisor)
The natural person, legal person, public administration or any other body, association or organization authorized by the Data Controller to process the Personal Data in compliance with this privacy policy.
Data Controller (or Owner)
The natural person, legal person, public administration or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.
This Application
The means by which the Personal Data of the User is collected.
Cookies
Small sets of data stored in the User's device.
Legal information
Notice to European Users: this privacy statement has been prepared in fulfillment of the obligations under Art. 10 of EC Directive n. 95/46/EC, and under the provisions of Directive 2002/58/EC, as revised by Directive 2009/136/EC, on the subject of Cookies.
This privacy policy relates solely to this Application.
Latest update: May 01, 2018
By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Your rights
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at Rippon Medical Services Ltd, Medical Advanced Aesthetics & Minor Surgery Clinic, 2 Spinners Yard, Fisher Street, Carlisle, CA3 8RE. info@ripponmedicalservices.co.uk. Our site may, from time to time, contain links to and from the websites of, our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Access to information
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.
Changes to our privacy policy
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
Contact
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Rippon Medical Services Ltd, Medical Advanced Aesthetics & Minor Surgery Clinic, 2 Spinners Yard, Fisher Street, Carlisle, CA3 8RE. info@ripponmedicalservices.co.uk