Privacy Policy

Introduction

At Montu Group UK Ltd we are dedicated to improving the lives of people with various conditions that can be managed through treatment using medical cannabis. We bring together patients, healthcare providers, academia, life science companies and regulators to evolve medical cannabis and treatment; combining the most advanced technology, data- driven knowledge and our expertise in medical cannabis .

Montu Group UK Ltd (or “we,” “our,” or “us”) respects your privacy, and we are committed to protecting it through our compliance with this policy. Transparency and clarity are important for us and we want you to feel in control of and understand how we handle your personal data.

Our company is registered with the Companies House (number 14043081) and has its London office at 128 City Road, London, United Kingdom, EC1V 2NX.

This Privacy Policy (our “Privacy Policy”) describes the types of information we may collect from you or that you may provide when you visit the website and the Montu application (our “Application”) and through email, text, and other electronic communications between you and and our services for collecting, using, maintaining, protecting, and disclosing that information through .

We may revise this policy from time to time and will notify you if we are making any significant changes.

Please read this policy carefully so that you understand the terms and how they apply to you.

If you have any questions about how we process your information, please do not hesitate to get in touch by contacting us at qa@montugroup.com

Important information

For the purposes of the General Data Protection Regulation (GDPR), when you access our Services we are acting as the data controller (this is a legal term that describes a person or entity that controls the way your data is used and processed). We are registered under the Data Protection Act 2018 with the Information Commissioner’s Office (the UK data protection regulator). Our registration number is ZB357212 and can be viewed online on www.ico.org.uk. You can also access useful guidance and information about your rights in relation to your personal data on that website.

By accessing or using our Services you acknowledge and consent to the collection and use of information in accordance with this Privacy Policy, our Terms of Service together with our End-User Licence Agreement (EULA if applicable) and any additional terms of use incorporated by reference into the EULA. By accessing our Services you agree that we may treat your information as set out in this Privacy Policy. If you do not agree with any of the terms of this Privacy Policy, our EULA or Terms of Service, you are advised not to use our Services.

Please take the time to read and understand how this policy applies to you. We reserve the right to change this Privacy Policy from time to time by changing it or updating it on the website.

It does not apply to information collected by:

us offline or through any other means, including on any other website operated by Montu Group UK Ltd or any third party;
any third party through any application or content (including advertising) that may link to or be accessible from or on the website or Application.

Information we may collect from you

Personal data means any information relating to an identified or identifiable living individual (Personal Data). It does not include data where sufficient information has been removed or randomised such that an individual can no longer be identified directly or indirectly (Anonymous Data).

We collect information about you if you register with or use our website;
We may collect, use, store and process different kinds of Personal Data about you that you submit through your use of the Services:

Identity information including your first names, age range demographic, and gender that you provide by completing forms on the website, including if you register as a user of the Services,
upload or submit any material via the Services, or when you request any information;
Contact information including your email address**;
Login information including information in connection with an account sign-in facility.

How is your personal data collected?

We use different methods to collect data from and about you, including

Direct interactions: you may provide us with your identity and contact details when you register to use our Services. You may provide further data by submitting information via the website, responding to surveys or providing feedback.
Automated technologies or interactions: when you interact with our Services, we will automatically collect technical data about the device you are using, your browsing actions and patterns and (if you enable location sharing) your location data, using cookies or other similar technologies (explained further below).
Integration with third-party health information sites: if you choose, when prompted, to grant them permission to access other health or fitness related applications installed on your device, we may access and use your Third-party Health information sites data collected by those third-party applications, as defined above. You may disable such permissions at any time in your device settings and/or via the relevant third- party application.

How we use your Personal Data and purposes for processing your data

We take the protection of your personal information very seriously and will only ever use your Personal Data lawfully and in accordance with the requirements of Data Protection Legislation.

Common legal grounds for processing your data:

The most common purposes for which we use your personal data and the legal grounds on which we do so are:

to enable us to perform our contract we have entered into or are about to enter into with you to provide you with the services and information offered through the website, subject to our EULA and Terms of Service with you, and to improve those services; where it is necessary for our legitimate interests (or those of a third-party) as a commercial organisation for the purposes of managing and planning our business, and your interests and fundamental rights do not override those interests, in which case we may (keeping our information secure at all times and in a way that is proportionate and respects your privacy rights) use your personal information which we collect in the course of running and/or improving our business and developing new products and services, including:
audit the website access and data from the Services; improve the layout and/or content of the pages of the website and customise them for users; identify visitors to the website; conduct analysis and carry out research to further and improve medical care and treatment of health conditions and diseases; analyse aggregated and anonymised outcome data to provide recommendations on patients journeys and develop technology to automate guidance; forecast demand of service and to understand other trends in use, including which features users use the most and nd the most helpful, and what features users require from us.

This does not involve making any decisions about you - it is only about improving the Services we deliver to you and other users. Strict confidentiality and data security provisions will apply at all times; troubleshoot bugs within the Services; and troubleshoot and help you with any questions/enquiries; or where we need to comply with a legal or regulatory obligation.

Legal grounds for processing Special Category Data:

Due to the nature of our Services, we will collect and process certain types of data about you which are classified by law as being Special Category Data. Special Category Data includes information about your health and other medical data, which we collect in order to effectively provide our Services to you. In order to lawfully process such data, we will only do so where one of the following conditions applies:

You have given your explicit consent to such processing of your personal data

Where you have consented to the processing, we will also use your personal data to:

provide your surgeon, doctor or other health professional with information about the progress of your recovery and treatment, for example, survey scores or symptom surveys;

or to (always having removed personal identifiers, such as your name, address and contact details) improve our healthcare products and services, and our artificial intelligence systems, so that we can deliver better healthcare to you and other users, and further research into care and disease progression. This does not involve making any decisions about you - it is only about improving our products, services and software so that we can deliver a better experience to you and other users, and help achieve our aim of making healthcare affordable and accessible to everyone. Strict confidentiality and data security provisions apply at all times.

No General Marketing

To better track your progress pre- or post- treatment, we may contact you via email, over the phone or through sms, requesting you to fill out a survey or answer questions about your treatment and recovery progress. We may still contact you, even if you de-register via the website. Please note, we will only contact you with information related to your treatment and use of the website, including to share articles, referrals or other content related to your treatment which we think would be of particular interest to you. We will not, without your express opt-in permission, use it to send you general marketing emails on behalf of third-parties.

You have the right to obtain confirmation from us as to whether we are processing your personal data and to request to opt out of any marketing.

You also have the right to ask that we update any information we hold about you that may be incorrect. It is important that the information we hold about you is accurate and up to date.

In certain circumstances, you have the right to request that we restrict the way in which we process your data, or that we erase all personal information that we hold about you.

You have the right to object to certain types of processing including marketing.

We will do our best to respond to your request within one month, however, if that is not possible due to the number or complexity of requests we will notify you and keep you updated. Please write to qa@montugroup.com

For further information on your rights, please visit https://ico.org.uk/your-data-matters/

Purposes for which we will use your Personal Data

When processing your personal data, we will always rely on one or more of the following lawful grounds:

Ground 1: It is necessary in order for us to perform a contract we have entered, or are about to enter into with you (such as our EULA, to provide the services made available through the Website).

Ground 2: It is necessary for our legitimate interests (or those of a third-party) as a commercial organisation for the purposes of managing and planning our business and your interests and fundamental rights do not override those interests.

Ground 3: You have provided your express consent to the processing of your personal data for

the relevant specified purpose.

Ground 4: It is necessary for the purposes of preventative or occupational medicine, medicinal diagnosis or the provision and management of healthcare and treatment.

Ground 5: It is necessary for reasons of public interest to ensure high standards of quality and

safety of healthcare and medical devices.

Ground 6: It is necessary for the purposes of complying with a legal or regulatory obligation.

Information sharing

We may share your information, including information that you submit to the Website:

if required or authorised by law or a legal process, such as to law enforcement bodies to assist in their functions and courts of law; and third-parties in connection with negotiations prior to any merger, sale of our assets, financing or acquisition of part or all of our business to another company (at this stage, we would only share Anonymous Data and not your personal information).
In the event that we undergo re-organisation or are sold to a third-party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third-party.
We may disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Services or the rights, property or personal safety of any person.
We may disclose aggregate statistics about visitors to the website and in order to describe our services to prospective partners, sponsors and other reputable third-parties and for other lawful purposes, but these statistics will include no personally identifiable information.

Security

We place great importance on the security of all personal information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.

You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the website whilst it is in transit over the internet and any such submission is at your own risk.

You are responsible for keeping your password confidential to prevent unauthorised access to your personal data and we ask that you do not share your password with anyone.

Data Storage, Security and Transfers

We are committed to protecting the security of your data by endeavouring to ensure appropriate technologies and processes are maintained to avoid unauthorised access or disclosure. We store all your personal data on secure servers.

Where you have chosen a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

Your personal information which we collect is generally transferred to and stored on secure third-party servers located in the UK or European Economic Area (EEA). Such storage is necessary in order to process the information. Where your data is processed or stored outside of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is in place:

we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
where we use certain service providers, we may use specific contractual terms approved by the European Commission which give personal data the same protection it has in the EEA;

Any transfers made will be in full compliance with the Data Protection Legislation.

We encrypt your data at transmission to and from and at rest. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We ensure that processing, analysis and research environments in relation to anonymised data and personal data are separated and that access to this data is restricted. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

Retention

We retain personal data in line with the NHS Records Management Code of Practice for Clinical Audit data. This means that we hold data for two years from the point of last use, at which point the data is reviewed and deleted if no longer needed.

In the event of being notified of the death of an website user, we will ensure that no emails are sent and the data will be reviewed and retained for two years from when the website was last accessed by the user.

We may also retain aggregate information without limit beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.

Your rights

The information we provide in this section is a brief summary of your rights under the GDPR and relevant local legislation (such as the Data Protection Act 2018 in the UK) and you should still read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

Right to understand how your data is used: You have the right to know how we will use your personal information. This is described in this Privacy Policy.

Right to withdraw consent: To the extent that we process data on the basis of your consent, you have the right to withdraw that consent at any time by emailing qa@montugroup.com . If you have given additional consent for your data to be shared to a third-party, you have the right to withdraw this consent at any time by email. Withdrawal will not affect the lawfulness of any processing undertaken prior to your withdrawal;

Right of access: Understand and request a copy of information we hold about you (known as a Subject Access Request). Recordings of your phone calls and video calls (if applicable) with us and other medical notes can be accessed via the website. For other information, you can make a request by email;

Right to rectification of your Personal Information: Ask us to rectify any information which you believe is inaccurate or erase information we hold about you, subject to limitations relating to our obligation to store medical records for prescribed periods of time;

Right to restrict our processing: Ask us to restrict our processing of your personal data or object to our processing of your data for any specific purpose;

Rights in relation to automatic decision making: If we use any systems which make decisions about you by automated means, we will tell you about the existence of such systems and the outcome of such decisions and you have the right to appeal such decisions to a human decision-maker;

Right to data portability: You may ask for your data to be provided in exercise of this right, and we will provide an extract of your data record in our standard format. However, we will not carry out any reformatting, conversion or migration of that data to other systems; and

Right to object to use of data for marketing: Prevent the use of your personal information for direct marketing purposes.

You may also contact the Information Commissioner’s Office (the data protection regulator in the UK): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Cookies & other technologies

When you interact with the Services, we try to make that experience simple and meaningful. When you visit the website, a web server sends a cookie or other similar technology to your computer or mobile device (as the case may be). Cookies are small pieces of information which are issued to your computer or mobile device when you visit a website or access or use a mobile or other devices and store and sometimes track information. A number of cookies we use last only for the duration of your web session and expire when you close your browser. Other cookies are used to remember you when you return to the website and will last for longer.

The cookies and/or other similar technologies we use collect information, such as the type of internet browser or mobile device you use, any website from which you have come to the website, your IP address and/or the operating system of your computer or mobile device.

We use cookies to remember that you have viewed us before. This means we can identify the number of unique visitors we receive. This allows us to:

make sure we have enough capacity for the number of users that we get; customise elements of the promotional layout and/or content of the pages of the Services; and collect anonymous statistical information about how you use the Services (including how long you spend on the Services and which devices you use to access them) and where you have come to the Services from, so that we can improve the website and learn which parts of the Services are most popular with users.

Some of the cookies used by the Services are set by us, and some are set by third-parties who are delivering services on our behalf. These third-parties each have their own cookie policies. As we make changes to our website and Services, the list of third-parties is subject to change. An up to date list of third-parties can be provided on request.

Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting the ’All About Cookies‘ website which includes additional useful information on cookies and how to block cookies using different types of browser or mobile device.

Please note, however, that by blocking or deleting cookies used on the Services, you may not be able to take full advantage of the Services.

External links

The Services may, from time to time, contain links to external websites. We have not reviewed the content of and are not responsible for the privacy policies or the content of such websites.

Changes to this Privacy Policy and Further Information

We may revise this Privacy Policy from time to time and in doing so we may change what kind of information we collect, how we store it, who we share it with and how we use it. The most current version of the policy will govern our use of your information and will always be found on our website. Please regularly refer to this page for the latest version of our privacy policy. If we make a change to this policy that we believe, in our sole discretion, is material, we will notify you via an email to the email address associated with your account. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised Privacy Policy.

Please submit any questions, concerns or comments you have about this Privacy Policy or any requests concerning your personal data by emailing qa@montugroup.com

References:

NHS Digital - NHS Digital has responsibility for standardising, collecting and publishing data and information from across the health and social care system in England.

Information Commissioners Office - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

General Data Protection Regulation - The legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).

NHS Records Management Code of Practice - The Records Management Code of Practice for Health and Social Care 2016 sets out what people working with or in NHS organisations in England need to do to manage records correctly

Data Protection Act 2018 - ensures data protection laws fit for the digital age where increasing amount of data is being processed.