Information Audit Document
This Information Audit Document, submitted by the Data Protection Officer of Medfields Limited, Sandeep Anand, describes how Medfields Limited (“Medfields,” “we,” “our” or “us”) holds, uses, stores and shares information in connection with your use of our services and applications (collectively, the “Services”).
This Information Audit Document does not apply to information our customers may process when using our Services. We may collect and receive information about users of our Services (“users,” “you,” or “your”) from various sources, including: (i) information you provide through your user account on the Services (your “Account”) if you register for our Services; (ii) your use of the Services; and (iii) from third-party websites, services, and partners. We recommend that you read this Information Audit Document in full to ensure you are fully informed.
HOW WE COLLECT INFORMATION
Information You Provide
Account Registration: When you register for an Account, we may ask for your contact information, including items such as name, company name, address, email address, Zip Code and telephone number.
- First Name
- Last Name
- Company Name
- Email Address
- Physical Address
- Phone Number
Payment Information: When you add your financial account information to your Account, that information is directed to our third-party payment processor. We also do not store your financial account information on our systems.
The data we collect for payment details is:
- Payment Method
Communications: If you contact us directly or through our chat window, we may receive additional information about you, such as your:
- Email address
- Phone Number
- Contents of the message
- Attachments you may send us
- Any other information you may choose to provide
The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
Information We Collect When You Use Our Services.
- Customer Signup Date
- IP Address
- Backend access (Username, Password and SSH port if any for servers having control panels)
- Frontend access (Username, Password and SSH port if any for servers having control panels)
- Control Panel access (Username, Password and SSH port if any for servers having control panels)
- Client Knowledge Base details collected from client and stored internally in the Medfields local network
- Client Knowledge Base access (Username and Password)
- Client Policy details (Shared by the client and documented by Medfields)
- Ticketing systems logins (Username and Password)
- Access to tools or platforms or systems other than the above mentioned.
- Client's domain registration platform
- Last Login Details to our client platform
- Customer chat tool ID
Information We Receive from Third Parties.
- Third-Party Partners. We may also receive publicly available information about you and combine it with data that we have about you.
- General Information is collected when you access our website. We use your IP address to identify your location/country when you use our website. We also record information such as the page you visited most, the time you spend on our website, the number of visits you made and whether you were referred from any other websites or links.
HOW WE USE INFORMATION
We use the information we collect in various ways, including to:
- If you sign up for a support plan from us, we request certain personal information from you on your registration form. You are requested to provide the details mentioned in (1.1.a) such as name, email address etc. In order to resolve issues, we may be required to log in to servers remotely, communicate with your customers and/or conduct research on proper fixes. Information that users provide through secure & voluntary submissions, which are required for us to remotely access servers and helpdesk systems
- In order to contact our sales or support team, you must share your contact information mentioned in (1.1.a) and (1.1.c) such as Name, Email address and name of the company you represent. We use this information to contact you about the services on our site in which you have expressed interest. Also, if we have trouble processing your order, we will use this information to contact you.
- We use the data (1.3.c, 1.3.d, 1.3.e, 1.3.f, 1.3.g, 1.3.h, 1.3.i, 1.3.j, 1.3.k, 1.3.l, 1.3.m) to improve our service quality, train employees and expand our services.
- We use the data (1.3.c, 1.3.d, 1.3.e, 1.3.f, 1.3.g, 1.3.h, 1.3.i, 1.3.j, 1.3.k, 1.3.l, 1.3.m) to understand, analyze and train our employees with the respective client knowledge base, to develop new services and features, and to prepare customer case studies.
- We use the data (1.1.a and 3.m) to communicate with you, either directly or through one of our employees, including for customer service and feedback, and to provide you with updates and other information relating to the Services.
- Find and prevent fraud.
- We may use the data for compliance purposes, including enforcing our Terms of Service, or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
HOW WE SHARE INFORMATION
We may share the information we collect in various ways, including the following:
- Vendors and Service Providers. We may share information with third-party tools or software with your consent for helping you provide our Services.
- Business Transfers. Information may be disclosed and otherwise transferred after your consent to any potential acquirer, successor, or assignee as part of any proposed merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
HOW WE RETAIN/DELETE YOUR INFORMATION
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
At any time before, during or after our service commitments, you have the right to have the data deleted on request to us through our email, email@example.com.
LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
Medfields takes privacy issues seriously and wants to protect your rights. We understand and respect your concerns regarding privacy and make your online experience satisfying and safe. To do so, we employ a variety of security technologies and measures designed to protect information from unauthorized access, use, or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Our project office is located in a 24/7 public access restricted space secured by the state police department. Our office infrastructure is monitored 24/7/365 with CCTV cameras, and access to the working spaces is restricted by a biometric system.
If you are a registered user, you may access certain information associated with your Account by logging into our Services or emailing firstname.lastname@example.org. If you terminate your Account, any public activity on your Account prior to deletion may remain stored on our servers and may remain accessible to the public. To protect your privacy and security, we may also take reasonable steps to verify your identity before updating or removing your information.
YOUR DATA PROTECTION RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)
If you are a resident of the EEA, you have the following data protection rights:
- Transparency and modalities: In order to ensure that personal data are processed fairly, EU data protection law obliges Medfields to communicate transparently with data subjects regarding the processing of their data.
- Rights of data subjects: We at Medfields are obliged to give effect to the rights of our clients under EU data protection law.
- Identifying data subjects: Third parties might attempt to exercise a data subject’s rights without proper authorisation to do so. Medfields will ask data subjects to provide proof of their identity before giving effect to their rights.
- Exemption where the controller cannot identify the data subject: If Medfields cannot identify the data subject, Medfields is exempt from the application of certain rights of that data subject.
- Time limits for complying with the rights of data subjects: Medfields is obliged to give effect to the rights of data subjects within specified time periods, in order to avoid the frustration of those rights through excessive delays.
- Right to basic information: Medfields is only entitled to a minimum set of information mentioned in (1), (2) and (3) concerning the purposes for which their personal data will be processed.
- Right of access: EU data protection law obliges Medfields to provide data subjects with access to their personal data.
- Right to rectification: Medfields will ensure that inaccurate or incomplete data are erased or rectified. Data subjects have the right to have personal data rectified where the controller fails to comply with the Directive.
- Right to erasure (the “right to be forgotten”): Our clients have the right to have personal data erased or “blocked” where Medfields fails to comply with the Directive (especially where the data are inaccurate or incomplete).
- The right to restrict processing: In some circumstances, data subjects may not be entitled to require Medfields to erase their personal data, but may be entitled to limit the purposes for which Medfields can process those data (e.g., the exercise or defence of legal claims; protecting the rights of another person or entity; purposes that serve a substantial public interest; or such other purposes as the data subject may consent to).
- Notifying third parties regarding rectification, erasure or restriction: Where a controller has disclosed personal data to any third parties, and the data subject has subsequently exercised any of the rights of rectification, erasure or blocking, the controller must notify those third parties of the data subject’s exercising of those rights. The controller is exempt from this obligation if it is impossible or would require disproportionate effort.
- Right of data portability: Data subjects have the right to transfer their personal data between controllers (e.g., to move account details from one online
- Right to object to processing: Data subjects have the right to object, on any compelling legitimate grounds, to the processing of personal data, where the basis for that processing is either “public interest” or “legitimate interests”. Those lawful bases are not absolute, and data subjects may have a right to object to such processing.
- Right to object to processing for the purposes of direct marketing: Data subjects have the right to object to the processing of their personal data for the purposes of direct marketing.
- If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing email@example.com.
- In addition, you can object to the processing of your personal information, ask us to restrict the processing of your personal information, or request portability of your personal information. Again, you can exercise these rights by emailing firstname.lastname@example.org.
- Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
INTERNATIONAL DATA TRANSFERS
This audit was done and the report was submitted by Sandeep Anand, Data Protection Officer, Medfields Limited.