Dated 18 May 2022
This Data Protection Statement provides information about the ways in which Pivot Health collects, stores and uses personal data relating to individuals (data subjects). This Data Protection Statement relates to personal data received by Pivot Health where data subjects contact, or request services from, Pivot Health directly, and personal data received by Pivot Health indirectly, for example through your medical insurer or employer.
Pivot Health is a trading name of Spectrum Connected Health (Company Registration number 536927), with a registered address at
95 Merrion Square
Pivot Health provides curated, evidence-based programmes focused on human connected musculoskeletal care that is amplified through technology to deliver better clinical outcomes, improved patient experiences and lower costs.
Pivot Health are registered with the Data Protection Commissioner (DPC) as a Data Controller. As a Data Controller, Pivot Health employs appropriate technical and organisational measures to meet its obligations under the EU General Data Protection Regulation 2016/679 (GDPR) and Data Protection Act 2018, ensuring that all Data Processors which we work with do the same.
Where we provide services to you on behalf of a client, we may act as a Data Processor. In this case we employ the same technical and organisational measures to ensure we meet our obligations under relevant legislation.
In accordance with Article 37 of the GDPR, Pivot Health has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data, you can do so by e-mailing [email protected] or by writing to us at:
95 Merrion Square
Pivot Health processes personal data for several different purposes which arise from our services. When processing personal data Pivot Health adheres to the requirements of lawfulness, fairness & transparency, purpose limitation, data minimisation, accuracy, retention, security and accountability.
We collect two types of data: personal data, and special category (sensitive) data:
Whenever Pivot Health processes personal data, a legal basis for that processing is assigned. Where you engage directly with us, that processing will primarily be based on “consent”. Where you are referred to us by a 3rd party (e.g., a medical insurer, employer or other body), that processing will be based on “performance of a contract” initially, and additionally “consent” thereafter as you engage with our services. Additional processing of your personal data (for example when monitoring service levels, internal reporting activities, billing etc.) is carried out under “legitimate interest”.
When you contact Pivot Health to avail of any of our services, we will ask you to provide, either by phone or electronic means, your name, address, date of birth, telephone number, and email address. We may also ask you to provide answers to screening and/or risk assessment questionnaires. The information provided may be used by Pivot Health to:
Where payment for services is required, we will collect and process billing and payment information.
Pivot Health provides services for health insurance providers, employers and other companies with which we have appropriate data sharing agreements in place. Where relevant, these 3rd parties may provide us with basic personal information relating to you to enable us to contact you and arrange provision of services.
When you are in receipt of Pivot Health Services you will be asked to provide further sensitive (Special Category) data to allow your service provider to:
When we communicate with you regarding our products and services for the first time, we will give you the option to “opt-in,” and on every subsequent communication there will be an option to “unsubscribe.” If you subscribe to our email newsletter, we use email tracking to record and save your email address to your subscriber record to monitor and store your preferences.
We will never use your data for direct marketing purposes without your consent. You may opt out at any time, including at the time the data is collected, or on every subsequent marketing message.
It should be noted that other methods of communication for the purposes of operating the service (e.g., confirmation of appointments or reminders, etc.) do not fall under “direct marketing”.
Where Pivot Health provides a service to you in connection with a 3rd Party referral (e.g., health insurer, employer, etc.), we may provide them with personal data in order to accurately identify you, some limited information on the nature of the service provided (physiotherapy, dietetics etc.) and an indication of the outcome (treatment concluded, onward referral etc.) for your case to be managed effectively. We will never provide any sensitive medical information relating to you without your consent.
As Pivot Health and its associated companies with whom we have a Data Sharing Agreement (as listed above, but not limited to) can, where necessary, operate on shared systems, limited personal data will be visible to essential personnel across these associated companies. Pivot Health will never share your personal information with any other third party without your consent unless required to do so by law.
All of your personal and health data is stored securely, offsite and in electronic format on our systems. All electronic data is hosted within platforms which are secure, password protected and encrypted. For some services additional platforms may be used for the purposes of collecting and storing data. Pivot Health has adequate measures in place to ensure that your information is held securely, within the EU. Any personally identifiable information you elect to make available publicly on our sites – e.g., posting comments on any of our social media channels or blog posts – will be available to others.
Where Pivot Health processes and stores data in the UK, we do so under the Adequacy decision which was adopted by the European Commission on 28 June 2021. This adequacy decision allows personal data to flow freely from the European Union to the United Kingdom. Under Article 45 of the GDPR, the European Commission has the power to determine whether a country outside of the EU offers an adequate level of data protection.
Access is restricted to essential personnel of Pivot Health and partner companies who are bound by their professional ethics and/or confidentiality/data sharing agreements.
We may provide non-personal data to third parties, where such information is combined with similar information of other users of our website. For example, we might inform third parties regarding the number of unique users of the services we provide, the demographic breakdown of our service users, or the number and demographic breakdown of visitors to our website and the activities they engage in while on our website.
The third parties to whom we may provide this information may include commercial partners, sponsors, licensees, researchers and other similar parties. We will never disclose your Personal Data to third parties unless you have consented to this disclosure or unless the third party is required to fulfil your order (in such circumstances, the third party is bound by similar data protection requirements).
We will disclose your Personal Data if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other statutory requirement.
Your data will be held by Pivot Health as long as is legally required. In the case of healthcare, we retain records for a minimum of eight years from the date of last treatment. In the case of children’s records, the period of eight years begins from the time they reach the age of 18.
After that time period your data will be securely deleted, as per our data destruction policy.
Under data protection law, data subjects have certain rights.
Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by Pivot Health.
Your data subject rights are:
Any request should be put in writing and will be responded to by us within 30 days. Please contact us either by email at [email protected] or by post to:
95 Merrion Square West
All correspondence should be marked for the attention of our GDPR team.
For your protection, we may need to verify your identity to process your request. Where we are unable to fully respond to your enquiry within 30 days, we will notify you of this within 30 days and provide an estimated date by which you will receive a full response.
Like most websites, we gather statistical and other analytical information collected on an aggregate basis of all visitors to our website.
This Non-Personal Data comprises information that cannot be used to identify or contact you, such as demographic information regarding, for example, user IP addresses where they have been truncated or anonymised, browser types and other anonymous statistical data involving the use of our websites.
Any external links to other websites are clearly identifiable as such, and we are not responsible for the content or the privacy policies of these other websites.
You are always free to decline our cookies, if your browser permits, or to ask your browser to indicate when a cookie is being sent. You can also delete cookie files from your computer at your discretion. Note that if you decline our cookies or ask for notification each time a cookie is being sent, this may affect your ease of use of this website.
We reserve the right to transfer information (including your personal data) to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of our company in the following cases:
You will be notified in the event of any such transfer, and you will be afforded an opportunity to opt-in.
We may make changes to this Data Protection Statement to reflect relevant laws or changes to our practices; however, the “last updated” date will always be listed at the top of this page.