At Lyrebird Health ("Lyrebird"), we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.
Remember that your use of Lyrebird's Services is at all times subject to our Terms of Service. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.
If you have a disability, you may access this Privacy Policy in an alternative format by contacting support@lyrebirdhealth.com.
1. Introduction
Subsidio Pty Ltd (“Lyrebird Health, we, us or our”) understands the importance of protecting an individual’s rights to privacy. This policy applies to our Lyrebird Health service [“Lyrebird Health” or “Lyrebird Health service”]. It explains how we handle, use and protect the privacy of Personal Data obtained in association with our Lyrebird Health service.
If you are a healthcare practitioner based in the United Kingdom (“UK”) the General Data Protection Regulation (EU 2106/679) and the Data Protection Act 2018 (UK) will apply to you (the “UKGDPR”). Additional information to supplement this policy where the UKGDPR applies is set out in Appendix 1 of this policy. Our collection, use and disclosure of Protected Health Information (as defined in the Health Insurance Portability and Accountability Act of the United States of America (“HIPAA”)) is in accordance with HIPAA.
You may access information about our UKGDPR and HIPAA security measures at: https://trust.lyrebirdhealth.com/
2. About the Lyrebird Health service
Healthcare practitioners engage us to provide our Lyrebird Health service. Our Lyrebird Health Scribe and services help to reduce the administrative burden on healthcare professionals that accompanies every client consultation.
Our Lyrebird Health Scribe transcribes your whole client consultation and produces a near perfect summary of your client consultation in a format ready for you to insert into your own client e-file or management system. This is all done within a few minutes of your client consultation ending.
3. Information collection and use
a) How Lyrebird Health manages personal data of the health-care practitioner
“Personal Data” (known as “personal information” under the Privacy Act 1988 (Cth)) is any information relating, directly or indirectly, to an identified or identifiable natural person. An identifiable natural person is one who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal Data collected by Lyrebird Health is your contact email address, mobile number, full name and your Clinic details. It may also include information you provide to us through our direct contact with you, through customer surveys, or through your use of our website.
We shall only use your Personal Data for the purposes for which it was provided to us, unless we reasonably consider we need to process your Personal Data for another reason that is compatible with the original purpose. The purposes for which we collect your Personal Data include:
▪ to facilitate our interactions with you, including addressing any queries you may have, providing you with information about our Lyrebird Health service and other correspondence with you;
▪ to provide you with the Lyrebird Health service, which includes the creation of your account to use our services, to administer, manage and operate our services, and to protect, improve and optimise our services for you;
▪ to perform internal operations necessary to provide the Lyrebird Health service, including conducting data analysis, testing and research;
▪ to facilitate our internal business operations, including fulfilment of our legal and regulatory requirements;
▪ to facilitate payments using third party PCI-DSS certified payment providers (as set out below) for your use of the Lyrebird Health service; and
▪ any other purpose required by law or otherwise identified to you at the time of collecting your Personal Data.
If we need to process your Personal Data for an unrelated purpose, we shall notify you and provide you with the lawful and legitimate basis for us to process your Personal Data.
We may use your de-identified Personal Data in aggregate form to conduct analysis on how our website and services are being used to help us improve our services.
Lyrebird Health subscription payments are outsourced to the Stripe Payment System, a process to which you will need to agree during the payment process. Lyrebird Health does not hold your payment information. Stripe is a well-known and internationally reputable organisation, with Terms of Service and a Privacy Policy that clearly set out how Stripe manages and protects your Personal Data.
Your Personal Data (and that of your clients) is stored on our database. Our database content is protected with encryption during transit and at rest, which means that only authorised users can access this data.
If and when you delete your account with us, or where your account is dormant for 24 months, then all Personal Data associated with your account is destroyed within a 24 month period. However, changes to the period of retention can occur where:
▪ you may exercise your rights to have the information erased and we do not need it for any permitted reason or required by law;
▪ we bring or defend legal proceedings;
▪ your account is subject to an investigation for criminal or fraudulent activity; or
▪ in limited cases, based on any law, court order or regulator decision for us to change the period of retention.
b) How Lyrebird Health manages your client’s Personal Data
Our Lyrebird Health Scribe captures your whole client consultation from the time you press the record button until you end it. All consultation audio is transcribed in real time. By the time you have finalised your client consultation all audio has already been transformed into text and the audio file is destroyed. This process takes place on Lyrebird Health servers in Australia.
Unless you save your notes within Lyrebird, they will be automatically deleted from the platform. If you choose to save your notes within the Lyrebird Health platform, they will be stored in our Australian database fully encrypted for 7 days after which time they are destroyed. This 7-day window is designed to give you time to access and transfer your Lyrebird Health Patient Notes to your own computer device or management system. It means that after this 7-day window your Lyrebird Health Patient Notes no longer remain with Lyrebird Health and you can no longer access them. You may choose to have your Lyrebird Health Patient Notes stored for any time up to 6 months if you select this option in your settings.
c) Your responsibility to your clients
Once on your own device or management system, responsibility for the security of your Lyrebird Health Patient Notes sits entirely with you.
You are also required to collect, hold, and use your Client’s Personal Data in accordance with the Privacy Act 1988 (Cth) and any relevant Australian State or Territory legislation or, if your health care practice and your clients are located outside of Australia, in accordance with the privacy and data protection legislation applicable to your business.
d) How Lyrebird Health improves your Lyrebird Health website experience
We may keep data on how people use our online Lyrebird Health tool and website. This includes recording the volume of traffic received, the IP address of the connecting devices and the platform features accessed. We make use of cookies and similar technologies to obtain such data; see our section on Cookies and websites below. This information helps us to provide a better user experience and continually improved features on our Lyrebird Health website.
4. Disclosure of personal information
We do not use or share any Personal Data collected in association with our Lyrebird Health service except as described in this policy.
Exceptions to this:
▪ where Lyrebird Health has a legal or regulatory obligation to disclose your contact details - for example, to protect the legal rights, property, or safety of Lyrebird Health, Lyrebird Health clients or others;
▪ where you consent to share your Personal Data [as described] in response to an offer;
▪ where Lyrebird Health Support People, on a needs only basis, access your contact details to provide you with support.
Lyrebird Health Support People are all bound by obligations to respect and protect your privacy and confidentiality.
5. Data security
We have put in place reasonable security measures to protect against the loss, misuse, and alteration of Personal Data under our control. Our Lyrebird Health platform, and our physical and electronic storage of Personal Data are governed by practices and procedures that we consider are reasonable to keep information secure.
We store information in access-controlled premises or in electronic databases requiring logins and passwords. All transmitted data is encrypted. We require our third-party data storage providers to practice appropriate data security. Our people and third-party providers who may have access to confidential information are subject to confidentiality obligations.
Our people are trained on how to keep Personal Data safe and secure. Our data is stored on our servers located within Australia. However, while we make every effort to ensure the integrity and security of our network and systems, we cannot 100% guarantee that our security measures will prevent unauthorised and illegal access to data under our control. Moreover, whilst we take all reasonable precautions, you must keep in mind that transmission of information over the internet is never completely secure and error-free, so please exercise caution in transferring us information as this is done at your own risk.
6. Cookies and websites
Cookies and other similar technologies are used on the Lyrebird Health website. We use cookies to improve the user experience. Cookies are pieces of information that a website transfers to the hard disk of the website user’s computer for record keeping purposes. Most web browsers are set to accept cookies. Cookies do not themselves personally identify users, although they do distinguish individual users who browse the website. Cookies collate the information entered as users move through a website, and record how many people are using the different parts of the website. Where users do not wish to receive any cookies, their browser may be set to refuse cookies, however, this may mean they are unable to take full advantage of all aspects of the website being browsed.
On our Lyrebird Health website, we may provide links to other websites that are controlled by third parties. Where a link to any third party website is followed, those websites will have their own privacy policies. Lyrebird Health does not accept any responsibility for third party websites and how they handle personal information.
7. Status of this policy
Signing up with Lyrebird Health and/or signing up to a Lyrebird Health survey constitutes acceptance of the terms of this privacy policy, as revised from time to time. Technologies and information governance practices are constantly being developed. We may therefore need to revise this privacy policy in the future. You may access our privacy policy on our website, or you may request and obtain from Lyrebird Health’s privacy officer at any time a copy of our most recent Lyrebird Health privacy policy.
8. Accessing, Updating and Removing Personal Data
An individual may lodge a request with our privacy officer to access, update or remove their contact details from Lyrebird Health records. Such a request will be processed within a reasonable timeframe.
9. Direct Marketing and Communications
Where we:
▪ have your express consent;
▪ have a legal basis; or
▪ are otherwise permitted by applicable privacy laws,
we may use and process your Personal Data to send you information about our Lyrebird Health services as well as other products and services we believe may be suited to you and your interests or we may invite you to attend special events or information sessions.
At any time, you may opt out of receiving direct marketing communications from us. Unless you opt out, your consent to receive direct marketing communications from us and to the handling of your Personal Data as detailed above will continue. You can opt out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at privacy@lyrebirdhealth.com.
10. Privacy Enquiries or Complaints
If you have any questions about this privacy policy or our privacy practices you may contact us directly. All privacy complaints should be directed to our privacy officer. A privacy complaint relates to any concern or dispute that an individual has with our privacy practices as it relates to that person’s personal information. At all times, privacy complaints will be treated seriously, dealt with promptly, and in a confidential manner. A person unsatisfied with the outcome of their complaint may refer their complaint to the Australian Privacy Commissioner on 1300 363 992 or email enquiries@oaic.gov.au. If you are based outside of Australia, refer to our Appendix or the local Data Protection Agency in your local jurisdiction.
11. Lyrebird Health Privacy Officer Contact Details
By phone: +61 483 964 067
By email: support@lyrebirdhealth.com
By post: Confidential – Privacy Officer
Subsidio Pty Ltd
7-11 Hill St, Cremorne, Melbourne, Australia
Appendix 1 - UKGDPR
In addition to sections 1 to 11 above, this Appendix shall apply to you as a health-care practitioner if the UKGDPR applies.
A. Data Controller
For the purposes of the UKGDPR, Subsidio Pty Ltd is considered the controller in relation to the processing activities described in this Privacy Policy. This means we decide why and how your personal data is processed in connection with our activities.
However, in some circumstances, we may be the data processor.
B. Basis for Processing Personal Data
We will only process your personal data where we have a legitimate and lawful basis to do so. In general, we will process your personal data in one or more of the following circumstances:
▪ Consent: Where you have given us clear consent to process your personal data for a specific purpose.
▪ Contract: Where processing is necessary for the performance of a contract with you (or your clinic) or because you have asked us to take specific steps before entering into the contract.
▪ Legal Obligation: Where processing your personal data is necessary for compliance with our legal obligations.
▪ Legitimate Interest: Where processing your personal data is necessary for our legitimate interests or the legitimate interests of a third party, and your interests and fundamental rights do not override those interests. In this context, legitimate interests mean the interests of our business in providing you the Lyrebird Health services.
For our purposes, our primary legitimate and lawful basis to process your personal data as a health-care practitioner is from consent and your entry into our contract to use the Lyrebird Health services. However, if we provide services to the NHS, we may also rely on legal provisions under the National Health Service and Community Care Act 1990, the NHS Act 2006, the Health and Social Care Act 2021 and the UKGDPR.
Where you do not provide us with the personal data requested or withdraw your consent to processing, we may not be able to provide you with some or all of our Lyrebird Health services.
C. Storage of Personal Data
Section 5 of our privacy policy applies to the storage of your data. However, for health-care practitioners and their patients in the UK, your data is stored on our servers located within Australia.
D. Transfers of Personal Data
We may share your personal data with third party providers, known as sub-processors. Our sub-processors are listed here: https://trust.lyrebirdhealth.com/. A data processing agreement is in effect with each of our sub-processors that sets out the parameters, purposes and restrictions for which they may process your personal data. These processors are required to securely store your personal data and retain it only for the duration we specify.
If we are required to transfer your personal data to overseas persons or entities, we take all reasonable and appropriate measures to ensure that such data is secured and treated within the confines of the law and this policy. These measures include selecting recipients within countries that have been declared adequately protective of your personal data by relevant authorities or ensuring they are parties to international frameworks committed to ensure adequate protection. If no such declarations are in effect, our contracts require broadly equivalent measures.
E. Your Rights over your Personal Data
Under the UKGDPR, you have certain rights relating to your personal data. These rights include:
▪ To be informed.
▪ Access. You have the right to request we provide you with a copy of your personal data and to check we are lawfully processing it.
▪ Rectification. You have the right to request we correct, amend or update your information, which you believe is inaccurate or incomplete.
▪ Erasure. You have the right to request that we erase or destroy your data in certain circumstances, including where you withdraw your consent, where your data is no longer required for the purpose for which it was collected or where your data has been unlawfully processed.
▪ Restrict processing. You have the right to request that we restrict the processing of your data under certain circumstances, including where processing is inconsistent with the reason for which the data was collected.
▪ Object to processing. You have the right to object to us processing your personal data under certain circumstances, including the right to object to profiling, automation and direct marketing.
▪ Data Portability. Under certain circumstances, you have the right to request we transfer your personal data to a third party.
If you wish to exercise any of the rights set out above, please contact the privacy officer using the contact details set out in this policy. We may ask you for information to verify your identity for this purpose.
In most cases, we will respond to you within one (1) month of having received all required information from you regarding your request.
You will not have to pay a fee to access your personal data or exercise any other right, however we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We also have the right to refuse to comply with your request by law in certain circumstances.
F. Complaints
At first instance, we would like the opportunity to address your concerns. We encourage you to contact the Privacy Officer listed in section 11 of this privacy policy.
If we cannot resolve your concerns or you prefer to deal with an external body, you should contact:
Information Commissioner’s Office
Phone: 0303 123 1113
https://ico.org.uk