Welcome to impedia.org (the «site»), the website of the Institute of Medical Procedures («IMP», «we», «us» or «our»), a Swiss non-profit association with its registered office at Freiburgstrasse 3, in 3010 Berne, Switzerland.
The protection of your personal data is very important to us. In this privacy policy, we explain what data we collect, on what legal basis and for what purpose, as well as with whom we may share this data and what your rights are in this regard. Unless otherwise stated, IMP is the controller of your personal data and is therefore responsible for the processing of your personal data.
This privacy policy is based on the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).
By accessing or using this site or any of our services, whether as a registered user or as an unregistered visitor, you acknowledge that you have read this privacy policy, and consent to the handling of your personal data as described hereinafter. If you do not acknowledge this privacy policy, do not use the site or our services.
If you have any questions regarding how we collect or process personal data, please contact us at the address set out above.
In order for you to better understand what data we collect and for what purpose, we would first like to briefly explain our vision and the intended use of our services:
IMP has launched the platform IMPEDIA (the «platform»), that collects user generated content from medical professionals and institutions in all relevant disciplines. The platform is intended to facilitate planning, visualization and documentation of surgical procedures. It can be used in the context of any type of surgical procedure, regardless of the medical indication and patient population. It is aimed at health care professionals, such as surgeons, nurses and other hospital staff, and at institutions of medical education and training («health care professionals»).
The collected content, such as outcome and best practice insights, shall be made available to all IMPEDIA -connected professionals in templates or even to the public. The aim is to improve the quality and safety as well as the effectiveness and sustainability of medical treatment.
Thus, we collect on one hand personal information about you as a health care professional. We mainly need these to be able to offer our services in accordance with their purpose. This privacy policy shall cover exactly this personal data about you, which we are responsible to protect.
On the other hand, we collect data generated by you («user content»), which you can process and publish via our services. We would like to point out that we are not responsible for the content you process via our services, in particular not for personal data of third parties, such as data of your patients. Such are not covered by this Privacy Policy. We only technically enable you to process third party data through our services in order to facilitate your surgical treatment. However, we have no control over whether and which data you process. This is solely your responsibility. You must ensure that the user content you make publicly available is anonymised or pseudonymised. We also do not possess a data based key to re-identify patient data. Please note that once you have made your content public, it is just that – public.
Personal data is understood to be all information that relates to an identified or identifiable person. In general, we collect your personal data when you provide it to us directly, automatically when you use our services or from third party sources.
We process your data only for specified purposes and only in legally permissible cases. You will find below the individual data processing operations and their legal basis. The following reasons are possible:
You will find a reference to the legal bases in the respective processing operations hereinafter.
If you have given us consent to process your personal data for specific purposes, we will process your data within the scope of this consent unless we have another legal basis. You may revoke your consent at any time. Data processing that has already taken place is not affected by this.
To use the services, with the exception of the site itself, you have to create a user-specific account (the «account»). When you register an account, we collect your full name, your e-mail address, job title, Institute and clinic. We mainly use this information to set-up, validate and administer your account. We also use it to associate your user content with a particular medical specialty.
Once a registered user, you may provide additional information in your personal account which describes you, your biography, your academic background, institutional affiliations, credentials, professional experiences and/or your surgical discipline and speciality. Providing additional information to your account is not required and entirely optional, but it may allow you to derive greater benefits from using the services, such as receiving discipline specific content. This additional information can be updated or removed by you at any time, and you may choose whether to make some of this information publicly visible to other users.
Log data
When you access the site or use our services, the provider of the services automatically collects and stores information in so-called server log files, which your devices via browser and/or iOS application transmits to us. These are:
The log files are stored and used in order to guarantee the functionality of the site and the services and to ensure the security of our information technology systems. This is our legitimate interest and serves as the legal basis.
Metadata
Sometimes we automatically receive location data from your device. For example, if you upload a photo to our services to attach to a surgical procedure, we may automatically receive metadata, such as the place and time you took the photo, from your device. Please be aware that the default settings on your devices may include the metadata of your photos or videos. If you do not want metadata to be shared, please change your settings on your device.
Cookies
Our services use cookies. Cookies are text files that are stored on the operating system of your device with the help of the browser when you call up our site. Cookies do not cause any damage to your device and do not contain viruses. A cookie cannot be used to read data off your device, nor can it read cookie files created by other sites. We use cookies to improve your experience on the site; for example, by setting a cookie on your browser, you would not have to log in a password more than once, thereby saving time. You can choose whether to accept cookies or not by changing the settings of your browser. You can reset your browser to refuse all cookies or allow your browser to show you when a cookie is being set. If you reject the cookies on the site, you may still be able to use the site, but your use may be limited in some areas or limited to certain functions of the site. If you choose not to reject the cookies, this will accordingly be deemed to be your consent.
Google Analytics
We use Google Analytics, a web analysis service, and Google Analytics for Firebase («Firebase»), an app analysis service, both of Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; https://www.google.de/intl/de/about/). Both use cookies (see above) to offer an overview on the use of the website or app regarding information as:
Usually, this information is transmitted to a Google server in the USA and stored there on a website with activated IP-anonymization. That means an abbreviation of the users’ IP address from members of EU states or other contracting states. Exceptionally, the complete IP address is transmitted to Google / USA and shortened then. On behalf of the website operator Google uses this information to evaluate the users’ website or app, to collect activities and to offer further services regarding use of website, app or internet in general towards the operator. Google Analytics and Firebase do not connect your IP address (transmitted by your browser) with other Google data. The Privacy Shield Agreement applies to the transfer of data to the USA.
You can prevent cookies from being stored by setting your browser software accordingly. This often – however – implies that if so, you are not able to use all services to the full extent. For information on how Google Analytics and Firebase collect and process data, as well as how you can control information sent to Google, review Google’s site «How Google uses information from sites or apps that use our services» currently located at www.google.com/policies/privacy/partners.You can learn about Google Analytics’ currently available opt-outs, including the Google Analytics Browser Ad-On here https://tools.google.com/dlpage/gaoptout. If you choose not to reject the cookies, this will accordingly be deemed to be your consent.
Crash- and Bug-reporting-tools
We want to provide our services as error-free as possible and constantly improve them. However, not all malfunctions, such as programming errors, can be ruled out from the outset. Therefore, we use various so-called crash or bug reporting tools, such as Bugsnag (Bugsnag Inc., 939 Harrison St, San Francisco, CA 94107 USA), AppCenter (a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA) and/or Rollbar (Rollbar Inc., 510 Federal Street Suite 401 San Francisco, CA 94107 USA). These are technical error analysis services that analyse, evaluate and categorise occurred errors. To improve the accessibility and technical stability of our services by monitoring functionality, system stability and identifying code errors, we may transmit the following information directly to these providers in the event of a software error such as:
An evaluation for advertising purposes does not take place. The data is collected anonymously, not used in a personalised manner and is subsequently deleted. This analysis helps us to further improve our services and to correct undetected code errors. It is therefore in our legitimate interest, as the data serves the sole purpose of error identification and analysis.
The Privacy Shield Agreement applies to the transfer of data to the USA.
We also receive information about you when you decide to contact us. For example, if you email us, we may keep your message, email address and contact information. We need this to categorise your enquiry, respond to it and, if applicable, investigate any breach of our terms of use or this privacy policy. This is our legitimate interest and serves as the legal basis.
We primarily collect your personal data directly from you. We may also receive personal data about you from third parties. This data may namely include the following categories:
As already mentioned, we use all of this personal data about you primarily to provide you with our services in accordance with their purpose. We may further use it to:
In connection with the collection and use described above, we may disclose your personal information to third parties as follows:
Public
Your account is publicly viewable by other registered users if you join a team and/or publish content with visibility set to public.
Service providers
We may share your information with third parties that help us provide our services, including in the areas of website and database hosting and maintenance, telecommunications, information security, fraud detection and prevention, email management, data analytics, marketing, advertising, member support, and identity and professional credential verification.
Research institutions
As part of IMP’s intention to drive quality of medical treatment, we may share your information with research institutions that perform research related to their respective missions. We require these institutions to agree that they will only use and share the data as needed for the approved research purpose. We may publish or allow others to publish insights learned from such research activities.
Educational institutions
We may share your data with educational institutions that use your data as part of their respective educational offerings. We require these institutions to agree to use and share this data only for the approved educational purpose.
Business transferees
We may share your personal information in connection with a business transaction (or potential transaction) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, IMP or our corporate affiliates (including, in connection with a bankruptcy or similar proceedings).
Affiliated companies
We may share personal information with our corporate affiliates for use consistent with this privacy policy.
Legal requests
We may share your information with third parties, as required or permitted by applicable law, if we believe it is reasonably necessary to comply with legal process and law enforcement instructions and orders, such as a search warrant, subpoena, statute, judicial proceeding, or other legal process served on us, which may involve disclosure to law enforcement, courts, or governmental authorities.
Other third parties
We may share your information if we determine it is reasonably necessary or appropriate to investigate, prevent or take action regarding suspected fraudulent, harmful, unethical or illegal activities, or any violation of our terms of use or to protect and defend the legal rights, safety, and property of IMP, our employees, agents and contractors (including to enforce our agreements) or in connection with any safety or security concerns, including the personal safety of our users and the public.
With your consent
We also may share your personal information with a third party in a manner not addressed by this policy with your consent.
Transfer abroad
Under certain circumstances, your personal data may also be transferred to companies abroad within the scope of commissioned processing. These companies are obligated to data protection to the same extent as we are. If the level of data protection in the country to which data is transferred does not correspond to that in Switzerland or the European Union, we contractually ensure that the same level of protection is guaranteed as in Switzerland or the European Union. This can be done through standard data protection clauses of the European Commission or a supervisory authority or approved and authorised codes of conduct together with binding and enforceable obligations of the recipient or authorised certification mechanisms together with binding and enforceable obligations of the recipient.
If data is transferred to a company in the USA, we ensure that this company is certified in accordance with the Swiss or EU-US Privacy Shield Agreement, thereby ensuring that the level of data protection in Switzerland or the EU is complied with. In the absence of certification, we obtain the necessary guarantees by contract.
You sharing information with third parties
As mentioned before, we technically enable you to process third party data through our services. We also enable you technically to inform third parties about such information. You are for example able to send a specific treatment report to another involved health care professional. However, we have no control over whether and which patient data you may share over our services. You are solely responsible to acquire the necessary consent of the person/patient concerned.
We take data security very seriously and we strive to protect your personal information. We use a variety of industry-standard security technologies and procedures designed to help protect your information from unauthorized access, use, or disclosure (such as access control procedures, network firewalls, and physical security). Unfortunately, there’s no such thing as completely secure data transmission or storage, so we can’t guarantee that our security will not be breached (by technical measures or through violation of our policies and procedures). In the event of a data security breach, we will take all essential actions as required under applicable laws.
The site may contain links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave this site and to read the privacy policies of every site that collects personal information. If you decide to access any of the third-party sites linked to our site, you do this entirely at your own risk. Any links to any partner of the site is the responsibility of that partner.
IMP will generally only store your personal information for as long as necessary to fulfil the purposes for which we originally collected it. However, depending on the type of personal data to be processed and the purpose of processing, the actual retention periods may vary. In addition, there are laws and local regulations that set minimum periods for the retention of personal data. The actual retention period for your personal data thus depends on whether we process your personal data as part of a contractual relationship with you, based on your explicit consent, whether we process the personal data for our own legitimate interests or whether IMP is legally obliged to retain the personal data for a certain period or to comply with certain legal obligations.
Please remember that when you generate content yourself and make it publicly available through our services, this content and you as the generator are public. Transparency of user content is critical to its effectiveness and trustworthiness.
You have the legal right to receive information from us about which personal data is stored about you. You can also request the correction of incorrect data or the deletion of personal data, provided that this does not conflict with any legal obligations to maintain data privacy or any legal permissions that allow processing. Furthermore, you may, under certain circumstances, have the processing of your personal data restricted or object to it. You also have the right to demand that we return the personal data you have provided to us (right to data portability). You have the right to receive the data in a structured, commonly used and machine-readable format. You may revoke your consent to any data processing procedure.
Please note that the exercise of your rights may be subject to legal restrictions. We reserve the right to assert these, e.g. if we are obliged to retain or process certain data, if we have an overriding interest in doing so or if we need the data to assert claims. Please note that the exercise of your rights may, under certain circumstances, conflict with contractual agreements and may have corresponding effects on the performance of the contract (e.g. early termination of the contract or cost consequences).
The exercise of your rights requires that you prove your identity (e.g. by means of a copy of your identity card if your identity cannot be established in any other way).
If you are affected by the processing of personal data, you have the right to enforce your rights in court or to file a complaint with the competent supervisory authority. The competent supervisory authority in Switzerland is the Swiss Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
Please note that these rights only relate on your personal data but not on the content you generate and make publicly available through our services. As set out in our terms of use, once you publish your content trough our services we are free to use it and you grant us and our affiliates a non-exclusive, irrevocable, royalty-free, worldwide, perpetual, unlimited and fully sublicensable right to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, display, improve, remove, retain, add, process, analyse, in-dex, tag and commercialize such user content throughout the world in any media on or in connection with the services.
We reserve the right to modify this privacy policy at any time and in our sole discretion. When we make a change, we will post the updated policy on or through our services. We may, and if required by law will, also provide notification of changes in another way that we believe is reasonably likely to reach you, such as by e-mail (if you have an account where we have your contact information) or another manner through the services. Any modifications to this privacy policy will be effective upon posting or as otherwise indicated at the time of posting. In all cases, by continuing to use the services after posting of the updated policy, you are consenting to the changes.
If you have any questions or suggestions about this privacy policy or our privacy practices, you may reach us at info@impedia.org
V1.0 – Berne, 08.08.2022