Last revised: 1 January 2024
Parties
- The website operator of frcophthnotes.com; and
- You, the user of frcophthnotes.com.
Background
- frcophthnotes.com ("the Website") provides educational notes and resources for ophthalmology trainees and qualified ophthalmologists. Users can subscribe to access additional premium educational content available on the Website.
- To subscribe, a user is required to provide their email address. A user's email address will be stored securely by Supabase for the purposes of authorising access to subscriber content and managing the user's subscription.
- Subscription payments are processed through Stripe. However, credit card or other financial details are not stored on the Website or passed to Supabase.
- The Website does not use any non-essential cookies such as those used for analytics or advertising. Any cookies used are essential for the functioning and security of the Website.
- The processing of users' email addresses is necessary for the purposes of the legitimate interests of providing the subscription service and content. Users consent to their email address being stored when they subscribe.
Definitions
- Personal data means any information relating to an identified or identifiable living individual.
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- User means any individual who accesses or uses the Website.
- Website means the website located at the domain name frcophthnotes.com.
- We/Us/Our refers to the operator of the Website.
Introduction
- This privacy policy sets out how We process any personal data that We collect about you, or that you provide to Us, when you use the Website.
- It is important that you read this privacy policy together with any other privacy notice or fair processing notice We may provide on specific occasions when We are collecting or processing personal data about you so that you are fully aware of how and why We are using your data.
- For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "UK GDPR") and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK, together with any successor legislation to the UK GDPR and the Data Protection Act 2018), the data controller is the operator of frcophthnotes.com.
- We only collect and use your personal data in accordance with this privacy policy and applicable data protection laws.
- This policy only covers our collection and use of personal data through the Website. To the extent that you disclose your personal data to Us through other means such as over the phone or via email, different privacy notices may apply.
- We are committed to protecting your personal data and privacy and We will only process any personal data you provide to Us in accordance with applicable data protection legislation.
- If you have any questions about this privacy policy or our privacy practices, please contact Us.
Scope
- This privacy policy covers the email addresses of users who subscribe to premium content on the Website.
- This privacy policy applies to all personal data processed about users of the Website by the Website operator. It applies to users who are located in the European Economic Area (EEA) and the United Kingdom.
- Stripe processes payment information as part of the payment process but the Website operator does not have access to or control over any financial or other personal data processed directly by Stripe.
- Supabase processes users' email addresses securely in order to enable account access and manage subscriptions on behalf of the Website operator.
- This privacy policy will apply for as long as the Website operator processes a user's personal data as described in this policy.
- Information Collected
- For users who subscribe to the premium content on the Website, their email address is collected and securely stored by Supabase. This email address is used for authorising access to subscriber content and managing the user's subscription.
- Email addresses are stored securely by Supabase in accordance with applicable law.
- The Website uses essential technical cookies that are necessary for the functioning and security of the Website. No non-essential cookies such as those used for analytics or advertising are set.
- Payment information, including credit card or other financial details, is not collected or stored by the Website or passed to Supabase. Payments are processed through Stripe.
- No other personal data is actively collected from users of the Website. The Website does not use analytics or tracking tools.
- How We Use Your Personal Information
- We use users' email addresses:
  - To manage and administer their subscription, including providing access to subscriber content and authorising sessions.
  - To communicate with users about their subscription, including subscription renewal reminders.
- The lawful basis for processing email addresses under Article 6(1)(f) of the UK GDPR is our legitimate interests, in order to provide the subscription service.
- Some payment information may be shared with Stripe to process payments. The lawful basis for this processing under Article 6(1)(b) of the UK GDPR is to fulfil our contractual obligations to users.
- We do not conduct any profiling of users or use personal data for automated decision making.
- We do not share personal data with any third parties except our payment processor Stripe, as necessary to process payments.
- No personal data is transferred outside the UK/EEA. Stripe may transfer limited payment information to the US under standard contractual clauses.
- Email addresses are retained for the duration of the subscription and for 6 months after cancellation for accounting purposes only. Payment information is deleted after payment processing.
- Sharing Your Personal Information
- We may share your personal information with our third party payment processor Stripe in order to process any subscription payments you make through Stripe. Stripe does not share your full payment details with us.
- We may share your personal information, in particular your email address, with our third party service provider Supabase in order to manage your authorisation and access to subscriber content on the Website.
- Supabase is contractually bound by confidentiality obligations restricting their use of your personal information.
- In the event of a business transfer, such as a reorganisation, merger, sale or asset sale, your information, including personal information, would be part of the transferred assets.
- We may share your personal information with third parties if required to do so by law, or if we have a good faith belief that such disclosure is reasonably necessary to respond to legal process, enforce our terms and conditions, or protect the rights, property or safety of our users or others.
- International Data Transfers
- Personal data transferred to Supabase is stored on servers located in the United States.
- Supabase is certified under the EU-US Privacy Shield which provides adequate safeguards for transfers of personal data to companies in the United States.
- The Website will ensure Supabase maintains its Privacy Shield certification for the duration that personal data is stored with them.
- In the event the Privacy Shield is invalidated, the Website will require Supabase to provide alternative safeguards such as Standard Contractual Clauses approved by European regulators, prior to transferring any personal data to Supabase.
- Individuals have the right to request a copy of the safeguards put in place for transfers of their personal data to Supabase in the United States.
- The Website and Supabase will cooperate with the UK Information Commissioner's Office as required regarding any international transfers of personal data processed in connection with the Website.
- Data Security
- We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
- Access to your personal data is restricted on a need-to-know basis through password protection and multi-factor authentication.
- Personal data transmitted and stored is encrypted using industry standard TLS 1.2. Data at rest is encrypted using AES-256.
- Supabase stores data in secure data centres which are monitored 24/7 and have stringent access controls, firewalls and intrusion detection systems.
- The Website and Supabase systems undergo regular external penetration testing to identify vulnerabilities. Any issues are promptly addressed.
- All staff with access to personal data receive regular data protection training. Access is revoked if employment ends.
- We maintain security incident management policies and procedures to promptly identify, contain and respond to any personal data breaches. Notifications are made to the ICO and affected individuals as required by law.
- Data Retention
- Email addresses will be kept for the duration of the user's subscription and for 6 months after cancellation to handle any queries.
- Payment information is not collected or stored by the Website.
- Dates of subscription, upgrades and cancellations will be kept for accounting purposes for 7 years from the end of the tax year in which the transaction occurred.
- Essential cookies related to website functionality and security will be kept for the duration of the browsing session.
- If a user exercises their right to erasure, their personal data will be deleted from our systems within 1 month of the request.
- Your Rights
- Right to access your data. You have the right to request a copy of the personal data we hold about you. We will provide this to you within one month of receipt of the request.
- Right to rectification. You have the right to have personal data that we hold about you rectified if it is inaccurate or incomplete. We will respond to requests for rectification within one month of receipt of the request.
- Right to erasure. You have the right to request that we erase personal data we hold about you in certain circumstances. However, we may refuse to erase personal data to the extent permitted by applicable law, in particular if processing is necessary for compliance with our legal obligations or for the establishment, exercise or defence of legal claims.
- Right to restrict processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability. You have the right to receive a copy of personal data we hold about you in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where technically feasible.
- Right to object. You have the right to object at any time to the processing of your personal data for direct marketing purposes. We will stop processing for this purpose upon receipt of your objection. You also have the right to object to our processing of your personal data for other purposes if our processing is not reasonably necessary for the lawful purposes for which we process the data. If your objection is valid, we will stop processing your personal data for that purpose.
- Rights in relation to automated decision making and profiling. We do not use automated decision making or profiling.
- Right to withdraw consent. You have the right to withdraw your consent at any time where we rely on consent to process your personal data.
- Right to lodge a complaint. You have the right to lodge a complaint with the Information Commissioner's Office if you consider that our processing of your personal data infringes applicable data protection laws.
- Contact details. To exercise any of your rights set out in this section, please contact us using the email address admin@frcophthnotes.com.
- Changes to this Privacy Policy
- We may update this Privacy Policy from time to time to ensure it remains up-to-date and accurately reflects how and why we use your personal data.
- If we make any material changes to this Privacy Policy, we will notify you by email prior to the change becoming effective.
- By continuing to use the Website following notification of such changes, you signify your acceptance of the amended Privacy Policy.
- This Privacy Policy was last updated on 01/01/2024.
- Previous versions of this Privacy Policy are archived and can be obtained by contacting us at privacy@frcophthnotes.com. This is to ensure users understand how their personal data was handled at any given time in the past. This Privacy Policy is effective as of 01/01/2024. By using the Website, the user agrees to be bound by the terms of this Privacy Policy.