Our Data Protection & Privacy Policy
Effective Date: 30.01.2024
Thank you for choosing Multi Me, a product of MULTI-ME LTD. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information when you use our software product and visit our websites, including multime.com, my.multime.com, and rixwiki.org. By using our services, you agree to the terms of this Privacy Policy.
This Privacy Policy is applicable to users of the websites multime.com, my.multime.com, and rixwiki.org, covering the use of our services on these online platforms. Furthermore, it extends to include users of the Multi Me smartphone app, available on both iOS and Android operating systems.
We gather information about you in two main categories: (1) data voluntarily provided by you while using the Multi Me Service, detailed further under "Information you provide to us," and (2) information automatically collected as a consequence of your interaction with the Service, elaborated on in the section titled “Information collected automatically.” The nature and extent of the information collected can vary, contingent upon the user's role—be it a General User, a Buddy, a Supported User, or an Account Holder (e.g., we intentionally collect minimal information from Supported Users). Furthermore, the specifics of how users engage with Multi Me, such as educators joining a school, may necessitate the collection of specific information, for instance, school address details.
Privacy under Common Law: Multi Me adheres to English common law, which stipulates a lawful basis for the use or disclosure of confidential personal information. This is particularly relevant in the following circumstances:
Individual's Consent:
Disclosure is permissible when the individual has the capacity to provide valid informed consent.
Overriding Public Interest:
Disclosure may be warranted when it serves an overriding public interest.
Statutory Basis or Legal Duty:
Disclosure is lawful when there is a statutory basis or legal duty, such as complying with a court order.
These principles guide our approach to privacy and underscore our commitment to ensuring that the use and disclosure of personal information align with legal and ethical standards.
Information We Collect
1.1 Personal Information
Contact Information: Name, email address, phone number.
Account Information: Usernames, passwords, security questions.
Billing Information: Payment details, billing address.
1.2 Usage Information
Device Information: Type, model, operating system.
Log Data: IP address, browser type, pages visited, time spent.
1.3 Information collected automatically - Cookies and Similar Technologies
We use cookies and similar technologies to enhance your experience and collect additional information. You can manage your cookie preferences through your browser settings.
1.4 User-Generated Biographical Data
Our platform provides users with the ability to voluntarily upload biographical data to create their own stories, share experiences, and engage with the community. This may include personal narratives, historical information, or life events. It is important to note that we do not access or use this user-generated biographical data for any purpose beyond facilitating the intended user interactions.
1.5 User-Generated Content
Users may voluntarily submit various types of data to create their stories and engage with the platform. This includes, but is not limited to:
Text-based messages
Pictures
Videos
Audio recordings
Documents
Stickers
Weblinks
Location Maps
This diverse range of user-generated content is an integral part of the platform's functionality, allowing individuals to express themselves and engage with their Circle of Support.
How We Use Your Information
Providing and improving our services.
Personalizing your experience.
Processing transactions and managing your account.
2.1 User-Generated Biographical Data Usage
The user-generated biographical data uploaded to our platform is used solely to enable users to create, manage, and share their own stories within the platform. The handling of this data is tailored to the unique roles defined within our user system:
Supported Users:
Vulnerable individuals, including people with disabilities and minors under 18, who use the platform. Their privacy and safety are of paramount importance. Personal data is processed to provide a tailored and supportive environment, ensuring a positive and secure user experience.
Buddies:
Guardians assigned to Supported Users. Buddies play a crucial role in safeguarding, monitoring, and administrating one or more Supported Users. They are granted access to specific information necessary for their caregiving responsibilities, emphasizing the importance of maintaining a secure and supportive online environment.
Portal Admins:
Administrators overseeing a Multi Me Portal/network. They are responsible for creating users and defining roles and relationships within their portal. Portal Admins have access to high-level analytics, ensuring the effective management of the platform while upholding privacy and security standards.
General Users:
Individuals invited to join a Supported User's circle who do not hold the roles mentioned above. General Users may be granted read/write access to a Supported User's content by the Buddy, facilitating collaboration within the Circle of Support.
Information Sharing
We may share your information with:
Third-party service providers for processing payments, analytics, and support.
Law enforcement or government agencies when required by law.
We do not sell your personal information to third parties.
3.1 Third-Party Service Providers for Video and Media Processing
In order to enhance and efficiently operate our services, we utilise third-party services for the processing of video and media files. These services are carefully chosen to ensure compliance with GDPR and accredited data standards. While these third-party providers may handle certain aspects of data processing, they are contractually obliged to maintain the confidentiality and security of the information they process on our behalf.
Our websites and software may contain links to third-party websites. Please be aware that Multi Me is not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of these websites, as they may differ from ours. The inclusion of third-party links does not imply endorsement or responsibility for the content or practices of these external sites. Your interactions with these linked websites are subject to their own terms and policies.
3.2 Data Security of Third-Party Services
We take measures to ensure that any third-party services employed for video and media processing adhere to the same stringent data security standards we uphold. These services are regularly reviewed to confirm their continued compliance with relevant data protection regulations.
Data Sharing:
Multi Me values user privacy and provides controlled sharing options within specific environments, such as School Communities or Circles. The following practices guide our approach to sharing information:
4.1 Controlled Sharing:
Users, such as Supported Users or Group Admins, have the authority to veto information sharing.
Buddies can enable/disable sharing for a Supported User through the 'Manage this User' screen.
Multi Me discourages and restricts the 'sharing on' of information, placing control in the hands of the information Owner or their Buddy.
4.2 Sharing and Inviting as a Buddy:
Buddies can invite key individuals to join a Supported User's Circle and Groups, including health professionals, teachers, family, and friends.
Invitations can be sent to registered users or via email addresses for new sign-ups.
Buddies can also invite individuals to view specific sections of a user's Multi Me account using email access links.
Email addresses collected during these processes are stored in accordance with this Privacy Policy.
Objections to Data Processing:
At Multi Me, we believe you should have control over your personal data. If you wish to object to the processing of your data, follow these simple steps:
5.1 Account Managed by an Organisation (e.g. care home):
If your Multi Me account is managed by an organisation, like a care home:
Simply contact the organisation's Data Protection Officer (DPO).
Ask them to remove your data from their Multi Me dashboard.
The organisation will delete your data and confirm this with you directly.
5.2 Account Purchased Directly from Multi Me:
If you bought your Multi Me account directly (e.g., as a parent/carer or individual with a disability):
Log in to your Multi Me account.
Go to 'My Account Settings.'
Click 'Delete Account.'
If you do not log in and restore your account, your data will be scheduled to be permanently deleted in 2 weeks.
Individuals wishing to request the immediate deletion of their information can contact us directly at privacy@multime.com.
We've made these processes straightforward to respect your right to control your information.
Data Security
We employ industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.
6.1 Hosting and Data Security on AWS Servers
Our data is hosted on Amazon Web Services (AWS) servers located in the UK, adhering to AWS cybersecurity standards. AWS, a trusted cloud service provider, employs robust security measures to protect data integrity and confidentiality. The servers are subject to regular security audits and assessments to ensure ongoing compliance with industry standards.
6.2 Daily Data Backups
To safeguard against data loss, we perform daily backups of our data hosted on AWS servers. These backups are stored securely and can be restored in the event of any unforeseen incidents. The backup process is an integral part of our commitment to maintaining data integrity and availability.
6.3 Security breaches
While we make concerted good faith efforts to maintain the security of personal information, and we work diligently to ensure the integrity and security of our systems, it's essential to acknowledge that no practices are 100% immune, and we cannot guarantee the absolute security of information. Various factors, including outages, cyber-attacks, human error, system failures, unauthorized use, or other unforeseen circumstances, may compromise the security of user information at any time.
In the event of a security breach, we are committed to taking swift action. We will attempt to notify you electronically within 72 hours of detecting the breach, subject to any applicable laws. Notification methods may include posting a notice on our homepage (www.multime.com) or elsewhere on the Service. Additionally, we may send an email to the address you have provided to us.
It's important to note that depending on your location, you may have a legal right to receive notice of a security breach in writing. We encourage you to take appropriate protective steps upon receiving any notification to safeguard your information.
The actions we take in response to a data breach:
Immediate Investigation:
Launch an immediate investigation to assess the extent and nature of the breach.
Identify the specific data compromised and the potential impact on affected individuals.
Notification to Authorities:
Report the breach to relevant data protection authorities, complying with legal obligations.
Timely Notification to Users:
Notify affected users within 72 hours, as required by applicable data protection laws.
Provide clear and transparent communication regarding the nature of the breach, the information compromised, and steps users can take to mitigate potential risks.
Incident Response Team Activation:
Activate an incident response team, including a Data Protection Officer (DPO), legal experts, and IT professionals, to coordinate the organization's response.
Containment Measures:
Implement immediate measures to contain and minimize the impact of the breach.
Isolate affected systems and secure vulnerabilities that may have led to the breach.
Remediation Steps:
Develop and implement a remediation plan to address the root cause of the breach.
Apply patches, updates, or additional security measures to prevent similar incidents in the future.
Coordination with Law Enforcement:
Collaborate with law enforcement agencies when necessary to aid in the investigation and potential prosecution of malicious actors.
Offer Support to Affected Individuals:
Offer support services to affected individuals, as appropriate.
Reevaluation of Security Policies:
Conduct a thorough review of existing security policies and procedures.
Update and enhance security measures based on lessons learned from the breach.
Documentation and Reporting:
Document all actions taken in response to the breach for regulatory compliance and internal analysis.
Prepare a comprehensive post-incident report to identify areas for improvement in the organisation's security posture.
Your Choices
You have the right to:
Access and update your personal information. You can log into your account to do this.
Opt out of marketing communications. You can click the unsubscribe link at the bottom of all email communications from us.
Delete your account (subject to legal and contractual obligations).
7.1 Managing User-Generated Biographical Data
Users retain control over the biographical data they upload to our platform. They have the right to manage, edit, or delete their user-generated content at any time. For inquiries regarding the handling of user-generated biographical data, please contact us at privacy@multime.com.
9. Obtaining Consents for Adults Lacking Mental Capacity
Our services may be utilised by adults who lack the mental capacity to provide valid informed consent. In such cases, caregivers, acting as legal representatives or advocates, play a crucial role in managing the individual's personal information. The following guidelines outline our approach to obtaining necessary consents for such adults:
9.1 Caregiver Responsibilities
Legal Representation: Caregivers, serving as legal representatives or advocates for adults lacking mental capacity, are responsible for providing consent on their behalf.
Informed Decision-Making: Caregivers should make decisions in the best interests of the individual, considering their preferences, well-being, and any known wishes expressed when they had the mental capacity.
9.2 Consent Process
Clear Communication: Caregivers are encouraged to maintain clear communication with the individual, explaining the nature and purpose of data processing to the best of their ability.
Documented Consent: Whenever possible, caregivers should document their consent decisions, outlining the reasons behind them.
9.3 Data Access and Management
Access to Information: Caregivers may be granted access to, and may manage, personal information on behalf of the adult lacking mental capacity, ensuring their privacy and security.
Respecting Individual Privacy: Caregivers should respect the privacy and dignity of the individual when handling their personal information.
9.4 Multi Me Support
Guidance and Assistance: Multi Me provides guidance and assistance to caregivers in navigating the consent process and managing personal information on behalf of adults lacking mental capacity.
Contact: For inquiries or support related to obtaining consents for adults lacking mental capacity, caregivers can contact us at privacy@multime.com.
9.5 Consent through Service Contracts
At Multi Me, we acknowledge that consent may be established through contractual agreements between service users and the care-providing entities leveraging our software to deliver quality care. In scenarios where service users enter into contracts with care services, the terms and conditions of such contracts may encompass the collection, processing, and management of personal information necessary for the provision of care services. Multi Me facilitates the secure and transparent communication of consent-related terms within these contracts. It is essential for service users and care services to collaboratively establish clear and comprehensive agreements that respect individual privacy rights while ensuring the delivery of high-quality care.
Data Retention and Management:
At Multi Me, we prioritize the responsible handling of data to ensure privacy, security, and compliance with applicable laws and regulations. Our commitment to effective data retention and management is reflected in the following practices:
Data Classification:
We classify data based on its sensitivity and regulatory requirements, enabling us to determine appropriate retention periods tailored to the nature of the information.
Documented Retention Policies:
Multi Me develops and maintains clearly documented data retention policies that comprehensively outline specific retention periods for different types of data.
Regular Audits:
We conduct regular audits of stored data, proactively identifying and addressing obsolete or unnecessary information to facilitate secure disposal.
Automated Data Deletion Processes:
Multi Me has implemented automated processes for the deletion of data that surpasses its defined retention period. This ensures timely and consistent compliance with our data retention policies.
Legal and Regulatory Compliance:
We stay abreast of changes in relevant laws and regulations that impact data retention requirements. Multi Me adjusts retention policies and practices to align with legal and regulatory obligations.
User Consent Monitoring:
Multi Me monitors and respects user consents for data processing and retention. We provide mechanisms for users to manage their preferences and exercise their right to be forgotten.
Secure Data Disposal:
We establish secure methods for the disposal of data at the end of its retention period, ensuring that sensitive information is irreversibly deleted or anonymized.
Employee Training:
We train employees on data retention policies and procedures to ensure awareness and compliance throughout the organization.
Documentation of Data Lifecycles:
We document the complete lifecycle of data, including creation, storage, access, and eventual deletion, to maintain transparency and accountability.
Periodic Review and Adjustment:
Multi Me periodically reviews and adjusts data retention policies based on evolving business needs, technology advancements, and changes in the regulatory landscape.
Notification to Data Subjects:
When applicable, we provide clear and transparent notifications to data subjects regarding the duration for which their data will be retained and the purpose of such retention.
Exception Handling:
We implement protocols for handling exceptions or legal holds that may temporarily suspend the standard data retention processes in response to legal proceedings or investigations.
User Rights and Choices:
7.2 User Rights and Choices:
At Multi Me, we believe in giving you control over your data. As part of this commitment, we respect and adhere to the national data opt-out scheme, empowering you to make choices about how your confidential patient information is used for purposes beyond your individual care and treatment.
7.3 National Data Opt-Out Scheme:
Multi Me fully supports and complies with the National Data Opt-Out Scheme.
This scheme allows you to decide whether you want your confidential patient information used for research and planning, beyond your individual care and treatment.
We value your right to manage your preferences, and this opt-out scheme provides a straightforward way for you to do so.
Third-Party Links
Our websites and software may contain links to third-party websites. We are not responsible for their privacy practices. Please review the privacy policies of these websites.
Children's Privacy
Our services may be used by individuals under the age of 13 under the supervision and guidance of a caregiver (a Buddy on our system). In such cases, we recognize the importance of protecting the privacy and safety of children. The following additional information is provided to address the use of our services by children:
9.1 Parental Consent
If you are a caregiver allowing a child under the age of 13 to use our services, you confirm that you are the child's parent or legal guardian and provide consent for the collection and processing of the child's personal information.
9.2 Information Collection from Children
We may collect limited personal information from children under 13, such as a username and email address, solely for the purpose of providing and improving our services. We do not knowingly collect more information than is reasonably necessary for these purposes.
9.3 Caregiver Rights
Caregivers have the right to review, delete, or refuse further collection of their child's personal information. To exercise these rights, please contact us at privacy@multime.com.
9.4 Educational and Safety Features
We are committed to incorporating educational and safety features into our services to create a secure environment for children. Caregivers are encouraged to guide and monitor their child's use of our services.
Changes to this Policy
We may update this Privacy Policy to reflect changes in our practices or for other operational, legal, or regulatory reasons.
10.1 Notification of Changes
We will provide notice of any material changes to this Privacy Policy through our website, platform, or by other means as required by applicable law. We encourage you to periodically review this page for the latest information on our privacy practices.
Contact Us
If you have any questions or concerns about this Privacy Policy or our practices, please contact us at privacy@multime.com.
Last Updated: 30.01.2024