About this Policy
This document contains a policy statement regarding Collective Minds Radiology’s collection, use and processing of Personal Data (“Privacy Policy”), as updated from time to time. It describes how we process your personal data at Collective Minds Radiology AB (also referred to as "Collective Minds", "Collective Minds Radiology", "CMRAD", "we" or "us").
Collective Minds Radiology AB has company registration number 559120-7187 and its registered address at Svärdvägen 5, 182 33, Danderyd, Sweden.
This Privacy Policy is applicable when you use the Collective Minds Platform (available at cmrad.com) or the Collective Minds Platform mobile application (the “Website” and “Application”) (collectively the “Services”).
At Collective Minds, we are committed to legal, regulatory and privacy compliance, both in relation to our users and customers, and in relation to the data we process on our platform and the data subjects involved. As part of our transparency practices, we explain how we process personal data and what rights you have under applicable laws and regulations.
All definitions in this Privacy Policy shall be interpreted in accordance with applicable data protection laws, which refer to the General Data Protection Regulation (Regulation no. 2016/679) and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), as well as the national implementations and related national legislation.
If you have any doubts or questions, please contact our Data Protection Officer at the following email address: dpo@cmrad.com.
Who is responsible for your data?
Collective Minds acts as the Data Controller of your data as a User when signing up, using or exploring our Platform / webpage. We also act as Data Controller when you are our customer or provider, or when you make a request to us or interact with us.
Data Controller
Collective Minds Radiology AB
Registered office
Company registration number 559120-7187.
Registered address at Svärdvägen 5, 182 33, Danderyd; Sweden (Stockholm)
Data Protection Officer (from now on “DPO”)
You can contact or obtain more information about our DPO at: dpo@cmrad.com
On the other hand, we also act as a Data Processor when we process the (pseudonymised) data stored/uploaded on our Platform in order to provide our Services to our Users and Customers. In these cases, we only process data on behalf of those Users/Customers (Controllers), acting on their instructions.
This Policy applies to your use of:
- All Collective Minds services as a user. For example, this includes:
  - your use of Collective Minds on any device;
  - the personalisation of your user experience;
  - the infrastructure required to provide our services;
  - connection of your Collective Minds account with another application;
  - both our free and paid Collective Minds services (“Services”).
- Other Collective Minds services which include a link to this Policy. These include Collective Minds websites, Customer Service and the Community Site.
From now on, we'll collectively call these the ‘CM Services’.
From time to time, we may develop new or offer additional services. They'll also be subject to this Policy, unless stated otherwise when we introduce them.
About the Service
See separate ‘Terms of Service’ (about.cmrad.com/terms-of-service) for descriptions of the Service that Collective Minds Radiology provides.
Data Processed
Collective Minds Radiology collects, processes and stores two distinct sets of personal data. We will process the following personal data on the Services:
- A. User profiles
  - name;
  - contact details (e-mail address, telephone number, address, country of residence, nationality);
  - position, title and workplace;
  - medical doctor’s license;
  - social network references.
- B. Technical usage data
  - such as the URL you are accessing the Services from, your IP address, unique device ID, network and computer performance, browser type, language and identifying information and operating system;
  - information about your use of the Services, such as what you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), consultation length(s), recurrence of visits and other interaction information, methods used to browse away from the page.
We are unable to provide you with the Services unless you provide us with the personal data listed in point A above.
The processing of the personal data above is necessary to enter into the Terms of Service with us and to maintain the contractual relationship between you and us, where Collective Minds Radiology will act as Data Controller for the collected data. Some of this collected information is subject to processing by third parties, both within and outside the European Union (third countries). A list of these third parties and what they do for us with the use of this data can be found here: https://about.cmrad.com/data-processors
The data listed in B above is solely collected and used for performance and issue handling pertaining to the platform, and will not be used for identifying you as a user, unless this is requested by official legal investigations as in ‘Responding to Legal Requests and Preventing Harm’ below.
A third set of personal data is processed using the Collective Minds Platform, which is the data that you as a User will upload to the platform. This data is referred to as ‘User generated Material’ in the Terms of Service, and Collective Minds Radiology will act as Data Processor on behalf of you as Data Controller for this data:
- C. Patient case information
  - pseudonymized DICOM images including embedded metadata;
  - content that you post, upload and/or contribute to the Services.
For the data listed in C above, where you as a User of the Services will act as Data Controller and Collective Minds Radiology provides Services as Data Processor, a separate Data Processing Agreement must be in effect.
The reason for a separate Data Processing Agreement is to outline what kind of processing we’re instructed to perform on your behalf regarding personal data pertaining to Data Subjects for whom you are Data Controller.
Pseudonymous DICOM data
All patient health data evident in the DICOM images are pseudonymised automatically, using our Default Pseudonymization Profile*, at the source location’s private network or through an encrypted link provided to the user. The objective of the Default Pseudonymization Profile is to remove any data which can be traced back to an individual Data Subject. Unique identifiers in the form of keyed hashes are kept within each study to enable linking back to the original patient and study. This linking is only possible at the source clinic by the User, which enables them to fulfill their data protection obligations towards each patient without revealing any information that may infringe on the integrity of the Data Subject.
The process of pseudonymization removes all direct identifiers such as name, birthdate, phone number, etc. from the DICOM images and removes any metadata tag which could indirectly enable the identification of the Data Subject. For this purpose, Collective Minds Radiology uses the de-identification method described in the DICOM standard and we continuously stay up to date with new releases of the specification. The specific tags which are removed or replaced can be found in Table E.1-1 from PS 3.15 of the DICOM standard.
More details about the exact data modifications which take place under the Default Pseudonymization Profile can be found in our Privacy Policy cmrad.com/privacy.
For additional data privacy the following tags are removed.
- Encapsulated Document
- Private Tags
In order to correctly provide our Services and ensure the clinical value is delivered to the user, the following tags are retained as these play a vital role in the medical context of our users and do not directly identify the patient.
For data management purposes, e.g. when structuring Clinical Trials or Education libraries
- Patient’s Sex
- Acquisition/Study/Series/Instance/Content/Date
- Study Description
- Series Description
For contrast media and nuclear medicine purposes
- Contrast Bolus Agent
- Radiopharmaceutical Start DateTime
- Radiopharmaceutical Stop DateTime
- Radiopharmaceutical Start Time
- Radiopharmaceutical Stop Time
- Radiopharmaceutical Information Sequence
- Energy Windows Information Sequence
- Radionuclide Total Dose
- Radionuclide Half Life
- Decay Correction
- Frame Reference Time
- Decay Factor
- SUV Factor
- SUV Type
- Interventional Drug Information Sequence
- Date Of Last Calibration
- Time Of Last Calibration
For lesion/organ annotation and segmentation
- Content Sequence
- Graphic Annotation Sequence
- ROI Generation Description
- ROI Generation Algorithm
- ROI Contour Sequence
- ROI Description
- ROI Name
- ROI Observation Description
- ROI Observation Label
The following tags are converted into generalized population groups, also known as k-anonymity:
- Patient’s Age
- Patient’s Weight
- Patient’s Size
* Beyond the Default Pseudonymization Profile, we have the ability to create Custom Pseudonymization Profiles. Any such modifications will only be configured upon your specific request.
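The following sketch illustrates the kinds of operations this section describes (keyed-hash linking, removal of direct identifiers and private tags, and generalisation of age, weight and size). It is an added example, not Collective Minds' own code; the key, the 10-unit bin widths, the small set of removed tags and the sample dataset are constructed assumptions, and a real profile acts on every tag listed in Table E.1-1.

```python
import hashlib
import hmac

SITE_KEY = b"constructed-demo-key"   # constructed; stays at the source clinic

PATIENT_ID = (0x0010, 0x0020)
PATIENT_AGE, PATIENT_SIZE, PATIENT_WEIGHT = (0x0010, 0x1010), (0x0010, 0x1020), (0x0010, 0x1030)
# Constructed subset of direct identifiers to drop: PatientName, PatientBirthDate,
# plus Encapsulated Document, which the policy removes in addition.
REMOVED = {(0x0010, 0x0010), (0x0010, 0x0030), (0x0042, 0x0011)}

def keyed_hash(value, key=SITE_KEY):
    """HMAC-SHA256 pseudonym: stable for linking, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]

def band(number, width):
    """Generalise a number into the half-open range [low, low + width)."""
    low = int(number // width) * width
    return f"{low}-{low + width}"

def pseudonymize(dataset):
    out = {}
    for tag, value in dataset.items():
        if tag[0] % 2 == 1 or tag in REMOVED:   # odd group number = private tag
            continue
        if tag == PATIENT_ID:
            out[tag] = keyed_hash(value)
        elif tag == PATIENT_AGE:                # DICOM AS value such as "045Y"
            years = int(value[:3]) if value.endswith("Y") else 0
            out[tag] = band(years, 10) + "Y"
        elif tag == PATIENT_WEIGHT:             # kilograms
            out[tag] = band(float(value), 10) + "kg"
        elif tag == PATIENT_SIZE:               # metres, binned in centimetres
            out[tag] = band(round(float(value) * 100), 10) + "cm"
        else:
            out[tag] = value                    # e.g. Patient's Sex, Study Description
    return out

def relink(pseudonym, local_ids, key=SITE_KEY):
    """Key holder recomputes hashes over its own patient IDs to find the match."""
    for pid in local_ids:
        if hmac.compare_digest(keyed_hash(pid, key), pseudonym):
            return pid
    return None

SAMPLE = {  # constructed dataset, tag -> value
    (0x0010, 0x0010): "DOE^JANE", (0x0010, 0x0020): "PID-000123",
    (0x0010, 0x0030): "19780412", (0x0010, 0x0040): "F",
    (0x0010, 0x1010): "045Y", (0x0010, 0x1030): "82.5", (0x0010, 0x1020): "1.78",
    (0x0008, 0x1030): "CT CHEST W CONTRAST",
    (0x0009, 0x0010): "VENDOR PRIVATE CREATOR", (0x0042, 0x0011): b"%PDF-1.4",
}

if __name__ == "__main__":
    for tag, value in pseudonymize(SAMPLE).items():
        print("(%04X,%04X)" % tag, value)
```

Because the pseudonym is an HMAC rather than a plain hash, a party without the site key cannot confirm a guessed patient ID against it, while the key holder can re-link by recomputation.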
Purposes of Processing
Collective Minds Radiology will process the personal data sets described above for the following purposes:
- To enable you to verify your account, to administer your account, to enable and provide the Services and integration with third party services, and to provide, personalize and improve your experience with the Services, and to otherwise provide the Services according to the Terms of Service;
- to send you alerts or messages by email or otherwise, including to provide you with marketing of our and our related parties’ products and services;
- to inform you about updates of the Services or the Terms of Service;
- to improve and develop the Services or new services and to analyse your use of the Services;
- to ensure the technical functioning of the Services and to prevent the use of the Services in breach of the Terms of Service;
- to enforce the Terms of Service, including to protect our rights, property and safety and the rights, property and safety of third parties if necessary;
- to fulfill our obligations as Data Controller and Data Processor;
- to respect and fulfill our obligations in regards to the Rights of the Data Subject;
- to respond to any queries you raise with us and to provide customer support; and
- to fulfill requirements by law (see ‘Responding to Legal Requests and Preventing Harm’ below).
Apply to job – https://careers.cmrad.com/privacy-policy
Legal Grounds
Consent: By contacting us, or actively providing consent to receive certain information from us (such as subscribing to our newsletter), you consent to the processing for the purposes contained in point A above which includes processing of your name, contact details and preferences as set out in this Privacy Policy.
Execution of contract: By accepting Collective Minds Radiology’s Terms of Service, we process your personal data to be able to fulfill our agreement with you for the purposes listed above in ‘Purposes of Processing’.
Legal obligation: Collective Minds Radiology will process personal data if it has a legal obligation to do so to fulfill requirements by law as pointed out in ‘Responding to Legal Requests and Preventing Harm’ below.
Legitimate interest: The processing of your personal data for the purposes listed in ‘Purposes of Processing’ above is conducted on the basis of the legitimate interest of Collective Minds Radiology. Our legitimate interest for the processing is maintaining sufficient IT security through logging data when you use our Services, preventing fraud and protecting the Services from cyber threats. We also log data for the maintenance and improvement of our Services.
Disclosure of Personal Data
We do not commercially exploit or distribute personal data to any third party for commercial purposes. We share and disclose your personal data to companies with which we have contracts in place. These companies mainly provide data storage, data analytics, advertising, IT support and other services to be able to run and improve our Services. For a complete list of third party companies, please see https://about.cmrad.com/data-processors.
When you use our Services, you may be directed to other websites where the personal data collected is not in our control. The privacy policy of the other website will govern the personal data obtained from you on that website.
Responding to Legal Requests and Preventing Harm
We may access, preserve and share your personal data in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other Users, including as part of investigations described in Article 23(1) in the GDPR.
Cookies, Pixels and other System Technologies
We collect information by using technology such as cookies, pixels and tags (on your browser or device). For information about how we use these types of technologies, please see our cookie policy (available here: https://www.cmrad.com/cookies).
Retention
Personal data about registered Users will be retained for as long as the User has an active profile on the Services. Users who have not used our Services will have all personal data deleted after 2 years of inactivity on the Services.
If you agree to be added to our mailing list, we will keep your personal information for that purpose unless and until you tell us that you want to unsubscribe or be removed from the list. If you advise that you do not want to be added to our mailing list or you ask to be removed, we will delete your personal data (aside from keeping a record that you have asked us not to send you marketing information).
Children
The Services are not directed to persons under the age of thirteen (13). If you are a parent or guardian of a person under the age of 13 and you become aware that the child has provided personal data to us without your consent, please contact dpo@cmrad.com to exercise your access, rectification, erasure, limiting of processing and objection rights.
Security
The security of personal data is of great concern to us. At Collective Minds Radiology, we have gone to great lengths to manage the security and integrity of the Services and to ensure that we use best-in-class services when providing secure transmission of information from your device. Personal Data collected via the Services is stored in secure environments that are not available or accessible to the public; only those duly authorized people, officers, employees or agents of Collective Minds Radiology who need access to your information in order to do their jobs are allowed access.
Anyone who violates our privacy or security policies is subject to disciplinary action, including possible termination of their contract with Collective Minds Radiology and civil and/or criminal prosecution. Collective Minds Radiology uses the latest technologies to ensure utmost security, including utilizing several layers of firewall security and encryption of personal data to ensure the highest level of security.
Please see our Security White Paper for further information on our security practices. The Services are hosted in Amazon Web Services (AWS) at its data centers in the EU. You can read more about this here: https://aws.amazon.com/compliance/gdpr-center/
Your Rights
You have an absolute right to object to the processing of your personal data for direct marketing. You also have the right to recall your prior given consent. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal, and we may continue processing your personal data based on other legal grounds, except for direct marketing.
You have the right to request access and further information concerning the processing of your personal data, or request that we correct, rectify, complete, erase or restrict the processing of your personal data. You have the right to obtain a copy of the personal data that we process relating to you free of charge once (1) every calendar year. For any additional copies requested by you, we may charge a reasonable fee of 10€ based on administrative costs.
If the processing is based on the legal grounds of consent or fulfillment of contract, you have the right to data portability. Data portability means that you can receive the personal data that you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transfer such data to another data controller.
Contact Information
To exercise your rights, or if you have any questions regarding our processing of your personal data, please contact our Data Protection Officer (DPO) at the following address: dpo@cmrad.com or Collective Minds Radiology AB, Svärdvägen 5, 182 33 Danderyd, Sweden. In your letter/email please state your full name, your username (if you are a user) and which institution you are linked to. Note that you should sign the request to receive information about the processing of your personal data yourself.
If you have any complaints regarding our processing of your personal data, you may file a complaint to the competent data protection authority. You can find out more about the local data protection authorities under the following link http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Notice of Changes to the Privacy Policy
If we make changes to this Privacy Policy, we will notify you by posting a copy of the updated policy on our Services prior to any change becoming effective. If your consent is required due to the changes, we will provide you with additional prominent notice as appropriate under the circumstances and ask for your consent in accordance with applicable law.
Version 3, last update 19/08/2023